SE-1213 Fix InCommon cert issues

Description

Recently, Incommon have made some changes with certificates which affect
the provisioning process for notifier. Namely:

The ssl certificate on www.incommon.org has changed, causing the
certificate verification during deployment to fail. The certificate is
valid, but is based on a different (newer) chain of trust.

The second issue (which is hidden by the first), is that the server CA
url that is retrieved in this step is non-existent (404).

We have been investigating the issue and have discovered that Incommon
previously documented the InCommon Server CA on their wiki at
https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types . On
June 11, info about this CA was removed. The last revision to have these
docs is: https://spaces.at.internet2.edu/pages/viewpage.action?pageId=152176663&navigatingVersions=true

This server CA was SHA-1, and Incommon have a SHA-2 server CA documented on the
same page. I'm not sure if they are used for similar purposes and this newer
one directly replaces the older one or not. It does appear that the SHA-1 cert
could have been removed since SHA-1 has been deprecated for a long time (see
https://spaces.at.internet2.edu/display/InCFederation/2014/05/07/Phasing+Out+SHA-1#PhasingOutSHA-1-SHA-1andX.509Certificates
).

This PR includes a potential fix: it installs the newer Incommon server
CA that appears to have replaced the previous one. It downloads it from
the url as documented on [InCommon's wiki](https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types).

The remaining question though is whether this particular CA was
installed and kept in the notifier deployment for a certain reason that
may only be apparent at runtime in the notifier. It may be helpful if
someone knew what the original purpose was. For reference, it was added
in PR #194, commit https://github.com/edx/configuration/pull/194/commits/7029a28d38694cf8366b3a3fd8a3a0794e98228b

*JIRA tickets*: TBD

*Dependencies*: None

*Merge deadline*: "None"

*Testing instructions*:

1. Run an openedx deployment using this configuration and notifier
deployment enabled.
2. unknown: TBD when the purpose of the certificate is determined

*Author notes and concerns*:

1. We are aware that there is a glitch affecting the UI for this feature in the following way: ...
Currently looking for ways to fix it.
2. We tried to optimize for accessibility, but there are still some open questions: ...

*Reviewers*

  • [ ] @lgp171188

  • [ ] edX reviewer[s] TBD

Status

Assignee

Unassigned

Reporter

Open Source Pull Request Bot

Contributor Name

Samuel Walladge

Repo

edx/configuration

Customer

Epic Link

None

OSCM Assignee

None

Priority

Unset
Configure