Seems I tried to be clever in providing a bundle without the original CA
certificate (we're using almost everywhere else). Unfortunately,
pollinate is calling curl with --capath /dev/null so we need to include
this.
I've created MP:239160 to fix this.

Tested as follows:

$ curl -A 'pollinate/4.8-0ubuntu1 curl/7.37.1-1ubuntu3 Ubuntu/14.10 GNU/Linux/3.16.0-23-generic/x86_64' -o- -v --trace-time --connect-timeout 3 --max-time 3 --cacert missing-ca-certificate/entropy.ubuntu.com.pem --capath /dev/null https://entropy.ubuntu.com/
| 09:16:55.592055 * Hostname was NOT found in DNS cache
| 09:16:55.596308 *   Trying 91.189.94.50...
| 09:16:55.925350 * Connected to entropy.ubuntu.com (91.189.94.50) port 443 (#0)
| 09:16:55.925950 * successfully set certificate verify locations:
| 09:16:55.926012 *   CAfile: missing-ca-certificate/entropy.ubuntu.com.pem
|   CApath: /dev/null
| 09:16:55.926126 * SSLv3, TLS handshake, Client hello (1):
| 09:16:56.261897 * SSLv3, TLS handshake, Server hello (2):
| 09:16:56.273468 * SSLv3, TLS handshake, CERT (11):
| 09:16:56.274152 * SSLv3, TLS handshake, Server key exchange (12):
| 09:16:56.274321 * SSLv3, TLS handshake, Server finished (14):
| 09:16:56.284401 * SSLv3, TLS handshake, Client key exchange (16):
| 09:16:56.284483 * SSLv3, TLS change cipher, Client hello (1):
| 09:16:56.284605 * SSLv3, TLS handshake, Finished (20):
| 09:16:56.628377 * SSLv3, TLS change cipher, Client hello (1):
| 09:16:56.628494 * SSLv3, TLS handshake, Finished (20):
| 09:16:56.628555 * SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
| 09:16:56.628606 * Server certificate:
| 09:16:56.628656 *        subject: OU=Domain Control Validated; CN=entropy.ubuntu.com
| 09:16:56.628702 *        start date: 2014-10-14 23:21:25 GMT
| 09:16:56.628748 *        expire date: 2015-10-15 16:10:53 GMT
| 09:16:56.628807 *        subjectAltName: entropy.ubuntu.com matched
| 09:16:56.628863 *        issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
| 09:16:56.628909 *        SSL certificate verify ok.
| 09:16:56.628981 > GET / HTTP/1.1
| 09:16:56.628981 > User-Agent: pollinate/4.8-0ubuntu1 curl/7.37.1-1ubuntu3 Ubuntu/14.10 GNU/Linux/3.16.0-23-generic/x86_64
| 09:16:56.628981 > Host: entropy.ubuntu.com
| 09:16:56.628981 > Accept: */*
| 09:16:56.628981 >
| 09:16:56.968210 * HTTP 1.0, assume close after body
| 09:16:56.968290 < HTTP/1.0 400 Bad Request
| 09:16:56.968334 < Content-Type: text/plain; charset=utf-8
| 09:16:56.968375 < Content-Length: 162
| 09:16:56.968417 < Date: Tue, 21 Oct 2014 22:16:57 GMT
| 09:16:56.968459 < X-Cache: MISS from localhost
| 09:16:56.968501 < X-Cache-Lookup: MISS from localhost:3128
| 09:16:56.968544 < Via: 1.0 localhost (squid/3.1.19)
| 09:16:56.968587 * HTTP/1.0 connection set to keep alive!
| 09:16:56.968628 < Connection: keep-alive
| 09:16:56.968670 < Please use the pollinate client.  'sudo apt-get install pollinate' or download from: https://bazaar.launchpad.net/~pollinate/pollinate/trunk/view/head:/pollinate
| 09:16:56.968739 * Connection #0 to host entropy.ubuntu.com left intact

Once again, I am really sorry.

** Branch linked: lp:~hloeung/pollinate/missing-ca-certificate

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to pollinate in Ubuntu.
https://bugs.launchpad.net/bugs/1381359

Title:
  [SRU] ship new public cert
