Bug 998334

Summary: RFE: Provide a way to disable ssl cert checks
Product: [Community] PressGang CCMS
Component: CSProcessor
Reporter: Lee Newson <lnewson>
Assignee: Lee Newson <lnewson>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 1.x
CC: mcaspers
Target Release: 1.3
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-12-03 22:16:13 UTC

Description Lee Newson 2013-08-19 05:01:24 UTC
When connecting to internal URLs the SSL Certification checks fail because the internal SSL Certificates are signed by an internal CA. As such it would be a lot easier (although less secure) if you could just disable the SSL certificate validation (i.e. something like --disable-ssl-cert).

Comment 1 Lee Newson 2013-11-08 02:34:42 UTC
Added in 1.3-SNAPSHOT build 201311081229

The csprocessor now has a --disable-ssl-cert option on the push-translation command to disable the SSL certification validation.

Comment 3 Lee Newson 2013-11-25 01:55:37 UTC
I've also added this option to the sync-translation command for cspclient-1.3-3.noarch.rpm

Additional testing notes:

The best way to test this is to remove the Red Hat IS CA Cert by running the following command:

keytool -delete -alias rhiscacert -keystore keystore.jks

and then run a command that connects to the internal Zanata instance with the --disable-ssl-cert option set. If you then get past the connecting stage (i.e. it'll say "Connection to Zanata server: ..."), then this option works.

Comment 4 Lee Newson 2013-11-25 02:00:19 UTC
Forgot to mention that keystore.jks should be the location of your Java install's cacerts file. The path below shows an example of the location of this file:

/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/cacerts

Note: For OpenJDK installs on Fedora/RHEL the above is normally a symlink to /etc/pki/java/cacerts
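
The test from Comments 3 and 4, run against a private copy of the trust store so that the system cacerts file is never modified. This is an added example, not part of the original comments or of the csprocessor project. The function name, the store password "changeit" (the JDK default) and pointing the JVM at the copy through JAVA_TOOL_OPTIONS are assumptions.

```shell
#!/bin/sh
# Added example: prepare a throwaway trust store for the --disable-ssl-cert test.
# Assumptions: the store password is the JDK default "changeit"; the alias and
# the cacerts path are the ones quoted in Comments 3 and 4.

# make_test_truststore SRC DEST [ALIAS] [STOREPASS]
# Copies SRC to DEST, deletes ALIAS from the copy and prints DEST.
# Returns 2 if SRC cannot be copied, 3 if keytool is missing,
# 4 if ALIAS is not in the store, 5 if ALIAS survives the deletion.
make_test_truststore() {
    src=$1; dest=$2; alias_name=${3:-rhiscacert}; pass=${4:-changeit}

    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 3; }
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # -L follows the symlink to /etc/pki/java/cacerts noted in Comment 4.
    cp -L "$src" "$dest" || return 2
    chmod u+w "$dest"

    # If the CA is not in the store to begin with, the test proves nothing.
    keytool -list -alias "$alias_name" -keystore "$dest" -storepass "$pass" \
        >/dev/null 2>&1 || { echo "alias $alias_name not in $src" >&2; return 4; }

    keytool -delete -alias "$alias_name" -keystore "$dest" -storepass "$pass" \
        >/dev/null || return 5

    # Confirm the CA is really gone from the copy before relying on it.
    if keytool -list -alias "$alias_name" -keystore "$dest" -storepass "$pass" \
        >/dev/null 2>&1; then
        echo "alias $alias_name still present in $dest" >&2
        return 5
    fi
    printf '%s\n' "$dest"
}

# Usage (paths from Comment 4; the csprocessor command line is a placeholder):
#   ts=$(make_test_truststore \
#        /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/cacerts /tmp/cacerts.test)
#   JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=$ts" \
#       <csprocessor command> --disable-ssl-cert
```

Running the same command without --disable-ssl-cert against the copied store should fail at the connecting stage, which confirms that the option, and not a still-trusted CA, is what lets the connection through.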

Comment 6 Matthew Casperson 2013-11-27 20:46:03 UTC
There were no errors when I tried --disable-ssl-cert against the test Zanata instance. The test Zanata instance doesn't implement HTTPS though.

Comment 9 Lee Newson 2013-11-27 23:51:11 UTC
Fixed in 1.3-SNAPSHOT build 201311280944

The name of the resource was incorrect and also I had missed passing through the disable option for sync-translation in the initial host check.

Comment 12 Matthew Casperson 2013-11-28 00:58:17 UTC
Ignore the above error. I tested a sync without a cert against the dev server and it worked ok.