Bug 727449

Summary: fetch-crl lacks a dependency, leading to failing ssl-downloads.
Product: [Fedora] Fedora EPEL Reporter: Ulf Tigerstedt <tigerste>
Component: fetch-crlAssignee: Steve Traylen <steve.traylen>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: el6CC: davidg, steve.traylen
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-08-14 09:37:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ulf Tigerstedt 2011-08-02 07:55:34 UTC 
Description of problem:

Without manually installing perl-IO-Socket-SSL fetch-crl can't fetch
CRL-files from https:// urls.
This is mostly visible with NAREGI, which has a URL of 
http://www.naregi.org/ca/out-CRL2.crl , which is redirected to an https address.

Version-Release number of selected component (if applicable):

fetch-crl-3.0.7-1.el6.noarch

How reproducible:

Install fetch-crl and the EGI trustancor CA distribution on a bare machine, run
fetchcrl. It will always fail downloading from NAREGI.
By manually installing the perl-IO-Socket-SSL rpm, it works without problems.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Tested on both RHEL6.1 and Scientific Linux 6.
Comment 1 David Groep 2011-08-02 08:21:11 UTC 
FYI: the NAREGI CA has been informed of this issue and should revert back to a plain http URL (without redirect to https) for downloading the CRL. It is expected that the specific reported error will thus disappear shortly.

Nominally, the fetch-crl tool itself does not have a /necessary/ dependency on SSL sockets, since it only needs it if your list of CRL URLs contains or uses one of the ssl-based protocols. I happily leave it to Steve Traylen to decide on this bug as for the Fedora/EPEL packaging.
Comment 2 Steve Traylen 2011-08-14 09:37:05 UTC 
Given Naregi is going to change I will do nothing, if however a CA appears
within IGTF that is https then I will add the dependency.

Steve.