OK. I'll set this bug to "Confirmed" since it affects multiple users. But we won't be able to move forward on this bug unless we can triage this enough to determine why [in some circumstances] pollinate can't validate what appears to be a perfectly good certificate.
I suppose it could be a 'curl' issue. Perhaps if we can find out the exact 'curl' command pollinate is running, we can narrow it down. From what I understood from the logs, could you please try comparing the output from the following two commands:
It could be useful to get a packet capture from curl and/or pollinate (so we can see the certificates present in the TLS headers), if we have reason to believe they would be different from your OpenSSL output.
The other question to ask is: what images URL are you using, and which subset of images are you working with? (I assumed you were using the default URL and deploying amd64 images.)
I can only reproduce this bug if I edit /etc/pollinate/entropy.ubuntu.com.pem and remove a subset of the trusted certificates.
It looks like the certificate is due to expire *tomorrow*. Which might mean two things:
- A clock skew could cause the certificate not to validate
- If the certificate has been updated, perhaps the trusted CA in /etc/pollinate/entropy.ubuntu.com.pem needs to be updated as well.
OK. I'll set this bug to "Confirmed" since it affects multiple users. But we won't be able to move forward on this bug unless we can triage this enough to determine why [in some circumstances] pollinate can't validate what appears to be a perfectly good certificate.
I suppose it could be a 'curl' issue. Perhaps if we can find out the exact 'curl' command pollinate is running, we can narrow it down. From what I understood from the logs, could you please try comparing the output from the following two commands:
curl -v --cacert /etc/pollinate/ entropy. ubuntu. com.pem \ /entropy. ubuntu. com/
--capath /dev/null https:/
curl --insecure -v --cacert /etc/pollinate/ entropy. ubuntu. com.pem \ /entropy. ubuntu. com/
--capath /dev/null https:/
It could be useful to get a packet capture from curl and/or pollinate (so we can see the certificates present in the TLS headers), if we have reason to believe they would be different from your OpenSSL output.
The other question to ask is: what images URL are you using, and which subset of images are you working with? (I assumed you were using the default URL and deploying amd64 images.)
I can only reproduce this bug if I edit /etc/pollinate/ entropy. ubuntu. com.pem and remove a subset of the trusted certificates.
But here's the other curious part [in my output]:
* Server certificate: ubuntu. com certs.godaddy. com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* subject: OU=Domain Control Validated; CN=entropy.
* start date: 2014-10-14 23:21:25 GMT
* expire date: 2015-10-15 16:10:53 GMT
* subjectAltName: entropy.ubuntu.com matched
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://
* SSL certificate verify ok.
It looks like the certificate is due to expire *tomorrow*. Which might mean two things: entropy. ubuntu. com.pem needs to be updated as well.
- A clock skew could cause the certificate not to validate
- If the certificate has been updated, perhaps the trusted CA in /etc/pollinate/