Red Hat Bugzilla – Bug 1009371
bkr client shows SSL certificate verification error when editing access policy
Last modified: 2015-07-19 20:52:30 EDT
This error is expected if the Beaker server's SSL cert is signed by a CA not trusted by requests. The requests package in Fedora (and eng-rhel-6) has been patched to check CA certs from the system-wide trust store in /etc/pki/tls/certs/.
Looking closer, it seems requests will only load CA certificates from /etc/pki/tls/certs/ca-bundle.crt, it *won't* do the OpenSSL hashed directory lookup in /etc/pki/tls/certs/ so just adding a custom certificate there will not work.
So it will work if you append the custom certificate to /etc/pki/tls/certs/ca-bundle.crt but it may not be reasonable to require people to do that. Incidentally Fedora 19 has a solution to this  but that doesn't help us on RHEL6.
We should probably add an option in the client config to point at a particular CA certificate rather than the system default one.
On Gerrit: http://gerrit.beaker-project.org/2278
Beaker 0.15 has been released.