On Sun, May 25, 2014 at 01:59:15PM +0200, Ola Lundqvist wrote: > severity 748964 wishlist > tags 748964 + wontfix > thanks > > Hi Kurt > > It turns out that vzstats does not work with ca-certificates. > I'd like to know the reason for this request. Is it some general principle > or is it some more specific reason for it? > > ola@quartz:~/build/debian/vzstats/vzstats-0.5.3$ curl -sS --connect-timeout > 30 --cacert /etc/ssl/certs/ca-certificates.crt > https://stats.openvz.org/genuuid.php > curl: (60) SSL certificate problem: unable to get local issuer certificate
stats.openvz.org is misconfigured and does not send all the certificates it should be sending. That is, it sends it's own certificate but does not send any of the intermedia or root CAs as it should. For some reason it also supports single DES. > This problem does not appear with the certificate from vzstats itself. I have to guess they worked around this by including the intermedia CA for them in that bundle instead of fixing their website. > There is one more problem. A server admin can select and deny CA:s by > configuration. This is all good, but it is very hard for the admin to dig > down that it is because of a specific setting this statistics gathering > script stops to work. If he doesn't trust that CA, there is no reason to suddenly trust it when he wants to get statistics. Kurt -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
