Bug 1357906 - repoman does not use system SSL trust store
Summary: repoman does not use system SSL trust store
Keywords:
Status: NEW
Alias: None
Product: Repoman
Classification: Community
Component: Core
Version: 1.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: 1.3
Assignee: Anton Marchukov
QA Contact: Eyal Edri
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-19 14:42 UTC by Anton Marchukov
Modified: 2016-07-19 14:43 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Anton Marchukov 2016-07-19 14:42:06 UTC
Description of problem:

Repoman now uses the requests library for HTTP. This library does not use the system SSL certificate bundle unless this is explicitly configured:

http://docs.python-requests.org/en/master/user/advanced/?highlight=ssl#ssl-cert-verification

Due to this, repoman fails with an SSL verification error when downloading from HTTPS links that use certificates signed by local CAs, even if those CAs are in the system trust store.

As a short fix, it is possible to define (e.g. on EL systems):

export REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

which tells the requests library to use the system SSL bundle. But ideally repoman should do that configuration when it initializes the library.
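
A sketch of the initialization step the report asks for, added here as an example; it is not repoman's code and not part of the original report. The function names and the Debian/Ubuntu bundle path are assumptions; only the EL path and REQUESTS_CA_BUNDLE come from the report.

```python
import os

# Candidate system bundles. The first path is the one given in the report
# (EL systems); the second is an assumption added for Debian/Ubuntu hosts.
SYSTEM_CA_BUNDLES = (
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
    "/etc/ssl/certs/ca-certificates.crt",
)


def resolve_ca_bundle(environ=None, candidates=SYSTEM_CA_BUNDLES,
                      exists=os.path.isfile):
    """Return the CA bundle path to verify against, or None if none is found.

    An explicit REQUESTS_CA_BUNDLE wins, so the workaround from the report
    keeps working as an operator override.
    """
    environ = os.environ if environ is None else environ
    override = environ.get("REQUESTS_CA_BUNDLE")
    if override:
        return override
    for path in candidates:
        if exists(path):
            return path
    return None


def make_session(environ=None):
    """Build a requests.Session that verifies against the system trust store."""
    import requests  # imported lazily so resolve_ca_bundle() works without it

    session = requests.Session()
    bundle = resolve_ca_bundle(environ)
    # With no system bundle, verify stays True (the bundle shipped with
    # requests). It is never set to False: verification is not disabled.
    session.verify = bundle if bundle else True
    return session


if __name__ == "__main__":
    print("CA bundle in use:", resolve_ca_bundle() or "requests default")
```

Every download would then go through the session returned by make_session(), so certificates signed by a local CA in the system store verify without any environment variable being set.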

