Bug 1659132 - Incorrect location used for system certs
Summary: Incorrect location used for system certs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-certifi
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: William Moreno
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-13 16:20 UTC by John Dennis
Modified: 2019-04-03 18:50 UTC (History)
3 users (show)

Fixed In Version: python-certifi-2018.10.15-3.fc28 python-certifi-2018.10.15-3.fc29 python-certifi-2018.10.15-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-28 08:11:18 UTC
Type: Bug


Attachments (Terms of Use)

Description John Dennis 2018-12-13 16:20:50 UTC
The certifi patch to use the system certs uses this pathname:

/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Anything under /etc/pki/ca-trust is "private" for use by the ca-trust subsystem as a ca-trust implementation detail. The ca-trust subsystem is free to change it's implementation because the "public" access to the certs is accessed through the (Red Hat) standardized /etc/pki/tls/certs directory via symlinks. Likewise the symlinks provide freedom to have a package other than ca-trust manage system certs.

FYI, the python-requests patch correctly points to:

/etc/pki/tls/certs/ca-bundle.crt

This is documented in the update-ca-certs man page.

Granted, it is true that currently /etc/pki/tls/certs/ca-bundle.crt is symlinked to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem but that is meant to provide an abstraction for system certs much like how the alternatives package works or how we symlink major versions of the python interpreter to explicit versions.

where() should return /etc/pki/tls/certs/ca-bundle.crt

The variable f is no longer referenced and it is meaningless to call os.path.join() with a single argument. The original patch should have just removed that code.

Comment 1 John Dennis 2018-12-13 16:28:51 UTC
pull request created
https://src.fedoraproject.org/rpms/python-certifi/pull-request/2

Comment 2 Fedora Update System 2018-12-13 17:23:27 UTC
python-certifi-2018.10.15-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-baf220b7a8

Comment 3 Fedora Update System 2018-12-13 17:31:14 UTC
python-certifi-2018.10.15-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a58f4729b3

Comment 4 Fedora Update System 2018-12-13 17:38:40 UTC
python-certifi-2018.10.15-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b20c4bc609

Comment 5 Fedora Update System 2018-12-15 03:19:37 UTC
python-certifi-2018.10.15-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b20c4bc609

Comment 6 Fedora Update System 2018-12-28 08:11:18 UTC
python-certifi-2018.10.15-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2018-12-28 09:02:16 UTC
python-certifi-2018.10.15-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Petr Viktorin 2019-01-03 17:05:25 UTC
A BuildRequires for the old path still remains in the spec file:

# Force requeriments to this file provides vi the ca-certificates
# any change to this file path will make the build file and avoid
# a broken symlink in the rpm.
BuildRequires:  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

IMO that should be changed to:

# Require the system certificate bundle (/etc/pki/tls/certs/ca-bundle.crt)
BuildRequires: ca-certificates

Comment 10 Fedora Update System 2019-03-12 16:33:15 UTC
python3-zope-event-4.2.0-3.el7 python3-zope-interface-4.3.3-4.el7 python-aiosmtpd-1.0-3.el7 python-arrow-0.8.0-4.el7 python-asn1crypto-0.24.0-7.el7 python-astroid-1.4.9-3.el7 python-atpublic-0.5-2.el7 python-attrs-17.4.0-4.el7 python-backports_abc-0.5-2.el7 python-bitarray-0.8.3-2.el7 python-blessed-1.14.1-3.el7 python-blosc-1.2.8-5.el7 python-bottle-0.12.13-2.el7 python-breathe-4.2.0-4.el7 python-bsddb3-6.2.6-4.el7 python-cached_property-1.5.1-2.el7 python-camel-0.1.2-2.el7 python-catkin-sphinx-0.2.2-3.el7 python-certifi-2018.10.15-4.el7 python-chai-1.1.1-5.el7 python-click-6.7-8.el7 python-clyent-1.2.2-3.el7 python-collada-0.4-16.el7 python-colorclass-2.2.0-3.el7 python-contextlib2-0.5.1-3.el7 python-cookies-2.2.1-8.el7 python-cov-core-1.15.0-9.el7 python-crypto-2.6.1-16.el7 python-cytoolz-0.9.0.1-4.el7 python-datadog-0.23.0-3.el7 python-ddt-1.1.3-2.el7 python-defusedxml-0.5.0-2.el7 python-distlib-0.2.7-3.el7 python-distutils-extra-2.39-8.el7 python-dockerpty-0.4.1-10.el7 python-docopt-0.6.2-8.el7 python-easyargs-0.9.4-3.el7 python-easygui-0.96-20.el7 python-ecdsa-0.13-10.el7 python-empy-3.3.3-2.el7 python-enlighten-1.1.0-2.el7 python-execnet-1.2.0-7.el7 python-falcon-1.4.1-2.el7 python-flexmock-0.10.2-5.el7 python-flufl-bounce-2.3-6.el7 python-flufl-i18n-1.1.3-6.el7 python-flufl-lock-2.4.1-6.el7 python-flufl-testing-0.4-6.el7 python-freezegun-0.1.19-2.el7 python-gammu-2.11-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0d62608bce

Comment 11 Fedora Update System 2019-03-12 22:42:43 UTC
python-aiosmtpd-1.0-3.el7, python-arrow-0.8.0-4.el7, python-asn1crypto-0.24.0-7.el7, python-astroid-1.4.9-3.el7, python-atpublic-0.5-2.el7, python-attrs-17.4.0-4.el7, python-backports_abc-0.5-2.el7, python-bitarray-0.8.3-2.el7, python-blessed-1.14.1-3.el7, python-blosc-1.2.8-5.el7, python-bottle-0.12.13-2.el7, python-breathe-4.2.0-4.el7, python-bsddb3-6.2.6-4.el7, python-cached_property-1.5.1-2.el7, python-camel-0.1.2-2.el7, python-catkin-sphinx-0.2.2-3.el7, python-certifi-2018.10.15-4.el7, python-chai-1.1.1-5.el7, python-click-6.7-8.el7, python-clyent-1.2.2-3.el7, python-collada-0.4-16.el7, python-colorclass-2.2.0-3.el7, python-contextlib2-0.5.1-3.el7, python-cookies-2.2.1-8.el7, python-cov-core-1.15.0-9.el7, python-crypto-2.6.1-16.el7, python-cytoolz-0.9.0.1-4.el7, python-datadog-0.23.0-3.el7, python-ddt-1.1.3-2.el7, python-defusedxml-0.5.0-2.el7, python-distlib-0.2.7-3.el7, python-distutils-extra-2.39-8.el7, python-dockerpty-0.4.1-10.el7, python-docopt-0.6.2-8.el7, python-easyargs-0.9.4-3.el7, python-easygui-0.96-20.el7, python-ecdsa-0.13-10.el7, python-empy-3.3.3-2.el7, python-enlighten-1.1.0-2.el7, python-execnet-1.2.0-7.el7, python-falcon-1.4.1-2.el7, python-flexmock-0.10.2-5.el7, python-flufl-bounce-2.3-6.el7, python-flufl-i18n-1.1.3-6.el7, python-flufl-lock-2.4.1-6.el7, python-flufl-testing-0.4-6.el7, python-freezegun-0.1.19-2.el7, python-gammu-2.11-3.el7, python3-zope-event-4.2.0-3.el7, python3-zope-interface-4.3.3-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0d62608bce

Comment 12 Fedora Update System 2019-04-03 18:50:43 UTC
python-aiosmtpd-1.0-3.el7, python-arrow-0.8.0-4.el7, python-asn1crypto-0.24.0-7.el7, python-astroid-1.4.9-3.el7, python-atpublic-0.5-2.el7, python-attrs-17.4.0-4.el7, python-backports_abc-0.5-2.el7, python-bitarray-0.8.3-2.el7, python-blessed-1.14.1-3.el7, python-blosc-1.2.8-5.el7, python-bottle-0.12.13-2.el7, python-breathe-4.2.0-4.el7, python-bsddb3-6.2.6-4.el7, python-cached_property-1.5.1-2.el7, python-camel-0.1.2-2.el7, python-catkin-sphinx-0.2.2-3.el7, python-certifi-2018.10.15-4.el7, python-chai-1.1.1-5.el7, python-click-6.7-8.el7, python-clyent-1.2.2-3.el7, python-collada-0.4-16.el7, python-colorclass-2.2.0-3.el7, python-contextlib2-0.5.1-3.el7, python-cookies-2.2.1-8.el7, python-cov-core-1.15.0-9.el7, python-crypto-2.6.1-16.el7, python-cytoolz-0.9.0.1-4.el7, python-datadog-0.23.0-3.el7, python-ddt-1.1.3-2.el7, python-defusedxml-0.5.0-2.el7, python-distlib-0.2.7-3.el7, python-distutils-extra-2.39-8.el7, python-dockerpty-0.4.1-10.el7, python-docopt-0.6.2-8.el7, python-easyargs-0.9.4-3.el7, python-easygui-0.96-20.el7, python-ecdsa-0.13-10.el7, python-empy-3.3.3-2.el7, python-enlighten-1.1.0-2.el7, python-execnet-1.2.0-7.el7, python-falcon-1.4.1-2.el7, python-flexmock-0.10.2-5.el7, python-flufl-bounce-2.3-6.el7, python-flufl-i18n-1.1.3-6.el7, python-flufl-lock-2.4.1-6.el7, python-flufl-testing-0.4-6.el7, python-freezegun-0.1.19-2.el7, python-gammu-2.11-3.el7, python3-zope-event-4.2.0-3.el7, python3-zope-interface-4.3.3-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.