Comment 16 for bug 614713

Vincent Ladeuil (vila) wrote :

What does nss mean by "doesn't know" the issuer? bzr provides its own! :-}

It's quite hard to debug without being able to reproduce but if you want to give it a try here are some hints:

- for tests, pycurl uses special (transport, server) permutations (from get_tests_permutations() in bzrlib/transport/http/_pycurl.py) and adds a specific 'ca.crt' (generated for tests in bzrlib/tests/ssl_certs)

- the https server is defined in bzrlib/tests/https_server.py, all https test servers use a special certificate and key (also from ssl_certs)

http://curl.haxx.se/libcurl/c/curl_easy_setopt.html doesn't seem to match my memory; maybe things have changed since I wrote/maintained the code.

The code uses self.cabundle to set pycurl.CAINFO (originally for Windows, later on for tests too). But reading the doc now, I wonder if CURLOPT_ISSUERCERT (aka pycurl.ISSUERCERT) should be used instead for *tests* (I think Windows still needs to use CAINFO but I may be wrong).

I think the issue is different enough to file a new bug to continue the discussion.

We may also try to chat on IRC to compare our configs and see if I can reproduce the issue locally.
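
The two options discussed in the comment above, as an added example that is not bzr's code: in libcurl, CAINFO names the trust anchors used to verify the peer, while ISSUERCERT is an additional check on the peer certificate's issuer and does not replace the trust store. The helper names (`count_pem_certs`, `tls_plan`, `apply_plan`) are hypothetical and the sample bundle is constructed, not a real certificate.

```python
import base64
import re
import ssl

try:
    import pycurl  # optional: only needed to apply the plan to a real handle
except ImportError:
    pycurl = None

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample: PEM framing around placeholder bytes, not a real cert.
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"constructed placeholder bytes").decode()
                 + "\n-----END CERTIFICATE-----\n")


def count_pem_certs(text):
    """Count PEM certificate blocks; ValueError if a block does not decode."""
    blocks = PEM_RE.findall(text)
    for block in blocks:
        ssl.PEM_cert_to_DER_cert(block)
    return len(blocks)


def tls_plan(cabundle_text, cabundle_path, issuer_path=None):
    """Return {pycurl option name: value} for a verified HTTPS transfer."""
    if count_pem_certs(cabundle_text) == 0:
        # An empty bundle means no issuer can ever be "known".
        raise ValueError("CA bundle holds no certificate")
    plan = {
        "CAINFO": cabundle_path,  # trust anchors used to build the chain
        "SSL_VERIFYPEER": 1,      # reject chains that do not reach CAINFO
        "SSL_VERIFYHOST": 2,      # certificate name must match the host
    }
    if issuer_path is not None:
        # Extra check on the peer's direct issuer, on top of CAINFO.
        plan["ISSUERCERT"] = issuer_path
    return plan


def apply_plan(handle, plan):
    """Apply the plan to a pycurl.Curl handle (requires pycurl)."""
    for name, value in plan.items():
        handle.setopt(getattr(pycurl, name), value)
```
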