Bug 2049484

Summary: Expired certificate in bundled botocore
Product: Red Hat Enterprise Linux 7
Reporter: Reid Wahl <nwahl>
Component: python-s3transfer
Assignee: Oyvind Albrigtsen <oalbrigt>
Status: ASSIGNED
QA Contact: cluster-qe <cluster-qe>
Severity: medium
Priority: medium
Version: 7.9
Keywords: Security
Target Milestone: rc
Hardware: All
OS: Linux
Type: Bug

Description Reid Wahl 2022-02-02 10:33:24 UTC
Description of problem:

The cacert.pem bundled in python-s3transfer's botocore libs is expired. Customer reported. Confirmed below.

[root@fastvm-rhel-7-6-21 requests]# pwd
/usr/lib/fence-agents/bundled/botocore/vendored/requests
[root@fastvm-rhel-7-6-21 requests]# openssl verify -CAfile cacert.pem cacert.pem
cacert.pem: C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
error 10 at 0 depth lookup:certificate has expired
OK

This package gets pulled in by python-boto3 (for fence-agents-aws) on RHEL 7.

-----

Version-Release number of selected component (if applicable):

python-s3transfer-0.1.13-1.el7

-----

How reproducible:

Always

-----

Steps to Reproduce:
1. cd /usr/lib/fence-agents/bundled/botocore/vendored/requests
2. openssl verify -CAfile cacert.pem cacert.pem

-----

Actual results:

cacert.pem: C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
error 10 at 0 depth lookup:certificate has expired
OK

-----

Expected results:

Not expired

Comment 4 Oyvind Albrigtsen 2022-02-04 15:53:12 UTC
The cert is getting updated in bz#2050751, and seems to solve this issue.

# cd /usr/lib/fence-agents/bundled/botocore/
# openssl verify -CAfile cacert.pem cacert.pem
cacert.pem: OK