Bug 1009371
Summary: | bkr client shows SSL certificate verification error when editing access policy | ||
---|---|---|---|
Product: | [Retired] Beaker | Reporter: | xjia <xjia> |
Component: | command line | Assignee: | Dan Callaghan <dcallagh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | tools-bugs <tools-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | develop | CC: | aigao, asaha, dcallagh, llim, qwan, rmancy, xtian |
Target Milestone: | 0.15 | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-01-21 00:31:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Comment 2
Amit Saha
2013-09-18 16:49:21 UTC
This error is expected if the Beaker server's SSL cert is signed by a CA not trusted by requests. The requests package in Fedora (and eng-rhel-6) has been patched to check CA certs from the system-wide trust store in /etc/pki/tls/certs/. Looking closer, it seems requests will only load CA certificates from /etc/pki/tls/certs/ca-bundle.crt, it *won't* do the OpenSSL hashed directory lookup in /etc/pki/tls/certs/ so just adding a custom certificate there will not work. So it will work if you append the custom certificate to /etc/pki/tls/certs/ca-bundle.crt but it may not be reasonable to require people to do that. Incidentally Fedora 19 has a solution to this [1] but that doesn't help us on RHEL6. We should probably add an option in the client config to point at a particular CA certificate rather than the system default one. [1] http://fedoraproject.org/wiki/Features/SharedSystemCertificates On Gerrit: http://gerrit.beaker-project.org/2278 Beaker 0.15 has been released. |