Bug 1659132

Summary: Incorrect location used for system certs
Product: [Fedora] Fedora
Reporter: John Dennis <jdennis>
Component: python-certifi
Assignee: William Moreno <williamjmorenor>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 28
CC: bperkins, pviktori, williamjmorenor
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-certifi-2018.10.15-3.fc28 python-certifi-2018.10.15-3.fc29 python-certifi-2018.10.15-4.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-12-28 08:11:18 UTC
Type: Bug

Description John Dennis 2018-12-13 16:20:50 UTC
The certifi patch to use the system certs uses this pathname:

/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Anything under /etc/pki/ca-trust is "private" for use by the ca-trust subsystem as a ca-trust implementation detail. The ca-trust subsystem is free to change its implementation because the "public" access to the certs is accessed through the (Red Hat) standardized /etc/pki/tls/certs directory via symlinks. Likewise the symlinks provide freedom to have a package other than ca-trust manage system certs.

FYI, the python-requests patch correctly points to:

/etc/pki/tls/certs/ca-bundle.crt

This is documented in the update-ca-certs man page.

Granted, it is true that currently /etc/pki/tls/certs/ca-bundle.crt is symlinked to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem but that is meant to provide an abstraction for system certs much like how the alternatives package works or how we symlink major versions of the python interpreter to explicit versions.

where() should return /etc/pki/tls/certs/ca-bundle.crt

The variable f is no longer referenced and it is meaningless to call os.path.join() with a single argument. The original patch should have just removed that code.
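
Added example, not part of the original report and not certifi's or Fedora's code: a Python sketch of the public/private distinction described above. It classifies a hardcoded bundle path, then rebuilds the symlink layout in a temporary directory and shows which path survives when the owning package relocates its file. The relocated "v2" location and both function names are hypothetical, and the bundle content is a constructed placeholder.

```python
import os
import tempfile

# Paths from the bug report.
PUBLIC_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"
PRIVATE_PREFIX = "/etc/pki/ca-trust/"


def classify_bundle_path(path):
    """Return 'public', 'private' or 'other' for a configured CA bundle path.

    Only the literal path matters: a consumer is coupled to the string it
    hardcodes, not to where that string currently resolves.
    """
    norm = os.path.normpath(path)
    if norm == PUBLIC_BUNDLE:
        return "public"
    if (norm + "/").startswith(PRIVATE_PREFIX):
        return "private"
    return "other"


def simulate_backend_change(root):
    """Build a constructed /etc/pki tree under root, relocate the bundle
    (hypothetical new location) and repoint the public symlink, then report
    which hardcoded path still opens."""
    old = os.path.join(root, "etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
    new = os.path.join(root, "etc/pki/ca-trust/extracted/v2/bundle.pem")  # hypothetical
    public = os.path.join(root, "etc/pki/tls/certs/ca-bundle.crt")
    for p in (old, new, public):
        os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(old, "w") as fh:
        fh.write("constructed placeholder, not a real certificate\n")
    os.symlink(old, public)
    # The owning package moves its file and updates the public symlink.
    os.replace(old, new)
    os.remove(public)
    os.symlink(new, public)
    return {"public": os.path.exists(public), "private": os.path.exists(old)}


if __name__ == "__main__":
    for p in (PUBLIC_BUNDLE, "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"):
        print(p, "->", classify_bundle_path(p))
    with tempfile.TemporaryDirectory() as tmp:
        print(simulate_backend_change(tmp))
```
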

Comment 1 John Dennis 2018-12-13 16:28:51 UTC
pull request created
https://src.fedoraproject.org/rpms/python-certifi/pull-request/2

Comment 2 Fedora Update System 2018-12-13 17:23:27 UTC
python-certifi-2018.10.15-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-baf220b7a8

Comment 3 Fedora Update System 2018-12-13 17:31:14 UTC
python-certifi-2018.10.15-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a58f4729b3

Comment 4 Fedora Update System 2018-12-13 17:38:40 UTC
python-certifi-2018.10.15-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b20c4bc609

Comment 5 Fedora Update System 2018-12-15 03:19:37 UTC
python-certifi-2018.10.15-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b20c4bc609

Comment 6 Fedora Update System 2018-12-28 08:11:18 UTC
python-certifi-2018.10.15-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2018-12-28 09:02:16 UTC
python-certifi-2018.10.15-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Petr Viktorin 2019-01-03 17:05:25 UTC
A BuildRequires for the old path still remains in the spec file:

# Force requeriments to this file provides vi the ca-certificates
# any change to this file path will make the build file and avoid
# a broken symlink in the rpm.
BuildRequires:  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

IMO that should be changed to:

# Require the system certificate bundle (/etc/pki/tls/certs/ca-bundle.crt)
BuildRequires: ca-certificates

Comment 10 Fedora Update System 2019-03-12 16:33:15 UTC
python3-zope-event-4.2.0-3.el7 python3-zope-interface-4.3.3-4.el7 python-aiosmtpd-1.0-3.el7 python-arrow-0.8.0-4.el7 python-asn1crypto-0.24.0-7.el7 python-astroid-1.4.9-3.el7 python-atpublic-0.5-2.el7 python-attrs-17.4.0-4.el7 python-backports_abc-0.5-2.el7 python-bitarray-0.8.3-2.el7 python-blessed-1.14.1-3.el7 python-blosc-1.2.8-5.el7 python-bottle-0.12.13-2.el7 python-breathe-4.2.0-4.el7 python-bsddb3-6.2.6-4.el7 python-cached_property-1.5.1-2.el7 python-camel-0.1.2-2.el7 python-catkin-sphinx-0.2.2-3.el7 python-certifi-2018.10.15-4.el7 python-chai-1.1.1-5.el7 python-click-6.7-8.el7 python-clyent-1.2.2-3.el7 python-collada-0.4-16.el7 python-colorclass-2.2.0-3.el7 python-contextlib2-0.5.1-3.el7 python-cookies-2.2.1-8.el7 python-cov-core-1.15.0-9.el7 python-crypto-2.6.1-16.el7 python-cytoolz-0.9.0.1-4.el7 python-datadog-0.23.0-3.el7 python-ddt-1.1.3-2.el7 python-defusedxml-0.5.0-2.el7 python-distlib-0.2.7-3.el7 python-distutils-extra-2.39-8.el7 python-dockerpty-0.4.1-10.el7 python-docopt-0.6.2-8.el7 python-easyargs-0.9.4-3.el7 python-easygui-0.96-20.el7 python-ecdsa-0.13-10.el7 python-empy-3.3.3-2.el7 python-enlighten-1.1.0-2.el7 python-execnet-1.2.0-7.el7 python-falcon-1.4.1-2.el7 python-flexmock-0.10.2-5.el7 python-flufl-bounce-2.3-6.el7 python-flufl-i18n-1.1.3-6.el7 python-flufl-lock-2.4.1-6.el7 python-flufl-testing-0.4-6.el7 python-freezegun-0.1.19-2.el7 python-gammu-2.11-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0d62608bce

Comment 11 Fedora Update System 2019-03-12 22:42:43 UTC
python-aiosmtpd-1.0-3.el7, python-arrow-0.8.0-4.el7, python-asn1crypto-0.24.0-7.el7, python-astroid-1.4.9-3.el7, python-atpublic-0.5-2.el7, python-attrs-17.4.0-4.el7, python-backports_abc-0.5-2.el7, python-bitarray-0.8.3-2.el7, python-blessed-1.14.1-3.el7, python-blosc-1.2.8-5.el7, python-bottle-0.12.13-2.el7, python-breathe-4.2.0-4.el7, python-bsddb3-6.2.6-4.el7, python-cached_property-1.5.1-2.el7, python-camel-0.1.2-2.el7, python-catkin-sphinx-0.2.2-3.el7, python-certifi-2018.10.15-4.el7, python-chai-1.1.1-5.el7, python-click-6.7-8.el7, python-clyent-1.2.2-3.el7, python-collada-0.4-16.el7, python-colorclass-2.2.0-3.el7, python-contextlib2-0.5.1-3.el7, python-cookies-2.2.1-8.el7, python-cov-core-1.15.0-9.el7, python-crypto-2.6.1-16.el7, python-cytoolz-0.9.0.1-4.el7, python-datadog-0.23.0-3.el7, python-ddt-1.1.3-2.el7, python-defusedxml-0.5.0-2.el7, python-distlib-0.2.7-3.el7, python-distutils-extra-2.39-8.el7, python-dockerpty-0.4.1-10.el7, python-docopt-0.6.2-8.el7, python-easyargs-0.9.4-3.el7, python-easygui-0.96-20.el7, python-ecdsa-0.13-10.el7, python-empy-3.3.3-2.el7, python-enlighten-1.1.0-2.el7, python-execnet-1.2.0-7.el7, python-falcon-1.4.1-2.el7, python-flexmock-0.10.2-5.el7, python-flufl-bounce-2.3-6.el7, python-flufl-i18n-1.1.3-6.el7, python-flufl-lock-2.4.1-6.el7, python-flufl-testing-0.4-6.el7, python-freezegun-0.1.19-2.el7, python-gammu-2.11-3.el7, python3-zope-event-4.2.0-3.el7, python3-zope-interface-4.3.3-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0d62608bce

Comment 12 Fedora Update System 2019-04-03 18:50:43 UTC
python-aiosmtpd-1.0-3.el7, python-arrow-0.8.0-4.el7, python-asn1crypto-0.24.0-7.el7, python-astroid-1.4.9-3.el7, python-atpublic-0.5-2.el7, python-attrs-17.4.0-4.el7, python-backports_abc-0.5-2.el7, python-bitarray-0.8.3-2.el7, python-blessed-1.14.1-3.el7, python-blosc-1.2.8-5.el7, python-bottle-0.12.13-2.el7, python-breathe-4.2.0-4.el7, python-bsddb3-6.2.6-4.el7, python-cached_property-1.5.1-2.el7, python-camel-0.1.2-2.el7, python-catkin-sphinx-0.2.2-3.el7, python-certifi-2018.10.15-4.el7, python-chai-1.1.1-5.el7, python-click-6.7-8.el7, python-clyent-1.2.2-3.el7, python-collada-0.4-16.el7, python-colorclass-2.2.0-3.el7, python-contextlib2-0.5.1-3.el7, python-cookies-2.2.1-8.el7, python-cov-core-1.15.0-9.el7, python-crypto-2.6.1-16.el7, python-cytoolz-0.9.0.1-4.el7, python-datadog-0.23.0-3.el7, python-ddt-1.1.3-2.el7, python-defusedxml-0.5.0-2.el7, python-distlib-0.2.7-3.el7, python-distutils-extra-2.39-8.el7, python-dockerpty-0.4.1-10.el7, python-docopt-0.6.2-8.el7, python-easyargs-0.9.4-3.el7, python-easygui-0.96-20.el7, python-ecdsa-0.13-10.el7, python-empy-3.3.3-2.el7, python-enlighten-1.1.0-2.el7, python-execnet-1.2.0-7.el7, python-falcon-1.4.1-2.el7, python-flexmock-0.10.2-5.el7, python-flufl-bounce-2.3-6.el7, python-flufl-i18n-1.1.3-6.el7, python-flufl-lock-2.4.1-6.el7, python-flufl-testing-0.4-6.el7, python-freezegun-0.1.19-2.el7, python-gammu-2.11-3.el7, python3-zope-event-4.2.0-3.el7, python3-zope-interface-4.3.3-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.