From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703

Description of problem:
Whilst trying a routine up2date the certificate for xmlrpc.rhn.redhat.com was not signed by RHNS-CA-CERT so an SSL Error was obtained.

...
SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

essentially

try:
    from up2date_client import repoDirector
...

in repoDirector there is a call in the header

channels = rhnChannel.getChannels()

which in turn calls login() which can return an SSL.Error from the xmlrpc backend. This leaves a nasty python stacktrace. As this is not in main() of wrapper.py it isn't caught.

Version-Release number of selected component (if applicable):
up2date-3.9.15

How reproducible:
Always

Steps to Reproduce:
1. Replace RHNS-CA-CERT with an invalid one (or break it server side):
   openssl genrsa -out server.key 1024
   openssl req -new -x509 -days 365 -key server.key -out server.crt
   openssl x509 -noout -text -in server.crt > RHNS-CA-CERT
2. replace cert or point up2date at invalid one
3. run up2date -l

Actual Results:
Stack trace

Expected Results:
A nice error message should be printed

Created attachment 94063
Patch to handle exception on import

This handles the exception at the outermost level of up2date.

Thanks for the patch. I think I fixed this by rearranging some of the module imports so ssl errors don't happen when importing repoDirector. The old ssl error catching code seems to work with the new org. 3.9.19 should have it, if not 3.9.21 at least does.

[root@enki rhn]# rpm -q up2date
up2date-4.1.14-2
[root@enki rhn]# grep CA up2date
sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHNS-CA-CERT.b0rk
[root@enki rhn]# up2date -l
There was an SSL error: []
A common cause of this error is the system time being incorrect. Verify that the time on this system is correct.
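
An added illustration of the import-time failure described in this report and of the two remedies discussed in the comments; it is not up2date code. The names eager_repo, lazy_repo and the handler functions are hypothetical, and Python's standard ssl.SSLCertVerificationError stands in for the OpenSSL binding's SSL.Error:

```python
import importlib, pathlib, ssl, sys, tempfile

# Constructed stand-ins, not up2date code. EAGER performs its login at import
# time, as the report describes for repoDirector; LAZY defers it to a call.
LOGIN = ('import ssl\n'
         'def login():\n'
         '    raise ssl.SSLCertVerificationError(1, "certificate verify failed")\n')
EAGER = LOGIN + "channels = login()\n"                     # runs during import
LAZY = LOGIN + "def get_channels():\n    return login()\n"  # runs only when called

_tmp = pathlib.Path(tempfile.mkdtemp())
(_tmp / "eager_repo.py").write_text(EAGER)
(_tmp / "lazy_repo.py").write_text(LAZY)
sys.path.insert(0, str(_tmp))
importlib.invalidate_caches()

def friendly(err):
    return "There was an SSL error: %s" % err

def handler_after_import():
    """Reported layout: the import sits outside the guarded block."""
    repo = importlib.import_module("eager_repo")   # raises here, unguarded
    try:
        return repo.channels
    except ssl.SSLError as err:
        return friendly(err)

def handler_around_import():
    """Outermost-level handling: the import itself is inside the try."""
    try:
        return importlib.import_module("eager_repo").channels
    except ssl.SSLError as err:
        return friendly(err)

def handler_with_lazy_module():
    """Rearranged imports: importing has no side effects, old handler works."""
    repo = importlib.import_module("lazy_repo")
    try:
        return repo.get_channels()
    except ssl.SSLError as err:
        return friendly(err)

if __name__ == "__main__":
    print(handler_around_import())
    print(handler_with_lazy_module())
    try:
        handler_after_import()
    except ssl.SSLError as err:
        print("escaped the handler (a traceback in a real client):", err)
```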