Replace pip-installed requests CA bundle with link
If the version of python-requests required is higher than
that provided by the operating system, pip will install
it from upstream.
The upstream version provides its own CA certificate bundle
based on the Mozilla bundle, and defaults to that in case
a CA certificate file is not specified for a request.
The distribution-specific packages point to the system-wide
CA bundle that can be managed by tools such as
update-ca-trust (Fedora/RHEL) and update-ca-certificates
(Debian/Ubuntu).
When installing in SSL/TLS mode, either with SSL=True or by
adding tls-proxy to ENABLED_SERVICES, if a non-systemwide
CA bundle is used, then the CA generated by devstack will
not be used causing the installation to fail.
Replace the upstream-provided bundle with a link to the
system bundle when possible.
Change-Id: I651aec93398d583dcdc8323503792df7ca05a7e7
Closes-Bug: #1459789
Rob Crittenden authored on 2015/06/11 00:00:59Showing 1 changed files
| ... | ... |
@@ -202,6 +202,7 @@ subjectAltName = \$ENV::SUBJECT_ALT_NAME |
| 202 | 202 |
# Create root and intermediate CAs |
| 203 | 203 |
# init_CA |
| 204 | 204 |
function init_CA {
|
| 205 |
+ fix_system_ca_bundle_path |
|
| 205 | 206 |
# Ensure CAs are built |
| 206 | 207 |
make_root_CA $ROOT_CA_DIR |
| 207 | 208 |
make_int_CA $INT_CA_DIR $ROOT_CA_DIR |
| ... | ... |
@@ -338,6 +339,29 @@ function make_root_CA {
|
| 338 | 338 |
-outform PEM |
| 339 | 339 |
} |
| 340 | 340 |
|
| 341 |
+# If a non-system python-requests is installed then it will use the |
|
| 342 |
+# built-in CA certificate store rather than the distro-specific |
|
| 343 |
+# CA certificate store. Detect this and symlink to the correct |
|
| 344 |
+# one. If the value for the CA is not rooted in /etc then we know |
|
| 345 |
+# we need to change it. |
|
| 346 |
+function fix_system_ca_bundle_path {
|
|
| 347 |
+ if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
| 348 |
+ local capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass') |
|
| 349 |
+ |
|
| 350 |
+ if [[ ! $capath == "" && ! $capath =~ ^/etc/.* && ! -L $capath ]]; then |
|
| 351 |
+ if is_fedora; then |
|
| 352 |
+ sudo rm -f $capath |
|
| 353 |
+ sudo ln -s /etc/pki/tls/certs/ca-bundle.crt $capath |
|
| 354 |
+ elif is_ubuntu; then |
|
| 355 |
+ sudo rm -f $capath |
|
| 356 |
+ sudo ln -s /etc/ssl/certs/ca-certificates.crt $capath |
|
| 357 |
+ else |
|
| 358 |
+ echo "Don't know how to set the CA bundle, expect the install to fail." |
|
| 359 |
+ fi |
|
| 360 |
+ fi |
|
| 361 |
+ fi |
|
| 362 |
+} |
|
| 363 |
+ |
|
| 341 | 364 |
|
| 342 | 365 |
# Certificate Input Configuration |
| 343 | 366 |
# =============================== |