Debian/Ubuntu system wide CA certificate file doesn't seem to be used

Bug #1307592 reported by Stuart McLaren
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
python-novaclient | Confirmed | Wishlist | Unassigned |

Bug Description

If you create a CA certificate and add it to the default locations by copying it to /usr/local/share/ca-certificates/ and running 'update-ca-certificates', it should be picked up by anything using openssl.

For example curl:

1) before running update-ca-certificates:

$ curl https://192.0.2.254:13776
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

2) after running update-ca-certificates:

$ curl https://192.0.2.254:13776
{"versions": [{"status": "CURRENT", "updated": "2012-01-04T11:33:21Z", "id": "v1.0", "links": [{"href": "http://192.0.2.254:13776/v1/", "rel": "self"}]}, {"status": "CURRENT", "updated": "2012-11-21T11:33:21Z", "id": "v2.0", "links": [{"href": "http://192.0.2.254:13776/v2/", "rel": "self"}]}]}

Although pointing directly to the CA file does work:

$ nova --os-cacert /etc/ssl/from-heat-ca.crt list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+

After update-ca-certificates has been run, the CA cert is not picked up automatically from the system-wide location:

$ nova list
ERROR (SSLError): [Errno 1] _ssl.c:509: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

melanie witt (melwitt)
Changed in python-novaclient:
importance: Undecided → Wishlist
status: New → Confirmed
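
Added example, not part of the bug report and not python-novaclient's code: a Python sketch of the fallback order the report asks for, where an explicit CA file wins and the system-wide store is used otherwise, with verification always on. The function names are hypothetical; `/etc/ssl/certs/ca-certificates.crt` is the bundle that update-ca-certificates regenerates on Debian/Ubuntu, and `OS_CACERT` is assumed to be the environment counterpart of `--os-cacert`.

```python
import os
import ssl

# Bundle that update-ca-certificates regenerates on Debian/Ubuntu.
DEBIAN_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def resolve_ca_source(explicit=None, environ=None, system_bundle=DEBIAN_BUNDLE):
    """Return (kind, path) naming the trust anchors a client should use.

    Order: explicit option, OS_CACERT environment variable, system bundle,
    then OpenSSL's compiled-in default locations (path is None).
    """
    environ = os.environ if environ is None else environ
    if explicit:
        return ("explicit", explicit)
    if environ.get("OS_CACERT"):
        return ("environment", environ["OS_CACERT"])
    if os.path.isfile(system_bundle):
        return ("system", system_bundle)
    return ("openssl-default", None)


def build_context(explicit=None, environ=None, system_bundle=DEBIAN_BUNDLE):
    """Build a verifying TLS context from the resolved CA source."""
    kind, path = resolve_ca_source(explicit, environ, system_bundle)
    # A missing or unreadable CA file raises here instead of silently
    # falling back: a mistyped path must not weaken or change the trust store.
    # With cafile=None, create_default_context() loads OpenSSL's defaults.
    ctx = ssl.create_default_context(cafile=path)
    # Certificate and hostname verification stay enabled on every branch.
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return kind, ctx


if __name__ == "__main__":
    kind, ctx = build_context()
    # x509_ca counts CA certificates already loaded from a file; a value of
    # 0 after update-ca-certificates suggests the bundle is not being read.
    print(kind, ctx.cert_store_stats())
```

Running the script before and after update-ca-certificates shows which source a client following this order would read and how many CA certificates it loaded.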