autoregistration fails when server has a non-trusted cert
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Landscape Client | Fix Released | High | Chad Smith | |
Bug Description
2012-03-06 22:52:04,510 ERROR [PoolThread-
ver at https:/
Traceback (most recent call last):
File "/usr/lib/
curly, data = self._curl(
File "/usr/lib/
headers=
File "/usr/lib/
raise PyCurlError(
PyCurlError: Error 60: server certificate verification failed. CAfile: /etc/ssl/
ates.crt CRLfile: none
root@ubuntu:~# wget -q -O - --no-check-
{"custom_ca_cert": "base64: LS0tLS1CRUdJTiB
Notice when retrieving the custom ca cert from the server it's not trusted (I think that is the point of retrieving it). But, I'm getting redirected through an https (rewrite rule, I'm guessing):
root@ubuntu:~# wget http://
--2012-03-06 23:26:38-- http://
Resolving landscape.local... 107.21.155.73
Connecting to landscape.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https:/
--2012-03-06 23:26:38-- https:/
Resolving ec2-107-
Connecting to ec2-107-
ERROR: cannot verify ec2-107-
Self-signed certificate encountered.
To connect to ec2-107-
Looking at the code in that stack trace, there is no special accommodation to retrieve this certificate while ignoring certificate validation.
I guess either the rewrite rule needs to be modified, or the pycurl attempt needs to have an option set.
Related branches
- Mike Milner (community): Approve
- Alberto Donato (community): Approve
Diff: 114 lines (+30/-6), 4 files modified
landscape/configuration.py (+1/-1)
landscape/lib/fetch.py (+7/-1)
landscape/lib/tests/test_fetch.py (+18/-0)
landscape/tests/test_configuration.py (+4/-4)
Changed in landscape-client: | |
status: | New → In Progress |
assignee: | nobody → Chad Smith (chad.smith) |
Changed in landscape-client: | |
status: | In Progress → Fix Committed |
Changed in landscape-client: | |
status: | Fix Committed → Fix Released |
Thanks DPB for quick triage and assessment of the fix here. Per our IRC discussions, looks like we need to ensure pycurl will ignore invalid CA certs during the cert pull, otherwise we get redirected to https:// and everything falls apart.
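
Because the certificate pull discussed in this report runs with validation disabled, the certificate it returns is unauthenticated until something else vouches for it. The following is an added example, not landscape-client code: it decodes the `custom_ca_cert` response format quoted in the report and accepts the certificate only if its SHA-256 fingerprint matches one obtained out of band. The function names, the pinned-fingerprint parameter and the sample bytes are assumptions.

```python
import base64
import hashlib
import hmac
import json
import ssl

PREFIX = "base64:"  # value prefix seen in the response quoted in the report


def extract_ca_pem(body):
    """Decode the PEM text carried in the custom_ca_cert field."""
    value = json.loads(body)["custom_ca_cert"]
    if not value.startswith(PREFIX):
        raise ValueError("custom_ca_cert is not base64-prefixed")
    raw = base64.b64decode(value[len(PREFIX):].strip(), validate=True)
    return raw.decode("ascii").strip()


def fingerprint(pem):
    """SHA-256 over the DER bytes; raises ValueError if pem lacks PEM markers."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def accept_ca(body, pinned_sha256):
    """Return the PEM only if it matches the out-of-band fingerprint (assumed input)."""
    pem = extract_ca_pem(body)
    expected = pinned_sha256.replace(":", "").lower()
    if not hmac.compare_digest(fingerprint(pem), expected):
        raise ValueError("CA certificate fingerprint mismatch; not trusting it")
    return pem


def constructed_response(der):
    """Build a sample response; der is filler bytes, not a real certificate."""
    pem = ssl.DER_cert_to_PEM_cert(der)
    encoded = base64.b64encode(pem.encode("ascii")).decode("ascii")
    return json.dumps({"custom_ca_cert": PREFIX + " " + encoded})


if __name__ == "__main__":
    body = constructed_response(b"constructed-server-ca")
    pin = hashlib.sha256(b"constructed-server-ca").hexdigest()
    print(accept_ca(body, pin).splitlines()[0])
```

The pin accepts either plain hex or the colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints.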