I can't https with selfsigned cert

Martin Packman martin.packman at canonical.com
Fri Mar 9 00:10:45 UTC 2012


On 08/03/2012, Marius Kruger <amanic at gmail.com> wrote:
> hi guys, long time no see, hope all are well.

Hey Marius!

> I'm running bzr.dev and today I realized that I can't connect over
> https to our company server with its self-signed cert.
> It *does* work with ssl.cert_reqs=none, but then I get 128 lines of
> "Not checking SSL certificate for ourserver: 443"
> when doing a nestedtree update (using bzr-externals) with 18 branches,
> which is a bit annoying.
> (128 is not an exaggeration, I did a |grep 443| wc -l)

Thanks for the detailed feedback here, the cert things landed a little
late so I was hoping we'd get some self-signed certificate testing on
one of the last betas, but tidying up the remaining parts is on the
2.5.1 list.

The 'ssl.cert_reqs=none' workaround *should* be the right thing as a
stopgap; the kipple is unfortunate. From what I've seen here, it seems
to be more than once per transport connection, so probably indicates
we're doing too much work of some other kind. That would be good to
look into, but skipping the cert logic entirely rather than just
changing the parameter as the code does presently might be a way
forward.

> I tried putting the following in bazaar.conf:
> ssl.ca_certs=/usr/share/ca-certificates/
> or
> ssl.ca_certs=/usr/share/ca-certificates/server.crt
> where server.crt is the exported .pem certificate, I did try a couple
> of formats but it didn't work.

Can you try `curl --cacert FILE URL` and see which ones work and which don't?

> btw. is it possible to set a directory that includes certs, or have a
> comma-separated list of files?

Not currently, but that might be useful.

Martin
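An added example, not code from this thread or from bzr, that reproduces the checks discussed above offline: a constructed self-signed certificate stands in for ourserver's, and the script shows whether an exported .crt is PEM or DER, the same trust decision `curl --cacert FILE URL` makes (done with openssl, so no server is needed), and why a bare directory of certificates is not usable as a CA path. It assumes `openssl` is on PATH; the paths under `$WORK` are throwaway.

```shell
#!/bin/sh
# Generates a throwaway self-signed cert (stand-in for "ourserver"'s) so the
# checks run offline, then shows: whether a cert file is PEM or DER, verifying
# against a CA file as `curl --cacert FILE URL` would, and why a plain
# directory of .crt files is not usable as a CA path until it is rehashed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate for CN=ourserver; prints its path.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ourserver" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    echo "$WORK/server.crt"
}

# Prints "pem" or "der". The Python ssl module that bzr's ssl.ca_certs feeds
# only reads PEM, so a DER export (what many "export certificate" dialogs
# produce) is the first thing to rule out.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}

# Convert a DER export to the PEM form that ssl.ca_certs expects.
der_to_pem() {
    openssl x509 -inform der -in "$1" -outform pem -out "$2"
}

# Prints "ok"/"fail": is CERT ($1) trusted given CA file $2? Same trust
# decision as `curl --cacert $2 https://ourserver/`, minus the network.
verify_with_cafile() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Same check against a directory ($2). OpenSSL finds CA certs in a directory
# by hashed name (<subject-hash>.0), so a bare server.crt in there is ignored.
verify_with_capath() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Make cert $2 findable by -CApath in directory $1 (what c_rehash does).
rehash_cert() {
    cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}
```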
