Bugs item #2011303, was opened at 2008-07-05 11:17
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2011303&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Gene Czarcinski (geneczarcinski)
Assigned to: Daniel Stenberg (bagder)
Summary: CA certificate "missing" for launchpad, bzr fails

Initial Comment:
System: x86_64, Fedora 9, last updated 7/4/2008

Downstream reports:
https://bugzilla.redhat.com/show_bug.cgi?id=454151
https://bugs.launchpad.net/bugs/245634

The basic problem is that I am trying to do:
   bzr launchpad-login gene-czarc
and it fails with:
curl: (60) Peer certificate cannot be authenticated ...

To check verify certificates, bzr uses pycurl which, in turn, uses libcurl. I have been tracking down through the code (I am not very good at python) as well as assuming that the CA cert was missing.
----------------------------------------------------
Here are the results of my latest testing:

First, I installed "curl" to have a nice command line
interface.

1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com
or run: curl https://www/redhat/com
both results: html

2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net
or run: curl https//launchpad.net
both results: curl: (60) Peer certificate cannot be authenticated ...
-----------------------------------------------------
get new cacert.pem from http://curl.haxx.se/docs/caextract.html
[curl website] ... I was assuming that a cert was missing
-----------------------------------------------------
3. run: curl --cacert ./cacert.pem https://www.redhat.com
result: html

4. run: curl --cacert ./cacert.pem https://launchpad.net
result: html ... looking good!
-----------------------------------------------------
This proves something but I am not sure what because if I copy the new cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works
but launchpad does not.
-------------------------------------------------
OK, one more test: copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's]

run curl --cacert ./ca-bundle.crt https://launchpad.net
result: html

So, this tells me that the CA cert has benn there all along!
-------------------------------------------------------
I have not looked into the libcurl code itself.

However, from the curl.spec in the src.rpm, the configuration looks good:
  --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt

but then there is this:

run: curl-config --ca
result: @CURL_CA_BUNDLE@

Oh, I also tried using an environment setting:

export CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
bzr launchpad-login gene-czarc
fails again.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2011303&group_id=976
Received on 2008-07-05