What does nss mean by "doesn't know" the issuer? bzr provides its own! :-}
It's quite hard to debug without being able to reproduce, but if you want to give it a try here are some hints:
- for tests, pycurl uses special (transport, server) permutations (from get_tests_permutations() in bzrlib/transport/http/_pycurl.py) and adds a specific 'ca.crt' (generated for tests in bzrlib/tests/ssl_certs)
- the https server is defined in bzrlib/tests/https_server.py, all https test servers use a special certificate and key (also from ssl_certs)
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html doesn't seem to match my memory, maybe things have changed since I wrote/maintained the code.
The code uses self.cabundle to set pycurl.CAINFO (originally for windows, later on for tests too). But reading the doc now, I wonder if CURLOPT_ISSUERCERT (aka pycurl.ISSUERCERT) should be used instead for *tests* (I think windows still needs to use CAINFO but I may be wrong).
I think the issue is different enough to file a new bug to continue the discussion.
We may also try to chat on IRC to compare our configs and see if I can reproduce the issue locally.