GNOME Bugzilla – Bug 796780
shell.py: when wget checks certificates it doesn't use the system library for them
Last modified: 2018-11-03 10:24:01 UTC
In the latest Ubuntu 18.04 LTS Cerbero fails to build gstreamer-1.0, since wget checks the certificates, but in the build environment the ones hosted in the building systems are not reachable. The error is like:
[(65/80) spandsp -> fetch ]
-----> Fetching tarball http://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz to /vol2/tdprime/cerbero/build/sources/local/spandsp-0.0.6/spandsp-0.0.6.tar.gz
Downloading http://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz
Running command 'wget http://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz -O /vol2/tdprime/cerbero/build/sources/local/spandsp-0.0.6/spandsp-0.0.6.tar.gz '
URL transformed to HTTPS due to an HSTS policy
--2018-05-18 23:12:50-- https://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz
Resolving www.soft-switch.org (www.soft-switch.org)... 209.105.235.30
Connecting to www.soft-switch.org (www.soft-switch.org)|209.105.235.30|:443... connected.
ERROR: cannot verify www.soft-switch.org's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
Unable to locally verify the issuer's authority.
To connect to www.soft-switch.org insecurely, use `--no-check-certificate'.
Several packages seem affected, and not downloadable.
Created attachment 372991
Fix to look for the building system CA directory, and use it with the corresponding wget parameter.
Review of attachment 372991:
The commit message needs to be reworked. The first line should be no more than 80 characters and should describe what it is fixing instead of describing the bug.
::: cerbero/utils/shell.py @@ +240,3 @@ + else: + if os.path.exists("/usr/lib/ssl/certs"): + cmd += " --ca-directory=/usr/lib/ssl/certs"
That's a Debianism, this fix won't work notably on Fedora.
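Review bot: In cerbero/utils/shell.py the os.path.exists("/usr/lib/ssl/certs") test accepts any filesystem entry at that single hardcoded path, and when the path is absent the command runs without --ca-directory and without any message, so the same certificate error comes back unexplained. Consider resolving the directory from a list of candidates, testing it with os.path.isdir, and logging which directory was chosen or that none was found. Appending to cmd by string concatenation is safe for this literal, but a path discovered at run time should be quoted before it is added.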
You are right... Would it be better to look into a list of paths, e.g.:
"/etc/ssl/certs", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs", // Fedora/RHEL 6
"/etc/ssl", // OpenSUSE
"/etc/pki/tls", // OpenELEC
"/etc/pki/ca-trust/extracted/pem", // CentOS/RHEL 7
"/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
"/system/etc/security/cacerts", // Android
"/usr/local/share/certs", // FreeBSD
"/etc/pki/tls/certs", // Fedora/RHEL
"/etc/openssl/certs", // NetBSD
"/private/etc/ssl/certs", // macOS
or use 'openssl version -d' to retrieve OPENSSLDIR, and append /certs to it?
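The two lookup strategies proposed in the comment above, combined into one sketch. This is an added example, not code from the attachment or from cerbero. All function names are hypothetical. It assumes a directory is only usable with wget's --ca-directory if it holds OpenSSL hash-named files, and it never disables certificate verification.

```python
import os
import re
import subprocess

# Candidate directories from the list in the comment above, duplicates dropped.
CANDIDATE_CA_DIRS = [
    "/etc/ssl/certs", "/etc/pki/tls/certs", "/etc/ssl", "/etc/pki/tls",
    "/etc/pki/ca-trust/extracted/pem", "/system/etc/security/cacerts",
    "/usr/local/share/certs", "/etc/openssl/certs", "/private/etc/ssl/certs",
]
# Assumption: OpenSSL's hashed-directory layout names CA files <8 hex>.<n>.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

def parse_openssldir(output):
    """Return the path from `openssl version -d` output, or None."""
    match = re.search(r'OPENSSLDIR:\s*"([^"]+)"', output)
    return match.group(1) if match else None

def openssl_certs_dir():
    """Ask the local openssl binary for OPENSSLDIR and append /certs."""
    try:
        out = subprocess.check_output(["openssl", "version", "-d"],
                                      universal_newlines=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    base = parse_openssldir(out)
    return os.path.join(base, "certs") if base else None

def is_hashed_ca_dir(path):
    """True only for a directory holding at least one hash-named entry."""
    if not os.path.isdir(path):
        return False
    return any(HASHED_NAME.match(name) for name in os.listdir(path))

def find_ca_directory(candidates=None, probe=openssl_certs_dir):
    """First usable CA directory: OPENSSLDIR/certs, then the candidates."""
    paths = [p for p in [probe()] if p]
    paths.extend(candidates if candidates is not None else CANDIDATE_CA_DIRS)
    for path in paths:
        if is_hashed_ca_dir(path):
            return path
    return None

def wget_command(url, dest, ca_dir):
    """Build the fetch command as an argument list; verification stays on."""
    cmd = ["wget", url, "-O", dest]
    if ca_dir:
        cmd.append("--ca-directory=" + ca_dir)
    return cmd
```

When `find_ca_directory()` returns None the command is built without `--ca-directory`, so wget falls back to its own defaults and the caller can log that no system CA directory was found.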
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/gstreamer/cerbero/issues/65.