I can't https with selfsigned cert

Marius Kruger amanic at gmail.com
Thu Mar 8 14:45:02 UTC 2012


hi guys, long time no see, hope all are well.

I'm running bzr.dev and today I realized that I can't connect over
https to our company server with its self-signed cert.
It *does* work with ssl.cert_reqs=none, but then I get 128 lines of
"Not checking SSL certificate for ourserver: 443"
when doing a nestedtree update (using bzr-externals) with 18 branches,
which is a bit annoying.
(128 is not an exaggeration, I did a |grep 443| wc -l)

I can easily enough patch it out, but then I tried installing the
self-signed cert with the following helpful instructions:
http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates

I tried putting the following in bazaar.conf:
ssl.ca_certs=/usr/share/ca-certificates/
or
ssl.ca_certs=/usr/share/ca-certificates/server.crt
where server.crt is the exported .pem certificate, I did try a couple
of formats but it didn't work.

btw. is it possible to set a directory that includes certs, or have a
comma-separated list of files?

This is the error I get:
SSLError: [Errno 1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm not sure if this is still work in progress or a mistake/ignorance
on my part.

full trace:
[14170] 2012-03-08 16:12:53.971 INFO:
See `bzr help ssl.ca_certs` for how to specify trusted CAcertificates.
Pass -Ossl.cert_reqs=none to disable certificate verification entirely.

0.474  Transferred: 0kB (0.0kB/s r:0kB w:0kB)
0.485  Traceback (most recent call last):
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line 930, in exception_to_return_code
    return the_callable(*args, **kwargs)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line 1141, in run_bzr
    ret = run(*run_argv)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line 673, in run_argv_aliases
    return self.run(**all_cmd_args)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line 697, in run
    return self._operation.run_simple(*args, **kwargs)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/cleanup.py", line 136, in run_simple
    self.cleanups, self.func, *args, **kwargs)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/cleanup.py", line 166, in _do_with_cleanups
    result = func(*args, **kwargs)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/builtins.py", line 1216, in run
    possible_transports=possible_transports)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/branch.py", line 185, in open
    possible_transports=possible_transports, _unsupported=_unsupported)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line 689, in open
    _unsupported=_unsupported)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line 718, in open_from_transport
    find_format, transport, redirected)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/__init__.py", line 1718, in do_catching_redirections
    return action(transport)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line 706, in find_format
    probers=probers)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line 1151, in find_format
    return prober.probe_transport(transport)
  File "/home/amanica/.bazaar/plugins/svn/__init__.py", line 283, in probe_transport
    dav_entries = dav_options(transport, url)
  File "/home/amanica/.bazaar/plugins/svn/__init__.py", line 192, in dav_options
    resp = transport._perform(req)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib.py", line 76, in _perform
    response = self._opener.open(request)
  File "/usr/lib/python2.7/urllib2.py", line 394, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 412, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 372, in _call_chain
    result = func(*args)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py", line 924, in https_open
    return self.do_open(HTTPSConnection, request)
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py", line 808, in do_open
    headers)
  File "/usr/lib/python2.7/httplib.py", line 989, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 951, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 811, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 773, in send
    self.connect()
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py", line 473, in connect
    self.connect_to_origin()
  File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py", line 495, in connect_to_origin
    cert_reqs=cert_reqs, ca_certs=ca_certs)
  File "/usr/lib/python2.7/ssl.py", line 372, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 134, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 296, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

0.486  return code 3


--
thanks
✝ Marius
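
Added example, not part of the original post and not bzr's code: the traceback shows `ca_certs` being handed to Python's `ssl.wrap_socket`, which expects one file of concatenated PEM certificates, so this Python 3 sketch classifies a candidate path before it goes into `ssl.ca_certs`. The function names (`diagnose_ca_certs`, `build_samples`) are hypothetical and the sample files are constructed, not real certificates.

```python
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def diagnose_ca_certs(path):
    """Classify a path intended for use as a ca_certs / cafile value."""
    if not os.path.exists(path):
        return "missing"
    if os.path.isdir(path):
        # ca_certs names one file; OpenSSL's directory lookup (capath) is a
        # separate option and needs hash-named entries (c_rehash).
        return "directory"
    with open(path, "rb") as fh:
        data = fh.read()
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # A DER export starts with an ASN.1 SEQUENCE tag (0x30).
        return "der" if data[:1] == b"\x30" else "not-pem"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return "unparseable"
    return "ok:%d" % len(blocks)

def build_samples(root):
    """Write constructed sample files (not real certificates)."""
    samples = {
        "server.der": b"\x30\x82\x01\x0a" + b"\x00" * 16,
        "notes.txt": b"exported from browser\n",
        "broken.pem": b"-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n"
                      b"-----END CERTIFICATE-----\n",
    }
    paths = {}
    for name, content in samples.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(root, "->", diagnose_ca_certs(root))
        for name, p in sorted(build_samples(root).items()):
            print(name, "->", diagnose_ca_certs(p))
```

A result of `ok:N` only means the file loads as a trust store with N PEM blocks; verification can still fail if the loaded certificate is not the one the server presents.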


