Comment 13 for bug 1424549

OK. I'll set this bug to "Confirmed" since it affects multiple users. But we won't be able to move forward on this bug unless we can triage this enough to determine why [in some circumstances] pollinate can't validate what appears to be a perfectly good certificate.

I suppose it could be a 'curl' issue. Perhaps if we can find out the exact 'curl' command pollinate is running, we can narrow it down. From what I understood from the logs, could you please try comparing the output from the following two commands:

curl -v --cacert /etc/pollinate/entropy.ubuntu.com.pem \
    --capath /dev/null https://entropy.ubuntu.com/

curl --insecure -v --cacert /etc/pollinate/entropy.ubuntu.com.pem \
    --capath /dev/null https://entropy.ubuntu.com/

It could be useful to get a packet capture from curl and/or pollinate (so we can see the certificates present in the TLS headers), if we have reason to believe they would be different from your OpenSSL output.

The other question to ask is: what images URL are you using, and which subset of images are you working with? (I assumed you were using the default URL and deploying amd64 images.)

I can only reproduce this bug if I edit /etc/pollinate/entropy.ubuntu.com.pem and remove a subset of the trusted certificates.

But here's the other curious part [in my output]:

* Server certificate:
* subject: OU=Domain Control Validated; CN=entropy.ubuntu.com
* start date: 2014-10-14 23:21:25 GMT
* expire date: 2015-10-15 16:10:53 GMT
* subjectAltName: entropy.ubuntu.com matched
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify ok.

It looks like the certificate is due to expire *tomorrow*. Which might mean two things:
 - A clock skew could cause the certificate not to validate
 - If the certificate has been updated, perhaps the trusted CA in /etc/pollinate/entropy.ubuntu.com.pem needs to be updated as well.