Merge "Replace pip-installed requests CA bundle with link"

2015-07-09 00:05:01 +00:00 · 2015-07-09 00:05:01 +00:00 · 29ed14af15
commit 29ed14af15
parent 09659eb298 1987fcc8a3
1 changed files with 24 additions and 0 deletions
--- a/lib/tls
+++ b/lib/tls
@ -202,6 +202,7 @@ subjectAltName          = \$ENV::SUBJECT_ALT_NAME
 # Create root and intermediate CAs
 # init_CA
 function init_CA {
+    fix_system_ca_bundle_path
    # Ensure CAs are built
    make_root_CA $ROOT_CA_DIR
    make_int_CA $INT_CA_DIR $ROOT_CA_DIR
@ -338,6 +339,29 @@ function make_root_CA {
        -outform PEM
 }

+# If a non-system python-requests is installed then it will use the
+# built-in CA certificate store rather than the distro-specific
+# CA certificate store. Detect this and symlink to the correct
+# one. If the value for the CA is not rooted in /etc then we know
+# we need to change it.
+function fix_system_ca_bundle_path {
+    if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+        local capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
+
+        if [[ ! $capath == "" && ! $capath =~ ^/etc/.* && ! -L $capath ]]; then
+            if is_fedora; then
+                sudo rm -f $capath
+                sudo ln -s /etc/pki/tls/certs/ca-bundle.crt $capath
+            elif is_ubuntu; then
+                sudo rm -f $capath
+                sudo ln -s /etc/ssl/certs/ca-certificates.crt $capath
+            else
+                echo "Don't know how to set the CA bundle, expect the install to fail."
+            fi
+        fi
+    fi
+}
+

 # Certificate Input Configuration
 # ===============================