Debian/Ubuntu system wide CA certificate file doesn't seem to be used
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-neutronclient |
Expired
|
Wishlist
|
Unassigned |
Bug Description
When a CA certificate is added to the OS bundle on Debian/Ubuntu using 'update-
new system wide cert is not used by python-
If you create a CA certificate and add it to the default locations by copying it to /usr/local/
For example curl:
1) before running update-
$ curl https:/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://
2) after running update-
$ curl https:/
{"versions": [{"status": "CURRENT", "updated": "2012-01-
although pointing directly to the CA file does work:
$ neutron --os-cacert /etc/ssl/
+------
| id | name | external_
+------
| d3790a7b-
+------
after update-
$ neutron router-list
SSL certificate validation has failed: [Errno 1] _ssl.c:509: error:14090086:SSL routines:
Changed in python-neutronclient: | |
assignee: | nobody → Tomohiro Takata (t-takata) |
Is there an official location for a single file version of CA cert? certs/ca- certificates. crt in Ubuntu and /etc/pki/ tls/certs/ ca-bundle. crt in RHEL.
If the location varies across distributions, we (the upstream developer) cannot know which location is good.
AFAIK, it is /etc/ssl/
In the case of "curl", the location of the system-wide cert file is specified when curl debian package is compiled.
How about other openstack CLI command like novaclient?
If they support it, any pointer would be appreciated.
Any suggestions?
The easiest way is to specify OS_CERT environment variables.