Bug 1142376 - pulp.bindings.server.DEFAULT_CA_PATH does not point to a valid certificate pack
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Pulp
Classification: Retired
Component: API/integration
Version: 2.4.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 2.6.0
Assignee: Chris Duryee
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-16 16:24 UTC by Randy Barlow
Modified: 2015-02-28 22:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-28 22:20:41 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Pulp Redmine 531 0 None None None Never

Description Randy Barlow 2014-09-16 16:24:50 UTC
Description of problem:
pulp.bindings.server.DEFAULT_CA_PATH is set to '/etc/pki/tls/certs/' when it should be set to '/etc/pki/tls/certs/ca-bundle.crt'. This means that the bindings will not work with real root certificates unless the user explicitly sets the PulpConnection's ca_path __init__ parameter.

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time

Steps to Reproduce:
1. Use the Pulp bindings to make a connection to a server that is using an SSL certificate that is signed by a CA that you have installed into /etc/pki/tls/certs/ca-bundle.crt, but do not pass the ca_path parameter to PulpConnection.__init__().

Actual results:
You should see an SSL trust failure raised from M2Crypto.

Expected results:
By default, we should work with root certificates installed at /etc/pki/tls/certs/ca-bundle.crt with no additional configuration.
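
A pre-flight check for the misconfiguration described above, added here as an example (it is not Pulp's code and not the fix from the pull request). It tells a CA bundle file apart from a directory that has no OpenSSL hash-named entries; the names classify_ca_path and demo, the kind labels, and the temporary layout are hypothetical, and the returned keywords are those of the standard library's ssl.SSLContext.load_verify_locations() rather than M2Crypto.

```python
import os
import re
import tempfile

PEM_MARKER = "-----BEGIN CERTIFICATE-----"
# OpenSSL finds CAs in a capath directory only by subject-hash names such as "9d04f354.0".
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def classify_ca_path(path):
    """Return (kind, kwargs); kwargs suit ssl.SSLContext.load_verify_locations()."""
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            has_cert = PEM_MARKER in fh.read()
        return ("bundle", {"cafile": path}) if has_cert else ("file-without-certs", {})
    if os.path.isdir(path):
        hashed = [n for n in os.listdir(path) if HASHED_NAME.match(n)]
        # A directory holding only a bundle file offers nothing to a capath lookup.
        return ("hashed-dir", {"capath": path}) if hashed else ("unhashed-dir", {})
    return ("missing", {})


def demo():
    """Classify a constructed layout shaped like /etc/pki/tls/certs/."""
    with tempfile.TemporaryDirectory() as root:
        certs_dir = os.path.join(root, "certs")
        os.mkdir(certs_dir)
        bundle = os.path.join(certs_dir, "ca-bundle.crt")
        with open(bundle, "w") as fh:
            # Constructed placeholder, not a real certificate.
            fh.write(PEM_MARKER + "\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        results = {
            "directory": classify_ca_path(certs_dir)[0],
            "bundle": classify_ca_path(bundle)[0],
            "bundle_kwargs": list(classify_ca_path(bundle)[1]),
            "missing": classify_ca_path(os.path.join(root, "nope"))[0],
        }
        # Once a hash-named entry exists, the directory is usable as capath.
        open(os.path.join(certs_dir, "0a1b2c3d.0"), "w").close()  # constructed hash name
        results["directory_after_hash_entry"] = classify_ca_path(certs_dir)[0]
        return results


if __name__ == "__main__":
    for name, kind in demo().items():
        print(name, kind)
```

A result of unhashed-dir for a configured default is the condition this bug reports: the path exists, so nothing fails until certificate verification does.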

Comment 1 Chris Duryee 2014-09-19 18:06:13 UTC
https://github.com/pulp/pulp/pull/1167

Comment 2 Chris Duryee 2014-09-22 18:55:53 UTC
merged to 2.5-dev and master

Comment 3 Chris Duryee 2014-12-23 20:52:26 UTC
fixed in pulp 2.6.0-0.2.beta

Comment 4 Preethi Thomas 2015-02-04 14:50:53 UTC
verified
Default in server.conf is
[database]

# verify_ssl: true
# ca_path: /etc/pki/tls/certs/ca-bundle.crt

Comment 5 Brian Bouterse 2015-02-28 22:20:41 UTC
Moved to https://pulp.plan.io/issues/531

