Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 454129 - CA certificate missing for launchpad, bzr fails
Summary: CA certificate missing for launchpad, bzr fails
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 9
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-05 05:29 UTC by Gene Czarcinski
Modified: 2008-07-05 19:29 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-05 19:29:35 UTC


Attachments (Terms of Use)

Description Gene Czarcinski 2008-07-05 05:29:01 UTC
Description of problem:

bzr launchpad-login xxxx failes with:

pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA
certificates')

In Fedora 9, the python-pycurl package was added to the required for bzr.

If python-pycurl is not installed, bzr works but does not authenticate
launchpad's certificate.  The situation was also true in Fedora 8, but, with no
python-pycurl package, bzr worked.

Rather than using bzr, the situation/problem can be tested with:

python /usr/lib64/python2.5/site-packages/curl/__init__.py

Using https://launchpad.net fails

Using https://www.redhat.com works

When I first reported this to bzr bugs https://bugs.launchpad.net/bugs/245634
another user claimed that the problem was fixed on debian by installing their
ca-certificates package: 
http://packages.debian.org/unstable/misc/ca-certificates

This tells me that debian has the right CA cert but Fedora does not.

This is impacting my ability to use bsr since I must identify myself
(launchpad-login) to be able to "push" files up to launchpad.


Version-Release number of selected component (if applicable):
Fedora 9, openssl-0.9.8g-9.fc9

How reproducible:
yes

Comment 1 Gene Czarcinski 2008-07-05 13:51:19 UTC
I believe that I have some proof that the bzr problem with https://launchpad.net
 is a missing CA cert.  First, I installed "curl" to have a nice command line
interface.

1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com
result: html

2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net
result: curl: (60) Peer certificate cannot be authenticated ...
-----------------------------------------------------
get new cacert.pem from http://curl.haxx.se/docs/caextract.html
[curl website]
-----------------------------------------------------
3. run: curl --cacert ./cacert https://www.redhat.com
result: html

4. run: curl --cacert ./cacert https://launchpad.net
result: html ... looking good!
-----------------------------------------------------
This proves something but I am not sure what because if I copy the new
cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works
but launchpad does not.

OK, one more test:  copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's]

run curl --cacert ./ca-bundle.crt https://launchpad.net
result: html

I thought I had it but this now looks like it might be a problem with curl/libcurl.

I am going to open a problem with curl but will leave this one open for a while.

Anything helpful will be appreciated.


Comment 2 Gene Czarcinski 2008-07-05 19:29:35 UTC
This is looking more and more like libcurl so I am going to close this.

The real problem could still be something in openssl but it sure does not look
like it.  More info:
https://bugzilla.redhat.com/show_bug.cgi?id=454151


Note You need to log in before you can comment on or make changes to this bug.