Red Hat Bugzilla – Bug 103358
New repo backend design has unhandled exceptions
Last modified: 2007-04-18 12:57:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703
Description of problem:
Whilst trying a routine up2date the certificate for xmlrpc.rhn.redhat.com was
not signed by RHNS-CA-CERT so an SSL Error was obtained.
SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
from up2date_client import repoDirector
in repoDirector there is a call in the header
channels = rhnChannel.getChannels()
which in turn calls login() which can return an SSL.Error from the xmlrpc backend.
This leaves a nasty python stacktrace. As this is not in main() of wrapper.py
it isn't caught.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Replace RHNS-CA-CERT with a invalid one (or break it server side):
openssl genrsa -out server.key 1024
openssl req -new -x509 -days 365 -key server.key -out server.crt
openssl x509 -noout -text -in server.crt > RHNS-CA-CERT
2. replace cert or point up2date at invalid one
3. run up2date -l
Actual Results: Stack trace
Expected Results: A nice error message should be printed
Created attachment 94063 [details]
Patch to handle exception on import
This handles the exception at the outermost level of up2date.
Thanks for the patch. I think I fixed this by rearraging some
of the module imports so ssl errors dont happen when importing
repoDirector. The old ssl error catching code seems to work
with the new org.
3.9.19 should have it, if not 3.9.21 at least does.
[root@enki rhn]# rpm -q up2date
[root@enki rhn]# grep CA up2date
sslCACert[comment]=The CA cert used to verify the ssl server
[root@enki rhn]# up2date -l
There was an SSL error: 
A common cause of this error is the system time being incorrect.
Verify that the time on this system is correct.