[Bug 1307598] [NEW] Debian/Ubuntu system wide CA certificate file doesn't seem to be used
Launchpad Bug Tracker
1307598 at bugs.launchpad.net
Tue Apr 15 01:22:37 UTC 2014
You have been subscribed to a public bug:
If you create a CA certificate and add it to the default locations by
copying it to /usr/local/share/ca-certificates/ and running
'update-ca-certificates' it should be picked up by anything using openssl.
For example curl:
1) before running update-ca-certificates:
$ curl https://192.0.2.254:13776
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
2) after running update-ca-certificates:
$ curl https://192.0.2.254:13776
{"versions": [{"status": "CURRENT", "updated": "2012-01-04T11:33:21Z", "id": "v1.0", "links": [{"href": "http://192.0.2.254:13776/v1/", "rel": "self"}]}, {"status": "CURRENT", "updated": "2012-11-21T11:33:21Z", "id": "v2.0", "links": [{"href": "http://192.0.2.254:13776/v2/", "rel": "self"}]}]}
although pointing directly to the CA file does work:
$ keystone --os-cacert /etc/ssl/from-heat-ca.crt service-list
+----------------------------------+----------+---------------+------------------------------+
| id | name | type | description |
+----------------------------------+----------+---------------+------------------------------+
| e59679b3694449c6bc410d7321df48d6 | cinder | volume | Cinder Volume Service |
| 8cb17b90b58440b9acb3be1716fc9c57 | ec2 | ec2 | EC2 Compatibility Layer |
| d38888f8790c469cb007535e4d22d6eb | glance | image | Glance Image Service |
| 70d1c596bc824397a440a61cf33e4bd4 | heat | orchestration | Heat Service |
| 917470532d5d4d9b815bd19b882cc58a | keystone | identity | Keystone Identity Service |
| a748d35bacbf4ed2a0a607ad52739e4e | neutron | network | Neutron Service |
| 2a5905f1de5c4cd1a561ae7fdea0e1ae | nova | computev3 | Nova Compute Service v3 |
| 77c83d2c395a4924bef10c2e5c13cd74 | nova | compute | Nova Compute Service |
| dd8e1561cccc47a0b134616d4f4efd1d | swift | object-store | Swift Object Storage Service |
+----------------------------------+----------+---------------+------------------------------+
After update-ca-certificates has been run, the CA cert is not picked up automatically from the system-wide location:
$ keystone service-list
Authorization Failed: SSL exception connecting to https://192.0.2.254:13000/v2.0/tokens
** Affects: python-keystoneclient (Ubuntu)
Importance: Undecided
Status: New
--
Debian/Ubuntu system wide CA certificate file doesn't seem to be used
https://bugs.launchpad.net/bugs/1307598
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-keystoneclient in Ubuntu.
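
An added diagnostic, not part of the bug report or of python-keystoneclient: it fingerprints the certificates in a CA file and reports whether each CA bundle a Python client might load contains them. The list of candidate bundles and the `sample_pem` helper are assumptions of this example; the report does not say which file keystone reads.

```python
import base64, hashlib, os, re, ssl, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate block found in pem_text."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def ca_in_bundle(ca_pem, bundle_pem):
    """True if ca_pem holds at least one certificate and all are in bundle_pem."""
    wanted, have = pem_fingerprints(ca_pem), set(pem_fingerprints(bundle_pem))
    return bool(wanted) and all(fp in have for fp in wanted)

def candidate_bundles():
    """CA files a Python client on this host might load (None = not present)."""
    found = {
        # Written by update-ca-certificates on Debian/Ubuntu.
        "system bundle": "/etc/ssl/certs/ca-certificates.crt",
        "openssl default cafile": ssl.get_default_verify_paths().cafile,
    }
    try:  # Assumption: the client's HTTP library may ship its own bundle.
        import requests.certs
        found["requests bundle"] = requests.certs.where()
    except ImportError:
        found["requests bundle"] = None
    return found

def sample_pem(der):
    """Wrap bytes in PEM armour. Constructed sample data, not a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. /etc/ssl/from-heat-ca.crt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            ca = fh.read()
        for name, path in candidate_bundles().items():
            if path and os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    print(name, path, "contains CA:", ca_in_bundle(ca, fh.read()))
            else:
                print(name, "not present")
    else:                                       # offline demo on constructed data
        local_ca = sample_pem(b"constructed local CA")
        public = sample_pem(b"constructed public CA")
        print("system-style bundle:", ca_in_bundle(local_ca, public + local_ca))
        print("vendored-style bundle:", ca_in_bundle(local_ca, public))
```

A bundle that reports `False` for the local CA will reject the server certificate for any client that loads it, regardless of what update-ca-certificates installed.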