I can't https with selfsigned cert
Marius Kruger
amanic at gmail.com
Thu Mar 8 14:45:02 UTC 2012
hi guys, long time no see, hope all are well.
I'm running bzr.dev and today I realized that I can't connect over
https to our company server with its self-signed cert.
It *does* work with ssl.cert_reqs=none, but then I get 128 lines of
"Not checking SSL certificate for ourserver: 443"
when doing a nestedtree update (using bzr-externals) with 18 branches,
which is a bit annoying.
(128 is not an exaggeration, I did a |grep 443| wc -l)
I can easily enough patch it out, but then I tried installing the
self-signed cert with the following helpful instructions:
http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates
I tried putting the following in bazaar.conf:
ssl.ca_certs=/usr/share/ca-certificates/
or
ssl.ca_certs=/usr/share/ca-certificates/server.crt
where server.crt is the exported .pem certificate, I did try a couple
of formats but it didn't work.
btw. is it possible to set a directory that includes certs, or have a
comma-separated list of files?
This is the error I get:
SSLError: [Errno 1] _ssl.c:503: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I'm not sure if this is still work in progress or a mistake/ignorance
on my part.
full trace:
[14170] 2012-03-08 16:12:53.971 INFO:
See `bzr help ssl.ca_certs` for how to specify trusted CAcertificates.
Pass -Ossl.cert_reqs=none to disable certificate verification entirely.
0.474 Transferred: 0kB (0.0kB/s r:0kB w:0kB)
0.485 Traceback (most recent call last):
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line
930, in exception_to_return_code
return the_callable(*args, **kwargs)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line
1141, in run_bzr
ret = run(*run_argv)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line
673, in run_argv_aliases
return self.run(**all_cmd_args)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/commands.py", line 697, in run
return self._operation.run_simple(*args, **kwargs)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/cleanup.py", line
136, in run_simple
self.cleanups, self.func, *args, **kwargs)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/cleanup.py", line
166, in _do_with_cleanups
result = func(*args, **kwargs)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/builtins.py", line
1216, in run
possible_transports=possible_transports)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/branch.py", line 185, in open
possible_transports=possible_transports, _unsupported=_unsupported)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line
689, in open
_unsupported=_unsupported)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line
718, in open_from_transport
find_format, transport, redirected)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/__init__.py",
line 1718, in do_catching_redirections
return action(transport)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line
706, in find_format
probers=probers)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/controldir.py", line
1151, in find_format
return prober.probe_transport(transport)
File "/home/amanica/.bazaar/plugins/svn/__init__.py", line 283, in
probe_transport
dav_entries = dav_options(transport, url)
File "/home/amanica/.bazaar/plugins/svn/__init__.py", line 192, in dav_options
resp = transport._perform(req)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib.py",
line 76, in _perform
response = self._opener.open(request)
File "/usr/lib/python2.7/urllib2.py", line 394, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 412, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 372, in _call_chain
result = func(*args)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py",
line 924, in https_open
return self.do_open(HTTPSConnection, request)
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py",
line 808, in do_open
headers)
File "/usr/lib/python2.7/httplib.py", line 989, in _send_request
self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 951, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 811, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 773, in send
self.connect()
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py",
line 473, in connect
self.connect_to_origin()
File "/stf_fast/prj/bzr/bzr.repo/bzr.dev/bzrlib/transport/http/_urllib2_wrappers.py",
line 495, in connect_to_origin
cert_reqs=cert_reqs, ca_certs=ca_certs)
File "/usr/lib/python2.7/ssl.py", line 372, in wrap_socket
ciphers=ciphers)
File "/usr/lib/python2.7/ssl.py", line 134, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 296, in do_handshake
self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:503: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
0.486 return code 3
--
thanks
✝ Marius
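
The trace shows bzr handing `ca_certs` to Python's `ssl.wrap_socket`, which takes one file of concatenated PEM certificates, not a directory or a binary DER export. The sketch below is an added example, not part of the original message or of bzr: it classifies a candidate path and merges a directory of certificates into a single bundle file. The function names and the placeholder certificate bytes are constructed for illustration.

```python
import base64, os, re, ssl, tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def pem_blocks(data):
    """Return the DER bytes of every PEM CERTIFICATE block found in data."""
    ders = [base64.b64decode("".join(b.split()))
            for b in PEM_BLOCK.findall(data.decode("latin-1"))]
    return [d for d in ders if d[:1] == b"\x30"]  # X.509 DER is an ASN.1 SEQUENCE

def diagnose(path):
    """Classify a path: 'directory', 'pem', 'der' or 'unknown'."""
    if os.path.isdir(path):
        return "directory"      # ca_certs expects a file, not a directory
    with open(path, "rb") as fh:
        data = fh.read()
    if pem_blocks(data):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"

def build_bundle(cert_dir, bundle_path):
    """Write every PEM or DER certificate in cert_dir into one PEM bundle."""
    count = 0
    with open(bundle_path, "w") as out:
        for name in sorted(os.listdir(cert_dir)):
            path = os.path.join(cert_dir, name)
            kind = diagnose(path)
            if kind not in ("pem", "der"):
                continue        # skip subdirectories and non-certificate files
            with open(path, "rb") as fh:
                data = fh.read()
            for der in (pem_blocks(data) if kind == "pem" else [data]):
                out.write(ssl.DER_cert_to_PEM_cert(der))
                count += 1
    return count

def demo():
    """Constructed input: placeholder bytes standing in for real certificates."""
    fake_der = b"\x30\x03\x02\x01\x01"   # tiny ASN.1 SEQUENCE, not a real cert
    src = tempfile.mkdtemp()
    with open(os.path.join(src, "a.der"), "wb") as fh:
        fh.write(fake_der)
    with open(os.path.join(src, "b.pem"), "w") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(fake_der))
    bundle = os.path.join(tempfile.mkdtemp(), "bundle.pem")
    merged = build_bundle(src, bundle)
    return diagnose(src), diagnose(os.path.join(src, "a.der")), merged, diagnose(bundle)

if __name__ == "__main__": print(demo())
```

The resulting bundle path is what a single-file `ca_certs` setting can point at, which keeps certificate verification enabled instead of falling back to `ssl.cert_reqs=none`.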