Bug 1009371 - bkr client shows SSL certificate verification error when editing access policy
bkr client shows SSL certificate verification error when editing access policy
Product: Beaker
Classification: Community
Component: command line (Show other bugs)
Unspecified Unspecified
high Severity high (vote)
: 0.15
: ---
Assigned To: Dan Callaghan
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2013-09-18 06:06 EDT by xjia
Modified: 2018-02-05 19:41 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-01-20 19:31:46 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Comment 3 Dan Callaghan 2013-09-18 19:17:42 EDT
This error is expected if the Beaker server's SSL cert is signed by a CA not trusted by requests. The requests package in Fedora (and eng-rhel-6) has been patched to check CA certs from the system-wide trust store in /etc/pki/tls/certs/.
Comment 5 Dan Callaghan 2013-09-18 21:09:20 EDT
Looking closer, it seems requests will only load CA certificates from /etc/pki/tls/certs/ca-bundle.crt, it *won't* do the OpenSSL hashed directory lookup in /etc/pki/tls/certs/ so just adding a custom certificate there will not work.

So it will work if you append the custom certificate to /etc/pki/tls/certs/ca-bundle.crt but it may not be reasonable to require people to do that. Incidentally Fedora 19 has a solution to this [1] but that doesn't help us on RHEL6.

We should probably add an option in the client config to point at a particular CA certificate rather than the system default one.

[1] http://fedoraproject.org/wiki/Features/SharedSystemCertificates
Comment 6 Dan Callaghan 2013-09-18 21:29:44 EDT
On Gerrit: http://gerrit.beaker-project.org/2278
Comment 12 Nick Coghlan 2013-10-02 22:30:13 EDT
Beaker 0.15 has been released.

Note You need to log in before you can comment on or make changes to this bug.