[yocto] Missing certificates

Gary Thomas gary at mlbassoc.com
Mon Jul 27 07:05:05 PDT 2015


On 2015-07-24 12:02, Gary Thomas wrote:
> I was trying to run a simple fetch from python using
>          url = 'https://raw.github.com/Itseez/opencv/master/samples/c/fruits.jpg'
>          filedata = urllib2.urlopen(url).read()
>
> This failed:
>    Traceback (most recent call last):
>    File "./edge.py", line 36, in <module>
>      filedata = urllib2.urlopen(url).read()
>    File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
>      return opener.open(url, data, timeout)
>    File "/usr/lib/python2.7/urllib2.py", line 431, in open
>      response = self._open(req, data)
>    File "/usr/lib/python2.7/urllib2.py", line 449, in _open
>      '_open', req)
>    File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
>      result = func(*args)
>    File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
>      context=self._context)
>    File "/usr/lib/python2.7/urllib2.py", line 1197, in do_open
>      raise URLError(err)
> urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
>
> I can see that it was looking for some certificates in /usr/lib/ssl/certs
> but that directory is missing.
>
> Anyone know what I might be missing (or have misconfigured)?
>
> Thanks
>

I've found a discussion about this problem on the OpenEmbedded
development list:
   http://lists.openembedded.org/pipermail/openembedded-devel/2015-July/102160.html

So the problem that this has uncovered is twofold:
1) Python (and OpenSSL) are not using the certificates that are installed by the ca-certificates package
    OpenSSL expects the certificates in /usr/lib/ssl/certs and ca-certificates uses /etc/ssl/certs
2) The certificates from ca-certificates are not immediately usable by OpenSSL since they are not
    hashed.  This is done by the 'c_rehash' program but has been explicitly disabled by a patch.
    Further exploration implies that this was disabled because not all targets will have c_rehash
    available and since the hashing is expected to be done on the target when the certificates
    are loaded/updated.  Finally, c_rehash may or may not exist in the OpenSSL packages, depending
    on whether or not perl is available on the target (it's a perl script).

How best to solve this?  As is, python https:// support is broken in OE-core, so I think an
off-the-shelf solution is warranted.

Perhaps the PACKAGECONFIG for openssl should default to supporting perl on the target, and hence
the c_rehash utility would be available?  Certainly the choice of where the certificates live, etc,
should be standardized.

Maybe the c_rehash can be run at package build time for ca-certificates?  This would make things work,
at least for the real CA certificates.

Ideas?

-- 
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------
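The two failure modes described in the message above (OpenSSL consulting a certificate directory other than the one ca-certificates populates, and a directory that has never been hashed by c_rehash) can be told apart from Python without any network access. The following is an added diagnostic example, not code from the original post or from OE-core; it uses Python 3's ssl module (the post uses Python 2.7's urllib2), and the sample directory and the "a94d09e5.0" file name inside it are constructed for illustration only.

```python
"""Diagnose why an OpenSSL CAPATH lookup fails (added example, not from the post).

Two checks map directly onto the problems described in the thread:
  1. ssl.get_default_verify_paths() reports the directory OpenSSL was compiled
     to search (e.g. /usr/lib/ssl/certs); compare it with where ca-certificates
     actually installs its files (/etc/ssl/certs).
  2. OpenSSL only finds a CA in CAPATH through a link named <8 hex digits>.<n>,
     which is what c_rehash / "openssl rehash" creates; a directory full of
     *.pem files but no such links is "not rehashed".
"""
import os
import re
import ssl
import tempfile

# Name pattern produced by c_rehash: subject-name hash plus a collision index.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def default_verify_paths():
    """Return (cafile, capath) that this Python/OpenSSL build consults by default."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile, paths.openssl_capath


def is_rehashed(capath):
    """True if capath exists and holds at least one c_rehash-style link."""
    if not os.path.isdir(capath):
        return False
    return any(HASH_LINK.match(name) for name in os.listdir(capath))


def diagnose(capath, bundle_dirs=("/etc/ssl/certs",)):
    """Classify a CAPATH problem the way the thread describes it.

    capath-missing   : OpenSSL's directory does not exist and no known bundle
                       directory exists either (no CA certificates installed).
    capath-mismatch  : OpenSSL's directory is absent but a ca-certificates
                       directory is present (problem 1 in the thread).
    not-rehashed     : the directory exists but c_rehash never ran (problem 2).
    ok               : hashed links are present.
    """
    if not os.path.isdir(capath):
        present = [d for d in bundle_dirs if os.path.isdir(d)]
        return "capath-mismatch" if present else "capath-missing"
    if not is_rehashed(capath):
        return "not-rehashed"
    return "ok"


def make_context(cafile=None, capath=None):
    """Build a verifying SSL context, optionally pointing OpenSSL at an explicit
    CA file or (hashed) CA directory instead of its compiled-in default.
    Passing capath=/etc/ssl/certs is the in-process equivalent of exporting
    SSL_CERT_DIR=/etc/ssl/certs for the whole program."""
    ctx = ssl.create_default_context()
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def make_sample_capath(rehashed=True):
    """Constructed sample directory for demonstration: an empty temp dir,
    optionally containing one hash-style link name as c_rehash would create."""
    d = tempfile.mkdtemp(prefix="capath-demo-")
    if rehashed:
        # constructed file name, not a real CA hash
        open(os.path.join(d, "a94d09e5.0"), "w").close()
    return d


if __name__ == "__main__":
    cafile, capath = default_verify_paths()
    print("OpenSSL default cafile:", cafile)
    print("OpenSSL default capath:", capath, "->", diagnose(capath or "/nonexistent"))
    print("sample rehashed dir   :", diagnose(make_sample_capath(True)))
    print("sample unhashed dir   :", diagnose(make_sample_capath(False)))
```

Running the script on an image with the problem from the thread prints a capath of /usr/lib/ssl/certs and the verdict "capath-mismatch"; after the certificates are put where OpenSSL looks but before hashing, it prints "not-rehashed". Until the packaging is fixed, a program can pass `make_context(capath="/etc/ssl/certs")` to urllib.request.urlopen (or export SSL_CERT_DIR) provided that directory has been hashed.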