Description of problem: bzr launchpad-login xxxx failes with: pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA certificates') In Fedora 9, the python-pycurl package was added to the required for bzr. If python-pycurl is not installed, bzr works but does not authenticate launchpad's certificate. The situation was also true in Fedora 8, but, with no python-pycurl package, bzr worked. Rather than using bzr, the situation/problem can be tested with: python /usr/lib64/python2.5/site-packages/curl/__init__.py Using https://launchpad.net fails Using https://www.redhat.com works When I first reported this to bzr bugs https://bugs.launchpad.net/bugs/245634 another user claimed that the problem was fixed on debian by installing their ca-certificates package: http://packages.debian.org/unstable/misc/ca-certificates This tells me that debian has the right CA cert but Fedora does not. This is impacting my ability to use bsr since I must identify myself (launchpad-login) to be able to "push" files up to launchpad. Version-Release number of selected component (if applicable): Fedora 9, openssl-0.9.8g-9.fc9 How reproducible: yes
I believe that I have some proof that the bzr problem with https://launchpad.net is a missing CA cert. First, I installed "curl" to have a nice command line interface. 1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com result: html 2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net result: curl: (60) Peer certificate cannot be authenticated ... ----------------------------------------------------- get new cacert.pem from http://curl.haxx.se/docs/caextract.html [curl website] ----------------------------------------------------- 3. run: curl --cacert ./cacert https://www.redhat.com result: html 4. run: curl --cacert ./cacert https://launchpad.net result: html ... looking good! ----------------------------------------------------- This proves something but I am not sure what because if I copy the new cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works but launchpad does not. OK, one more test: copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's] run curl --cacert ./ca-bundle.crt https://launchpad.net result: html I thought I had it but this now looks like it might be a problem with curl/libcurl. I am going to open a problem with curl but will leave this one open for a while. Anything helpful will be appreciated.
This is looking more and more like libcurl so I am going to close this. The real problem could still be something in openssl but it sure does not look like it. More info: https://bugzilla.redhat.com/show_bug.cgi?id=454151