Bug 1009371 - bkr client shows SSL certificate verification error when editing access policy
Summary: bkr client shows SSL certificate verification error when editing access policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: command line
Version: develop
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: 0.15
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-18 10:06 UTC by xjia
Modified: 2018-02-06 00:41 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-21 00:31:46 UTC
Embargoed:


Attachments (Terms of Use)

Comment 3 Dan Callaghan 2013-09-18 23:17:42 UTC
This error is expected if the Beaker server's SSL cert is signed by a CA not trusted by requests. The requests package in Fedora (and eng-rhel-6) has been patched to check CA certs from the system-wide trust store in /etc/pki/tls/certs/.

Comment 5 Dan Callaghan 2013-09-19 01:09:20 UTC
Looking closer, it seems requests will only load CA certificates from /etc/pki/tls/certs/ca-bundle.crt, it *won't* do the OpenSSL hashed directory lookup in /etc/pki/tls/certs/ so just adding a custom certificate there will not work.

So it will work if you append the custom certificate to /etc/pki/tls/certs/ca-bundle.crt but it may not be reasonable to require people to do that. Incidentally Fedora 19 has a solution to this [1] but that doesn't help us on RHEL6.

We should probably add an option in the client config to point at a particular CA certificate rather than the system default one.

[1] http://fedoraproject.org/wiki/Features/SharedSystemCertificates

Comment 6 Dan Callaghan 2013-09-19 01:29:44 UTC
On Gerrit: http://gerrit.beaker-project.org/2278

Comment 12 Nick Coghlan 2013-10-03 02:30:13 UTC
Beaker 0.15 has been released.


Note You need to log in before you can comment on or make changes to this bug.