Bug 1142376

Summary: pulp.bindings.server.DEFAULT_CA_PATH does not point to a valid certificate pack
Product: [Retired] Pulp
Component: API/integration
Version: 2.4.0
Status: CLOSED UPSTREAM
Severity: medium
Priority: high
Reporter: Randy Barlow <rbarlow>
Assignee: Chris Duryee <cduryee>
QA Contact: Preethi Thomas <pthomas>
CC: cduryee, pthomas
Keywords: Triaged
Target Release: 2.6.0
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-02-28 22:20:41 UTC

Description Randy Barlow 2014-09-16 16:24:50 UTC
Description of problem:
pulp.bindings.server.DEFAULT_CA_PATH is set to '/etc/pki/tls/certs/' when it should be set to '/etc/pki/tls/certs/ca-bundle.crt'. This means that the bindings will not work with real root certificates unless the user explicitly sets the PulpConnection's ca_path __init__ parameter.

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time

Steps to Reproduce:
1. Use the Pulp bindings to make a connection to a server that is using an SSL certificate that is signed by a CA that you have installed into /etc/pki/tls/certs/ca-bundle.crt, but do not pass the ca_path parameter to PulpConnection.__init__().

Actual results:
You should see an SSL trust failure raised from M2Crypto.

Expected results:
By default, we should work with root certificates installed at /etc/pki/tls/certs/ca-bundle.crt with no additional configuration.
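
An added example (not Pulp's code, and using the standard-library ssl module rather than M2Crypto): a pre-flight check for the file-versus-directory distinction this report turns on. OpenSSL takes a trust store either as a PEM bundle file or as a directory whose entries are named by subject hash, so a directory holding only ordinary certificate files supplies no trust anchors. The function names are hypothetical and the sample layout is constructed in a temporary directory.

```python
import os
import re
import ssl
import tempfile

# OpenSSL finds CA-directory entries by subject-name hash: "<8 hex digits>.<n>"
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"  # heuristic check, not full parsing

def classify_ca_path(path):
    """Return 'bundle', 'not-pem', 'hashed-dir', 'unhashed-dir' or 'missing'."""
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            return "bundle" if PEM_MARKER in fh.read() else "not-pem"
    if os.path.isdir(path):
        hashed = any(HASHED_NAME.match(name) for name in os.listdir(path))
        return "hashed-dir" if hashed else "unhashed-dir"
    return "missing"

def build_verifying_context(ca_path):
    """Client context that verifies peers; refuses a ca_path with no usable anchors."""
    kind = classify_ca_path(ca_path)
    if kind not in ("bundle", "hashed-dir"):
        raise ValueError("ca_path %r is %s: no trust anchors would load" % (ca_path, kind))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if kind == "bundle":
        ctx.load_verify_locations(cafile=ca_path)
    else:
        ctx.load_verify_locations(capath=ca_path)
    return ctx

def demo():
    """Classify a constructed layout: a certs directory holding one bundle file."""
    with tempfile.TemporaryDirectory() as root:
        certs_dir = os.path.join(root, "certs")  # stands in for /etc/pki/tls/certs/
        os.mkdir(certs_dir)
        bundle = os.path.join(certs_dir, "ca-bundle.crt")
        with open(bundle, "wb") as fh:  # placeholder body, not a real certificate
            fh.write(PEM_MARKER + b"\n(constructed)\n-----END CERTIFICATE-----\n")
        results = {"dir": classify_ca_path(certs_dir), "file": classify_ca_path(bundle)}
        try:
            build_verifying_context(certs_dir)
            results["dir_context"] = "built"
        except ValueError:
            results["dir_context"] = "refused"
        return results
```

Calling `demo()` shows the directory classified as unhashed and refused, while the bundle file inside it is accepted as a bundle candidate.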

Comment 1 Chris Duryee 2014-09-19 18:06:13 UTC
https://github.com/pulp/pulp/pull/1167

Comment 2 Chris Duryee 2014-09-22 18:55:53 UTC
merged to 2.5-dev and master

Comment 3 Chris Duryee 2014-12-23 20:52:26 UTC
fixed in pulp 2.6.0-0.2.beta

Comment 4 Preethi Thomas 2015-02-04 14:50:53 UTC
verified
Default in server.conf is
[database]

# verify_ssl: true
# ca_path: /etc/pki/tls/certs/ca-bundle.crt

Comment 5 Brian Bouterse 2015-02-28 22:20:41 UTC
Moved to https://pulp.plan.io/issues/531