Bug 454129 - CA certificate missing for launchpad, bzr fails
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 9
Hardware: All
OS: Linux
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-05 05:29 UTC by Gene Czarcinski
Modified: 2008-07-05 19:29 UTC (History)
Last Closed: 2008-07-05 19:29:35 UTC
Description Gene Czarcinski 2008-07-05 05:29:01 UTC
Description of problem:

bzr launchpad-login xxxx fails with:

pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA
certificates')

In Fedora 9, the python-pycurl package was added to the requirements for bzr.

If python-pycurl is not installed, bzr works but does not authenticate
launchpad's certificate.  The situation was also true in Fedora 8, but, with no
python-pycurl package, bzr worked.

Rather than using bzr, the situation/problem can be tested with:

python /usr/lib64/python2.5/site-packages/curl/__init__.py

Using https://launchpad.net fails

Using https://www.redhat.com works

When I first reported this to bzr bugs https://bugs.launchpad.net/bugs/245634
another user claimed that the problem was fixed on debian by installing their
ca-certificates package: 
http://packages.debian.org/unstable/misc/ca-certificates

This tells me that debian has the right CA cert but Fedora does not.

This is impacting my ability to use bzr since I must identify myself
(launchpad-login) to be able to "push" files up to launchpad.


Version-Release number of selected component (if applicable):
Fedora 9, openssl-0.9.8g-9.fc9

How reproducible:
yes

Comment 1 Gene Czarcinski 2008-07-05 13:51:19 UTC
I believe that I have some proof that the bzr problem with https://launchpad.net
is a missing CA cert.  First, I installed "curl" to have a nice command line
interface.

1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com
result: html

2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net
result: curl: (60) Peer certificate cannot be authenticated ...
-----------------------------------------------------
get new cacert.pem from http://curl.haxx.se/docs/caextract.html
[curl website]
-----------------------------------------------------
3. run: curl --cacert ./cacert https://www.redhat.com
result: html

4. run: curl --cacert ./cacert https://launchpad.net
result: html ... looking good!
-----------------------------------------------------
This proves something but I am not sure what because if I copy the new
cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works
but launchpad does not.

OK, one more test:  copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's]

run curl --cacert ./ca-bundle.crt https://launchpad.net
result: html

I thought I had it but this now looks like it might be a problem with curl/libcurl.

I am going to open a problem with curl but will leave this one open for a while.

Anything helpful will be appreciated.
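
Added example, not part of the original bug thread: the tests in Comment 1 exercise the CA bundle and the client together, so one way to check a bundle's contents on their own is to run openssl verify against a fixed certificate. The CA names, file names and server.example.test below are constructed so the check runs offline.

```shell
#!/bin/sh
# Constructed fixture: a throwaway root signs a leaf certificate, and two
# bundles are built, one containing that root and one without it.

# usage: check_bundle <bundle.pem> <leaf.pem>  -> prints "trusted" or "untrusted"
check_bundle() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# usage: make_fixture <dir>  -> writes constructed keys, certificates and bundles
make_fixture() {
    d=$1
    # Root A stands in for the CA the server certificate chains to.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root A" \
        -keyout "$d/rootA.key" -out "$d/rootA.pem" 2>/dev/null
    # Root B is unrelated; a bundle holding only B lacks the needed CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root B" \
        -keyout "$d/rootB.key" -out "$d/rootB.pem" 2>/dev/null
    # Leaf certificate issued by Root A.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootA.pem" \
        -CAkey "$d/rootA.key" -CAcreateserial -days 1 \
        -out "$d/leaf.pem" 2>/dev/null
    cat "$d/rootA.pem" "$d/rootB.pem" > "$d/bundle-complete.pem"
    cp "$d/rootB.pem" "$d/bundle-missing.pem"
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp"
    echo "bundle with issuing root:    $(check_bundle "$tmp/bundle-complete.pem" "$tmp/leaf.pem")"
    echo "bundle without issuing root: $(check_bundle "$tmp/bundle-missing.pem" "$tmp/leaf.pem")"
    rm -rf "$tmp"
}

run_demo
```

If the same bundle gives a different answer through another client, the difference lies in how that client locates or loads the bundle rather than in the bundle's contents.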


Comment 2 Gene Czarcinski 2008-07-05 19:29:35 UTC
This is looking more and more like libcurl so I am going to close this.

The real problem could still be something in openssl but it sure does not look
like it.  More info:
https://bugzilla.redhat.com/show_bug.cgi?id=454151

