Bug 1680063

Summary: python2-certifi points to the wrong location
Product: OpenShift Container Platform
Component: Service Broker
Version: 3.11.0
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Reporter: Pablo Alonso Rodriguez <palonsor>
Assignee: Shawn Hurley <shurley>
QA Contact: Zihan Tang <zitang>
CC: aos-bugs, chezhang, cprocter, jmontleo, vmeghana
Doc Type: No Doc Update
Type: Bug
Last Closed: 2019-06-06 02:00:28 UTC

Description Pablo Alonso Rodriguez 2019-02-22 16:21:43 UTC
Description of problem:

Package python2-certifi points to the same CA location as the upstream version, "/usr/lib/python2.7/site-packages/certifi/cacert.pem", as per:

$ python -m certifi
/usr/lib/python2.7/site-packages/certifi/cacert.pem

But does not bundle the cacert.pem file as per:

$ rpm -ql python2-certifi | grep /usr/lib/python2.7/site-packages/certifi/cacert.pem

$

It should either include the file or point to the system bundle (as the Fedora version does):

$ python -m certifi
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Version-Release number of the following components:

$ rpm -q python2-certifi
python2-certifi-2018.4.16-1.el7.noarch

How reproducible:

Always

Steps to Reproduce:

$ python -m certifi
/usr/lib/python2.7/site-packages/certifi/cacert.pem

Actual results:

Pointing to a non-existent file

Expected results:

Either the following:

$ python -m certifi
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Or the package should include /usr/lib/python2.7/site-packages/certifi/cacert.pem
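
A start-up check for the condition reported above, as an added example that is not part of the bug report or of the certifi package: it tests whether the path certifi reports exists and holds at least one PEM certificate block, and otherwise tries the system bundles named in this report. The function names and the `demo()` fixture are hypothetical; the check is structural only (PEM framing and base64) and does not parse the certificates.

```python
import base64
import os
import re
import tempfile

# Paths quoted in the bug report.
REPORTED = "/usr/lib/python2.7/site-packages/certifi/cacert.pem"
SYSTEM_BUNDLES = ["/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
                  "/etc/pki/tls/certs/ca-bundle.crt"]
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s*-----END CERTIFICATE-----", re.S)

def count_pem_certs(path):
    """Number of PEM certificate blocks with a valid, non-empty base64 body
    in path; None when the file is missing or unreadable."""
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    count = 0
    for body in PEM_BLOCK.findall(text):
        try:
            if base64.b64decode("".join(body.split()).encode("ascii"),
                                validate=True):
                count += 1
        except ValueError:  # bad base64 or non-ASCII body
            pass
    return count

def resolve_ca_bundle(reported, fallbacks):
    """Return (path, n_certs) for the first candidate with >= 1 certificate.
    Raises RuntimeError listing every path tried, so a missing bundle is
    caught at start-up instead of on the first TLS connection."""
    tried = []
    for path in [reported] + list(fallbacks):
        n = count_pem_certs(path)
        if n:
            return path, n
        tried.append("%s (%s)" % (path, "missing" if n is None else "no certificates"))
    raise RuntimeError("no usable CA bundle: " + "; ".join(tried))

def demo():
    """Constructed reproduction: reported path absent, fallback present."""
    d = tempfile.mkdtemp()
    missing = os.path.join(d, "certifi", "cacert.pem")  # never created
    bundle = os.path.join(d, "tls-ca-bundle.pem")
    with open(bundle, "w") as fh:  # constructed placeholder, not a real cert
        fh.write("-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n")
    return missing, bundle, resolve_ca_bundle(missing, [bundle])
```

On a real host, call `resolve_ca_bundle(certifi.where(), SYSTEM_BUNDLES)`; with the package version in this report the first candidate is reported as missing.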

Comment 2 Scott Dodson 2019-02-28 14:49:15 UTC
Package appears to be maintained by Jason Montleon for ASB / APB usage.

Comment 9 Zihan Tang 2019-04-15 09:11:30 UTC
@Pablo, thanks for your clarification,
/etc/pki/tls/certs/ca-bundle.crt is a system file.
 
bash-4.2$ ls /etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt

Move to Verified.

Comment 10 Zihan Tang 2019-04-15 09:17:53 UTC
This is also fixed in v4.0+

Comment 12 errata-xmlrpc 2019-06-06 02:00:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0794