
Bug 454129

Summary: CA certificate missing for launchpad, bzr fails
Product: [Fedora] Fedora
Reporter: Gene Czarcinski <gczarcinski>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 9
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-05 19:29:35 UTC

Description Gene Czarcinski 2008-07-05 05:29:01 UTC
Description of problem:

bzr launchpad-login xxxx fails with:

pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA
certificates')

In Fedora 9, the python-pycurl package was added to the packages required for bzr.

If python-pycurl is not installed, bzr works but does not authenticate
launchpad's certificate.  The situation was also true in Fedora 8, but, with no
python-pycurl package, bzr worked.

Rather than using bzr, the situation/problem can be tested with:

python /usr/lib64/python2.5/site-packages/curl/__init__.py

Using https://launchpad.net fails

Using https://www.redhat.com works

When I first reported this to bzr bugs https://bugs.launchpad.net/bugs/245634
another user claimed that the problem was fixed on Debian by installing their
ca-certificates package: 
http://packages.debian.org/unstable/misc/ca-certificates

This tells me that Debian has the right CA cert but Fedora does not.

This is impacting my ability to use bzr since I must identify myself
(launchpad-login) to be able to "push" files up to launchpad.


Version-Release number of selected component (if applicable):
Fedora 9, openssl-0.9.8g-9.fc9

How reproducible:
yes

Comment 1 Gene Czarcinski 2008-07-05 13:51:19 UTC
I believe that I have some proof that the bzr problem with https://launchpad.net
 is a missing CA cert.  First, I installed "curl" to have a nice command line
interface.

1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com
result: html

2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net
result: curl: (60) Peer certificate cannot be authenticated ...
-----------------------------------------------------
get new cacert.pem from http://curl.haxx.se/docs/caextract.html
[curl website]
-----------------------------------------------------
3. run: curl --cacert ./cacert https://www.redhat.com
result: html

4. run: curl --cacert ./cacert https://launchpad.net
result: html ... looking good!
-----------------------------------------------------
This proves something but I am not sure what because if I copy the new
cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works
but launchpad does not.

OK, one more test:  copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's]

run curl --cacert ./ca-bundle.crt https://launchpad.net
result: html

I thought I had it but this now looks like it might be a problem with curl/libcurl.

I am going to open a problem with curl but will leave this one open for a while.

Anything helpful will be appreciated.


Comment 2 Gene Czarcinski 2008-07-05 19:29:35 UTC
This is looking more and more like libcurl so I am going to close this.

The real problem could still be something in openssl but it sure does not look
like it.  More info:
https://bugzilla.redhat.com/show_bug.cgi?id=454151
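
Added example, not part of the original report: one way to test a CA bundle with openssl alone, so that a bundle missing the issuing CA can be told apart from a problem in the client library that reads it. The CA names, the host name site.example and all helper functions are constructed for this demo; nothing is fetched from the network.

```shell
#!/bin/sh
# Constructed demo PKI: every key and certificate is generated locally.

# make_ca DIR NAME: create a self-signed CA certificate DIR/NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA HOST: create server certificate DIR/HOST.pem issued by CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# check_bundle BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE.
# Uses openssl alone, so the answer does not depend on curl or libcurl.
# The "FILE: OK" line is compared because old openssl releases exit 0
# from "verify" even when verification fails.
check_bundle() {
    [ "$(openssl verify -CAfile "$1" "$2" 2>/dev/null)" = "$2: OK" ]
}

# report BUNDLE CERT: print "ok" or "untrusted"
report() {
    if check_bundle "$1" "$2"; then echo ok; else echo untrusted; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old-root && make_ca "$d" new-root &&
    make_leaf "$d" new-root site.example || return 1
    # stale bundle: does not contain the CA that issued the server cert
    cp "$d/old-root.pem" "$d/stale-bundle.crt"
    # fresh bundle: contains both roots
    cat "$d/old-root.pem" "$d/new-root.pem" > "$d/fresh-bundle.crt"
    echo "stale bundle: $(report "$d/stale-bundle.crt" "$d/site.example.pem")"
    echo "fresh bundle: $(report "$d/fresh-bundle.crt" "$d/site.example.pem")"
    rm -rf "$d"
}

demo
```

Against a live server the same question can be asked with `openssl s_client -connect HOST:443 -CAfile BUNDLE` and the "Verify return code" line it prints. If openssl accepts the chain with a given bundle and another client rejects it with the same file, the bundle contents are not the cause.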