Bug 454129

Summary: CA certificate missing for launchpad, bzr fails
Product: [Fedora] Fedora
Component: openssl
Version: 9
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: low
Reporter: Gene Czarcinski <gczarcinski>
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Doc Type: Bug Fix
Last Closed: 2008-07-05 19:29:35 UTC

Description Gene Czarcinski 2008-07-05 05:29:01 UTC
Description of problem:

bzr launchpad-login xxxx fails with:

pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA
certificates')

In Fedora 9, the python-pycurl package was added to the requirements for bzr.

If python-pycurl is not installed, bzr works but does not authenticate
launchpad's certificate.  The situation was also true in Fedora 8, but, with no
python-pycurl package, bzr worked.

Rather than using bzr, the situation/problem can be tested with:

python /usr/lib64/python2.5/site-packages/curl/__init__.py

Using https://launchpad.net fails

Using https://www.redhat.com works

When I first reported this to bzr bugs https://bugs.launchpad.net/bugs/245634
another user claimed that the problem was fixed on Debian by installing their
ca-certificates package: 
http://packages.debian.org/unstable/misc/ca-certificates

This tells me that Debian has the right CA cert but Fedora does not.

This is impacting my ability to use bzr since I must identify myself
(launchpad-login) to be able to "push" files up to launchpad.


Version-Release number of selected component (if applicable):
Fedora 9, openssl-0.9.8g-9.fc9

How reproducible:
yes

Comment 1 Gene Czarcinski 2008-07-05 13:51:19 UTC
I believe that I have some proof that the bzr problem with https://launchpad.net
is a missing CA cert.  First, I installed "curl" to have a nice command line
interface.

1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com
result: html

2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net
result: curl: (60) Peer certificate cannot be authenticated ...
-----------------------------------------------------
get new cacert.pem from http://curl.haxx.se/docs/caextract.html
[curl website]
-----------------------------------------------------
3. run: curl --cacert ./cacert https://www.redhat.com
result: html

4. run: curl --cacert ./cacert https://launchpad.net
result: html ... looking good!
-----------------------------------------------------
This proves something but I am not sure what because if I copy the new
cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works
but launchpad does not.

OK, one more test:  copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's]

run curl --cacert ./ca-bundle.crt https://launchpad.net
result: html

I thought I had it but this now looks like it might be a problem with curl/libcurl.

I am going to open a problem with curl but will leave this one open for a while.

Anything helpful will be appreciated.
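
An added example, not part of the original report and not code from curl or OpenSSL: one way to take curl out of the loop when testing whether a CA bundle contains a certificate's issuer is to check the chain with `openssl verify` directly. The two CAs, the leaf certificate, and all file and function names below are constructed test data and assumptions.

```shell
#!/bin/sh
# Added example: every certificate here is constructed, throwaway test data.

# make_ca DIR NAME: create a self-signed test CA (NAME.key, NAME.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA: issue DIR/leaf.pem (CN=server.example.test) signed by CA.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# bundle_trusts BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE.
# The ": OK" line is checked because old openssl releases exit 0 on failure.
bundle_trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# issuer_of CERT: print the issuer name that a bundle must contain.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

# demo: one bundle holding the issuing CA, one holding only an unrelated CA.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" issuing && make_ca "$dir" unrelated &&
        make_leaf "$dir" issuing || return 1
    cat "$dir/issuing.pem" "$dir/unrelated.pem" > "$dir/full-bundle.pem"
    cp "$dir/unrelated.pem" "$dir/partial-bundle.pem"
    issuer_of "$dir/leaf.pem"
    for b in full-bundle partial-bundle; do
        if bundle_trusts "$dir/$b.pem" "$dir/leaf.pem"; then
            echo "$b: chain verifies"
        else
            echo "$b: issuer not in bundle"
        fi
    done
    rm -rf "$dir"
}

demo
```

If the bundle verifies the chain here but the client still reports error 60 with the same file, the difference lies in how the client locates or loads its CA store rather than in the bundle's contents.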


Comment 2 Gene Czarcinski 2008-07-05 19:29:35 UTC
This is looking more and more like libcurl so I am going to close this.

The real problem could still be something in openssl but it sure does not look
like it.  More info:
https://bugzilla.redhat.com/show_bug.cgi?id=454151