Porting S3QL and ca-root-nss.crt: Python unable to find needed certificates
Niklaas Baudet von Gersdorff
niklaas at kulturflatrate.net
Sat Oct 3 13:17:52 UTC 2015
Hi,
I'm porting S3QL, see https://bitbucket.org/nikratio/s3ql/overview. It
creates a mountable filesystem on an Amazon S3 bucket. I have already come
this far: https://github.com/niklaas/freebsd-port-s3ql which also
requires two Python modules for which there are no ports so far either:
llfuse: https://github.com/niklaas/freebsd-port-llfuse
dugong: https://github.com/niklaas/freebsd-port-dugong
`poudriere testport` works fine. I installed the port on a FreeBSD
system successfully and it seems to work fine. S3QL connects to the S3
bucket via SSL. But the connection only works if I use the following
command, explicitly stating the location of ca-root-nss.crt:
mkfs.s3ql --backend-options ssl-ca-path=/usr/local/share/certs/ca-root-nss.crt s3://<bucket-name>
Not doing so causes the following errors:
> Traceback (most recent call last):
> File "/usr/local/bin/mount.s3ql", line 9, in <module>
> load_entry_point('s3ql==2.15', 'console_scripts', 'mount.s3ql')()
> File "/usr/local/lib/python3.4/site-packages/s3ql/mount.py", line 120, in main
> options.authfile, options.compress)
> File "/usr/local/lib/python3.4/site-packages/s3ql/common.py", line 340, in get_backend_factory
> backend.fetch('s3ql_passphrase')
> File "/usr/local/lib/python3.4/site-packages/s3ql/backends/common.py", line 351, in fetch
> return self.perform_read(do_read, key)
> File "/usr/local/lib/python3.4/site-packages/s3ql/backends/common.py", line 107, in wrapped
> return method(*a, **kw)
> File "/usr/local/lib/python3.4/site-packages/s3ql/backends/common.py", line 314, in perform_read
> fh = self.open_read(key)
> File "/usr/local/lib/python3.4/site-packages/s3ql/backends/common.py", line 107, in wrapped
> return method(*a, **kw)
> File "/usr/local/lib/python3.4/site-packages/s3ql/backends/s3c.py", line 302, in open_read
> resp = self._do_request('GET', '/%s%s' % (self.prefix, key))
> File "/usr/local/lib/python3.4/site-packages/s3ql/backends/s3c.py", line 437, in _do_request
> query_string=query_string, body=body)
> File "/usr/local/lib/python3.4/site-packages/s3ql/backends/s3c.py", line 668, in _send_request
> self.conn.send_request(method, path, body=body, headers=headers)
> File "/usr/local/lib/python3.4/site-packages/dugong/__init__.py", line 508, in send_request
> self.timeout)
> File "/usr/local/lib/python3.4/site-packages/dugong/__init__.py", line 1396, in eval_coroutine
> if not next(crt).poll(timeout=timeout):
> File "/usr/local/lib/python3.4/site-packages/dugong/__init__.py", line 535, in co_send_request
> self.connect()
> File "/usr/local/lib/python3.4/site-packages/dugong/__init__.py", line 444, in connect
> self._sock = self.ssl_context.wrap_socket(self._sock, server_hostname=server_hostname)
> File "/usr/local/lib/python3.4/ssl.py", line 365, in wrap_socket
> _context=self)
> File "/usr/local/lib/python3.4/ssl.py", line 583, in __init__
> self.do_handshake()
> File "/usr/local/lib/python3.4/ssl.py", line 810, in do_handshake
> self._sslobj.do_handshake()
> ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
I did some research and found this *fixed* bug which is more or less recent:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196431
I was wondering whether there are still some issues with
security/ca_root_nss or whether I forgot to specify something in the
Makefile?
How can I find out where Python is looking for the certificates? This
would enable me to create a symlink, which could then be added to the final
version of my port of net/s3ql too. (Note: I don't know Python.)
Any help is very much appreciated.
Best,
--
Niklaas
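
The question above, as an added example that is not part of the original post and not code from S3QL or dugong: a small Python diagnostic that reports where the interpreter's OpenSSL looks for CA certificates by default and whether the bundle path quoted in the post can be loaded. It assumes the application relies on Python's default verify paths; the function names are made up for this example.

```python
import os
import ssl

# Bundle path quoted in the post (installed by security/ca_root_nss).
PORT_BUNDLE = "/usr/local/share/certs/ca-root-nss.crt"


def default_verify_locations():
    """Where this interpreter's OpenSSL looks for CAs by default."""
    p = ssl.get_default_verify_paths()
    return {
        "compiled_cafile": p.openssl_cafile,  # built-in default file
        "compiled_capath": p.openssl_capath,  # built-in default directory
        "cafile_env_var": p.openssl_cafile_env,  # overrides the file
        "capath_env_var": p.openssl_capath_env,  # overrides the directory
        "cafile_in_use": p.cafile,  # None when the file is missing
        "capath_in_use": p.capath,  # None when the directory is missing
    }


def bundle_usable(path):
    """True if path is a file from which OpenSSL loads at least one cert."""
    if not os.path.isfile(path):
        return False
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # ssl.SSLError is a subclass: unreadable or not PEM
        return False
    return ctx.cert_store_stats()["x509"] > 0


def default_store_size():
    """Certificates loaded from the default cafile (capath loads lazily)."""
    return ssl.create_default_context().cert_store_stats()["x509"]


if __name__ == "__main__":
    for name, value in default_verify_locations().items():
        print("%-16s %s" % (name, value))
    print("certs preloaded from defaults:", default_store_size())
    print("port bundle usable:", bundle_usable(PORT_BUNDLE))
```

If `cafile_in_use` and `capath_in_use` are both None, the default context has no trust anchors and every handshake ends in CERTIFICATE_VERIFY_FAILED. `compiled_cafile` is the path a symlink to the bundle would have to occupy, and the variable named in `cafile_env_var` overrides it per process.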