@@ -202,6 +202,7 @@ subjectAltName = \$ENV::SUBJECT_ALT_NAME
202
202
# Create root and intermediate CAs
203
203
# init_CA
204
204
function init_CA {
205
+ fix_system_ca_bundle_path
205
206
# Ensure CAs are built
206
207
make_root_CA $ROOT_CA_DIR
207
208
make_int_CA $INT_CA_DIR $ROOT_CA_DIR
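Review bot: `fix_system_ca_bundle_path`, which this line calls, runs `sudo rm -f $capath` and `sudo ln -s … $capath` (second hunk, new lines 352–356) on a path taken from `python -c` output without quoting it, so a value containing whitespace or glob characters is word-split before a privileged delete. The guard on new line 350 excludes only empty values, `/etc/` prefixes and existing symlinks, not a directory or a missing file, so those still reach the `rm`/`ln` pair. Suggested guard and first branch: `if [[ -n $capath && ! $capath =~ ^/etc/ && -f $capath && ! -L $capath ]]; then`, `sudo rm -f -- "$capath"`, `sudo ln -s /etc/pki/tls/certs/ca-bundle.crt "$capath"` (mirror this in the Ubuntu branch). Separately, `local capath=$(…)` hides python's exit status and the `print certs.where()` statement form is Python 2 only, so if `python` resolves to a Python 3 interpreter the function presumably gets a SyntaxError on stderr and silently does nothing; `print(certs.where())` parses on both, or at least a `# NOTE: the -c body is Python 2 syntax` comment would make the assumption explicit.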
@@ -338,6 +339,29 @@ function make_root_CA {
338
338
-outform PEM
339
339
}
340
340
341
+# If a non-system python-requests is installed then it will use the
342
+# built-in CA certificate store rather than the distro-specific
343
+# CA certificate store. Detect this and symlink to the correct
344
+# one. If the value for the CA is not rooted in /etc then we know
345
+# we need to change it.
346
+function fix_system_ca_bundle_path {
347
+ if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
348
+ local capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
349
+
350
+ if [[ ! $capath == "" && ! $capath =~ ^/etc/.* && ! -L $capath ]]; then
351
+ if is_fedora; then
352
+ sudo rm -f $capath
353
+ sudo ln -s /etc/pki/tls/certs/ca-bundle.crt $capath
354
+ elif is_ubuntu; then
355
+ sudo rm -f $capath
356
+ sudo ln -s /etc/ssl/certs/ca-certificates.crt $capath
357
+ else
358
+ echo "Don't know how to set the CA bundle, expect the install to fail."
359
+ fi
360
+ fi
361
+ fi
362
+}
363
+
341
364
342
365
# Certificate Input Configuration
343
366
# ===============================