#750 CA certificate "missing" for launchpad, bzr fails

Status: closed
Group: libcurl (356)
Priority: 5
Updated: 2013-06-21
Created: 2008-07-05
Private: No

System: x86_64, Fedora 9, last updated 7/4/2008

Downstream reports:
https://bugzilla.redhat.com/show_bug.cgi?id=454151
https://bugs.launchpad.net/bugs/245634

The basic problem is that I am trying to do:
bzr launchpad-login gene-czarc
and it fails with:
curl: (60) Peer certificate cannot be authenticated ...

To verify certificates, bzr uses pycurl, which in turn uses libcurl. I have been tracking down through the code (I am not very good at python) as well as assuming that the CA cert was missing.
----------------------------------------------------
Here are the results of my latest testing:

First, I installed "curl" to have a nice command line
interface.

1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com
or run: curl https://www.redhat.com
both results: html

2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net
or run: curl https://launchpad.net
both results: curl: (60) Peer certificate cannot be authenticated ...
-----------------------------------------------------
get new cacert.pem from http://curl.haxx.se/docs/caextract.html
[curl website] ... I was assuming that a cert was missing
-----------------------------------------------------
3. run: curl --cacert ./cacert.pem https://www.redhat.com
result: html

4. run: curl --cacert ./cacert.pem https://launchpad.net
result: html ... looking good!
-----------------------------------------------------
This proves something but I am not sure what because if I copy the new cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works
but launchpad does not.
-------------------------------------------------
OK, one more test: copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's]

run curl --cacert ./ca-bundle.crt https://launchpad.net
result: html

So, this tells me that the CA cert has been there all along!
-------------------------------------------------------
I have not looked into the libcurl code itself.

However, from the curl.spec in the src.rpm, the configuration looks good:
--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt

but then there is this:

run: curl-config --ca
result: @CURL_CA_BUNDLE@

Oh, I also tried using an environment setting:

export CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
bzr launchpad-login gene-czarc
fails again.
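The test matrix in this report (the system bundle, a copy of the same file in the working directory, and the downloaded cacert.pem, each with and without -v) is easy to misread when run by hand. The following shell script is an added example, not from the original report or from the curl project: it runs the same probes, counts the PEM blocks in each bundle so an empty file is not confused with a bundle NSS cannot load, and classifies each outcome from curl's exit status and verbose stderr using the strings that appear in this report's output. It also checks `curl-config --ca` for an unsubstituted `@CURL_CA_BUNDLE@` placeholder. The URL, the bundle paths and the diagnosis keywords are assumptions taken from this report. One caveat for the `export CURL_CA_BUNDLE` test above: that variable is read by the curl command-line tool only, not by libcurl, so exporting it cannot change what pycurl (and therefore bzr) does; a libcurl user has to set CURLOPT_CAINFO itself.

```shell
#!/bin/sh
# Added example (not from the report or the curl project): reproduce the
# --cacert test matrix from this report and classify each probe.
# Assumed inputs: URL https://launchpad.net, the Fedora bundle path and the
# two local copies (./ca-bundle.crt, ./cacert.pem) named in the report.

SYSTEM_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# True when a curl-config value is still an autoconf placeholder (@NAME@),
# i.e. the build never substituted the configured CA bundle path.
is_unsubstituted() {
    case "$1" in
        @*@) return 0 ;;
        *)   return 1 ;;
    esac
}

# Number of PEM certificate blocks in a bundle; 0 for a missing or unreadable
# file, so "empty bundle" can be told apart from "bundle has the CA but the
# TLS backend could not load it".
pem_cert_count() {
    n=0
    if [ -r "$1" ]; then
        n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1") || true
    fi
    echo "${n:-0}"
}

# Map curl's exit status and verbose stderr to a one-word diagnosis.
# The strings matched are the ones seen in this report's -v output.
classify_probe() {
    rc=$1
    verbose=$2
    case "$verbose" in
        *libnsspem*)
            # NSS without the nss-pem module cannot read an OpenSSL PEM bundle
            echo nss-pem-missing ;;
        *"NSS error"*|*"Bad certificate"*)
            echo verify-failed ;;
        *"SSL connection using"*)
            echo verified ;;
        *)
            # No verbose output: fall back to the exit code
            # (60 = CURLE_SSL_CACERT, "peer certificate cannot be authenticated").
            if [ "$rc" -eq 0 ]; then echo ok-silent
            elif [ "$rc" -eq 60 ]; then echo verify-failed
            else echo "curl-rc-$rc"; fi ;;
    esac
}

# Run one probe (bundle file, "-v" or "", URL) and print a table row.
probe() {
    bundle=$1; flag=$2; url=$3
    errfile=$(mktemp)
    curl -sS $flag --cacert "$bundle" -o /dev/null "$url" 2>"$errfile"
    rc=$?
    diag=$(classify_probe "$rc" "$(cat "$errfile")")
    rm -f "$errfile"
    printf '%-36s %-3s certs=%-4s rc=%-3s %s\n' \
        "$bundle" "${flag:--}" "$(pem_cert_count "$bundle")" "$rc" "$diag"
}

main() {
    url=${1:-https://launchpad.net}

    echo "== build / configuration =="
    curl --version | head -n 1
    ca=$(curl-config --ca 2>/dev/null || echo '(curl-config not found)')
    if is_unsubstituted "$ca"; then
        echo "curl-config --ca = $ca  <- placeholder never substituted at build time"
    else
        echo "curl-config --ca = $ca"
    fi
    # CURL_CA_BUNDLE is honoured by the curl tool only; libcurl users such as
    # pycurl must pass CURLOPT_CAINFO themselves.
    echo "CURL_CA_BUNDLE=${CURL_CA_BUNDLE:-<unset>} (affects the curl tool only)"

    echo "== probes against $url =="
    for bundle in "$SYSTEM_BUNDLE" ./ca-bundle.crt ./cacert.pem; do
        [ -r "$bundle" ] || { echo "$bundle: not present, skipped"; continue; }
        probe "$bundle" ""   "$url"
        probe "$bundle" "-v" "$url"
    done
}

# Only run the network probes when a URL is given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh curl_ca_diag.sh https://launchpad.net` from the directory holding the copied bundles; a row that flips from `ok-silent` to `verify-failed` between the `-` and `-v` columns for the same bundle is exactly the -v-dependent behaviour this report describes, and a `certs=0` row means the bundle itself is the problem rather than the backend.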

Discussion

  • Gene Czarcinski

    Gene Czarcinski - 2008-07-05


    I am slowly finding my way through the code ... currently going through nss.c code. Here is more info:
    -------------------------------------------------------------------------------------
    $ curl -v https://launchpad.net >xxx
    * About to connect() to launchpad.net port 443 (#0)
    * Trying 91.189.90.211... connected
    * Connected to launchpad.net (91.189.90.211) port 443 (#0)
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * Bad certificate received. Subject = 'CN=launchpad.net,OU=Domain Control Validated,O=launchpad.net', Issuer = 'E=practices@starfieldtech.com,CN=Starfield Secure Certification Authority,OU=http://www.starfieldtech.com/repository,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US'
    * NSS error -8179
    * Closing connection #0
    * Peer certificate cannot be authenticated with known CA certificates

    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://curl.haxx.se/docs/sslcerts.html
    ----------------------------------------------------------------------------------
    $ curl -v --cacert ./cacert.pem https://launchpad.net >xxx
    * About to connect() to launchpad.net port 443 (#0)
    * Trying 91.189.90.211... connected
    * Connected to launchpad.net (91.189.90.211) port 443 (#0)
    * CAfile: ./cacert.pem
    CApath: none
    * SSL connection using SSL_RSA_WITH_RC4_128_MD5
    * Server certificate:
    * subject: CN=launchpad.net,OU=Domain Control Validated,O=launchpad.net
    * start date: Jul 25 18:24:13 2006 GMT
    * expire date: Jul 25 18:24:13 2009 GMT
    * common name: launchpad.net
    * issuer: E=practices@starfieldtech.com,CN=Starfield Secure Certification Authority,OU=http://www.starfieldtech.com/repository,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
    > GET / HTTP/1.1
    > User-Agent: curl/7.18.2 (x86_64-redhat-linux-gnu) libcurl/7.18.2 NSS/3.12.0.3 zlib/1.2.3 libidn/0.6.14
    > Host: launchpad.net
    > Accept: */*
    >
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0< HTTP/1.1 200 Ok
    < Date: Sat, 05 Jul 2008 19:16:04 GMT
    < Server: zope.server.http (HTTP)
    < X-Powered-By: Zope (www.zope.org), Python (www.python.org)
    < Content-Length: 13706
    < Content-Type: text/html;charset=utf-8
    < Set-Cookie: lp=xM8TSYrdXV7lowuySbHm8pZ1v7sDT7OMEpZmqyuhAoegv5wShHKVco; Domain=.launchpad.net; expires=Sun, 05 Jul 2009 19:16:04 GMT; Path=/; secure;
    < Via: 1.1 launchpad.net
    < Vary: Accept-Encoding
    <
    { [data not shown]
    100 13706 100 13706 0 0 8079 0 0:00:01 0:00:01 --:--:-- 38392* Connection #0 to host launchpad.net left intact

    * Closing connection #0

     
  • Gene Czarcinski

    Gene Czarcinski - 2008-07-05


    This sure looks like there is an uninitialized variable somewhere.

    Note that the only thing between success and failure is running "-v" verbose.
    ---------------------------------------------------------------------
    [gc@falcon test]$ curl --cacert ./cacert.pem https://launchpad.net >xxx
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 13706 100 13706 0 0 10244 0 0:00:01 0:00:01 --:--:-- 69573
    [gc@falcon test]$ curl --cacert ./ca-bundle.crt https://launchpad.net >xxx
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 13706 100 13706 0 0 5859 0 0:00:02 0:00:02 --:--:-- 13665
    [gc@falcon test]$ curl --cacert ./ca-bundle.crt https://launchpad.net >xxx
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 13706 100 13706 0 0 11259 0 0:00:01 0:00:01 --:--:-- 69573
    [gc@falcon test]$ curl --cacert ./ca-bundle.crt https://launchpad.net >xxx
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 13706 100 13706 0 0 13799 0 --:--:-- --:--:-- --:--:-- 69222
    -----------------------------------------------------------------------------------
    [gc@falcon test]$ curl -v --cacert ./ca-bundle.crt https://launchpad.net >xxx
    * About to connect() to launchpad.net port 443 (#0)
    * Trying 91.189.90.211... connected
    * Connected to launchpad.net (91.189.90.211) port 443 (#0)
    * CAfile: ./ca-bundle.crt
    CApath: none
    * Bad certificate received. Subject = 'CN=launchpad.net,OU=Domain Control Validated,O=launchpad.net', Issuer = 'E=practices@starfieldtech.com,CN=Starfield Secure Certification Authority,OU=http://www.starfieldtech.com/repository,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US'
    * NSS error -8179
    * Closing connection #0
    * Peer certificate cannot be authenticated with known CA certificates

    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://curl.haxx.se/docs/sslcerts.html

     
  • Daniel Stenberg

    Daniel Stenberg - 2008-07-07


    I'm not sure I'm following you, there are a lot of pieces flying around here!

    First off, the libcurl in Fedora is built against an NSS version that is Fedora-patched. It would be interesting to know if you see this problem with libcurl that is built with other SSL/TLS libs than NSS or how it behaves with a release-version of NSS.

    Assuming we find a non-Fedora version that triggers this error (simply because I don't have access to any machines running Fedora 9), what ca-cert bundle do you use for it and are you saying that the bug only occurs if you use -v/--verbose with it? Does it behave the same against all SSL sites or only particular ones?

     
  • Gene Czarcinski

    Gene Czarcinski - 2008-07-09


    Yes, a lot of stuff is flying around. If you look closely, I have gotten it to work with Fedora's ca-bundle.crt ... just not when it is in its installed location. I have also run tests (which failed) where I replaced Fedora's ca-bundle.crt with the cacert.pem file I downloaded from the curl/libcurl website.

    My latest test involved running wireshark to capture the packets for a works and does-not-work run. I saved (exported as text file) the certificate packets which I am attaching. I am really not very knowledgeable at the packet level but they look the same except for some stuff at the beginning of the packet (which I would expect to be different).

    If I can run any test, etc. to shed some light on this, please ask.

    For curl works I ran: curl --cacert ./ca-bundle.crt https://launchpad.net >xxx

    For curl notworks I ran: curl -v --cacert ./ca-bundle.crt https://launchpad.net >xxx
    File Added: curl-works-packet

     
  • Gene Czarcinski

    Gene Czarcinski - 2008-07-09

    Packet where curl works.

     
  • Gene Czarcinski

    Gene Czarcinski - 2008-07-09


    File Added: curl-notworks-packet

     
  • Gene Czarcinski

    Gene Czarcinski - 2008-07-09

    Packet where curl does not work (bad certificate).

     
  • Daniel Stenberg

    Daniel Stenberg - 2008-07-09


    Well, let me again mention that you are using Fedora and thus not a "normal" NSS version. I cannot repeat your failures at all, for me curl can't use that cacert:

    [build curl to use NSS 3.12.0.2 on Debian Unstable]
    $ make ca-bundle
    $ ./src/curl --cacert lib/ca-bundle.crt https://launchpad.net

    This fails. Adding -v also makes it fail.

    When I use -v I get a hint on why this doesn't work for me:

    * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.

    All references I find with Google say that lib is Fedora-only.

     
  • Daniel Stenberg

    Daniel Stenberg - 2008-07-14
    • status: open --> pending
     
  • SourceForge Robot

    • status: pending --> closed
     
  • SourceForge Robot


    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
