[bug?] launchpad and pycurl

Andrew Bennetts andrew at canonical.com
Mon Jan 29 08:34:49 GMT 2007

Alexander Belchenko wrote:
> Hash: SHA1
> I just discover that any trunk branch of product registered on Launchpad
> could be retrieved by using URL to launchpad page. I.e.
> bzr branch http://launchpad.net/bzr-config
> But there is problem with pycurl:
> $ bzr branch https://launchpad.net/bzr-config
> bzr: ERROR: pycurl.error: (60, 'SSL certificate problem, verify that the CA cert is OK.
> Details:\nerror:14090086:SSL
>  routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')
> Traceback (most recent call last):
> error: (60, 'SSL certificate problem, verify that the CA cert is OK. Details:\nerror:14090086:SSL
> routines:SSL3_GET_
> SERVER_CERTIFICATE:certificate verify failed')
> What's wrong here? Is this bug in pycurl itself?

There's certainly a bug in bzr here — pycurl thinks there's something wrong with
the SSL certificate of the server, which is a legitimate sort of error for an
SSL client to report, so it shouldn't cause a traceback.  That is, it ought to
produce a human-friendly error explaining what's wrong.  I've filed
https://bugs.launchpad.net/bzr/+bug/82086 about this.

There's arguably a seperate bug in pycurl, which is that the error message in
the exception is hardly helpful.  If you google for "curl 14090086" you quickly
find http://curl.haxx.se/docs/faq.html#4.12 which explains in plain English
what's actually wrong.  You'd think they could use that text to improve the
hopelessly vague "SSL certificate problem, verify that the CA cert is OK"
message.  bzr could check the error code and give a more precise message for
this case to workaround this, though.

In your case, Launchpad's certificate is apparently signed by
http://www.starfieldtech.com/ (just looking at the details my web browser
reports when surfing https://launchpad.net/), so I'd guess the problem for you
is that the curl installation you're using doesn't include their CA cert.  The
FAQ link above links to http://curl.haxx.se/docs/sslcerts.html, which suggests
ways to tell the curl library about more CA certs.


More information about the bazaar mailing list