Issue #1280
Status: closed
vague error message if intermediate CA is used without full chain on content refresh
Description
Python-requests uses a stricter CA check than curl, and requires a full CA chain instead of just the last CA in the chain. This can cause a great deal of confusion when setting up a content source.
For example, if I have a root CA certificate and then a server CA that was created off of that, I can use the server CA to download content just fine with curl. However, using that same cert with a content source will give the following error:
# pulp-admin content sources refresh
+----------------------------------------------------------------------+
Refresh Content Sources
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Refreshing content sources
[-]
RHUI v2 content from beav-rhui2-rhua
... failed
Content source content-rhui-v2 could not be found at
https://beav-rhui2-rhua/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2/os/
Task Failed
Task 1d5c5af3-d56b-4f5d-a32f-9eb9f0a40e69 encountered one or more failures during execution.
In order to figure out that it's a CA issue, you need to check the connection with openssl s_client, which will return "Verify return code: 2 (unable to get issuer certificate)" instead of "Verify return code: 21 (unable to verify the first certificate)". The Pulp log just says that it was unable to download the file without additional detail.
I understand that this is a python-requests issue[1] but it caused me to burn a full day to find what was happening. It is especially tricky since curl will work.
It would be a better experience if Pulp obtained a more detailed error message from either python-requests (if available) or ssl, and bubbled that up to the user. That would at least give some hint as to what was happening.
[1] https://ixa.io/2015/04/22/using-an-ssl-intermediate-as-your-ca-cert-with-python-requests/
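The chain problem described above can be reproduced offline without Pulp or a network. The script below is an added example, not the reporter's or Pulp's code: it builds a throwaway root CA, an intermediate ("server CA" in the ticket) and a leaf certificate with openssl, then runs openssl verify against the intermediate alone, against the full chain, and against the intermediate with -partial_chain (the OpenSSL 1.0.2+ flag that lets a trusted intermediate terminate a chain). The only name taken from the ticket is the host beav-rhui2-rhua, used as the leaf CN; every certificate is constructed locally and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not Pulp's code): build root -> intermediate -> leaf with openssl
# and show how verification differs when only the intermediate is trusted versus
# the full chain. All certificates are constructed here; only the host name
# beav-rhui2-rhua comes from the ticket.
set -e

# build_pki DIR: create root.pem, inter.pem, server.pem and chain.pem in DIR.
build_pki() {
  dir=$1
  # Self-signed root; `req -x509` marks it CA:TRUE with the default v3_ca extensions.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate (the ticket's "server CA"), signed by the root with CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/inter.ext"
  openssl x509 -req -days 30 -sha256 -in "$dir/inter.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/inter.ext" -out "$dir/inter.pem" 2>/dev/null
  # Leaf for the RHUA host, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=beav-rhui2-rhua" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$dir/server.csr" \
    -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
    -out "$dir/server.pem" 2>/dev/null
  # Full chain: what a strict verifier such as python-requests/OpenSSL wants.
  cat "$dir/inter.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# verify_leaf DIR CAFILE [openssl verify flags...]: verify DIR/server.pem against
# DIR/CAFILE. Prints openssl's verdict (stdout+stderr) and returns its exit status.
verify_leaf() {
  dir=$1; cafile=$2; shift 2
  openssl verify "$@" -CAfile "$dir/$cafile" "$dir/server.pem" 2>&1
}

WORK=$(mktemp -d)
build_pki "$WORK"

echo "== trusting the full chain (intermediate + root):"
verify_leaf "$WORK" chain.pem
echo "== trusting only the intermediate (what the ticket did):"
verify_leaf "$WORK" inter.pem || echo "   -> verification failed (exit status $?)"
echo "== intermediate only, but allowing a partial chain (OpenSSL >= 1.0.2):"
verify_leaf "$WORK" inter.pem -partial_chain
rm -rf "$WORK"
```

The second case prints "error 2 at 1 depth lookup: unable to get issuer certificate": the leaf's issuer is found in the trust file, but the intermediate's own issuer is not, which is exactly the verify return code the ticket had to dig out with openssl s_client. Concatenating the root onto the CA file (or, for tools that expose it, enabling partial-chain verification) makes the same leaf verify.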