Bug 1009371

Summary: bkr client shows SSL certificate verification error when editing access policy
Product: [Retired] Beaker Reporter: xjia <xjia>
Component: command lineAssignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE QA Contact: tools-bugs <tools-bugs>
Severity: high Docs Contact:
Priority: high    
Version: developCC: aigao, asaha, dcallagh, llim, qwan, rmancy, xtian
Target Milestone: 0.15Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-21 00:31:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 2 Amit Saha 2013-09-18 16:49:21 UTC 
http://stackoverflow.com/questions/10667960/python-requests-throwing-up-sslerror ?
Comment 3 Dan Callaghan 2013-09-18 23:17:42 UTC 
This error is expected if the Beaker server's SSL cert is signed by a CA not trusted by requests. The requests package in Fedora (and eng-rhel-6) has been patched to check CA certs from the system-wide trust store in /etc/pki/tls/certs/.
Comment 5 Dan Callaghan 2013-09-19 01:09:20 UTC 
Looking closer, it seems requests will only load CA certificates from /etc/pki/tls/certs/ca-bundle.crt, it *won't* do the OpenSSL hashed directory lookup in /etc/pki/tls/certs/ so just adding a custom certificate there will not work.

So it will work if you append the custom certificate to /etc/pki/tls/certs/ca-bundle.crt but it may not be reasonable to require people to do that. Incidentally Fedora 19 has a solution to this [1] but that doesn't help us on RHEL6.

We should probably add an option in the client config to point at a particular CA certificate rather than the system default one.

[1] http://fedoraproject.org/wiki/Features/SharedSystemCertificates
Comment 6 Dan Callaghan 2013-09-19 01:29:44 UTC 
On Gerrit: http://gerrit.beaker-project.org/2278
Comment 12 Nick Coghlan 2013-10-03 02:30:13 UTC 
Beaker 0.15 has been released.