Module: check_mk
Branch: master
Commit: 7d54072c67b98dec51fae01b71f3fa0f3c72f41a
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7d54072c67b98d…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Feb 4 20:22:38 2019 +0100
Use sites trusted CAs for verifying remote livestatus server certificates
Change-Id: I10df80bc6323a42fe0b6648c621c8ccd97e6647a
---
livestatus/api/python/livestatus.py | 2 +-
tests/unit/livestatus/test_livestatus_unit.py | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/livestatus/api/python/livestatus.py b/livestatus/api/python/livestatus.py
index 1448388..a1d8d42 100644
--- a/livestatus/api/python/livestatus.py
+++ b/livestatus/api/python/livestatus.py
@@ -106,7 +106,7 @@ def site_local_ca_path():
if not omd_root:
raise MKLivestatusConfigError("OMD_ROOT is not set. You are not running in
OMD context.")
- return os.path.join(omd_root, "etc/ssl/ca.pem")
+ return os.path.join(omd_root, "var/ssl/ca-certificates.crt")
def create_client_socket(family, tls, verify, ca_file_path):
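Review bot: `site_local_ca_path()` now returns the site's trusted-CA bundle (`var/ssl/ca-certificates.crt`) rather than the site-local CA, so its name no longer describes what callers get, and nothing documents that this file is the trust anchor set for verifying remote Livestatus servers. A bundle presumably holds more than one CA, and any CA in it can then vouch for a remote server. The file also now sits under `var/` instead of `etc/`, so write access to it should be held as tightly as it was for `etc/ssl/ca.pem`; permissions are not visible here. I would add a docstring such as `"""Return the path of the site's trusted CA bundle used to verify remote Livestatus server certificates."""` and consider a clearer name in a follow-up. The function starts above the hunk, so only its last lines are visible.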
diff --git a/tests/unit/livestatus/test_livestatus_unit.py
b/tests/unit/livestatus/test_livestatus_unit.py
index 22fcb18..c28002f 100644
--- a/tests/unit/livestatus/test_livestatus_unit.py
+++ b/tests/unit/livestatus/test_livestatus_unit.py
@@ -1,6 +1,5 @@
import socket
import ssl
-import os
from contextlib import closing
from pathlib2 import Path
import pytest # type: ignore
@@ -125,6 +124,11 @@ def test_single_site_connection_socketurl(socket_url, result,
monkeypatch):
def test_create_socket(tls, verify, ca, ca_file_path, monkeypatch, tmpdir):
ca.initialize()
+ ssl_dir = Path("%s/var/ssl" % tmpdir)
+ ssl_dir.mkdir(parents=True)
+ with ssl_dir.joinpath("ca-certificates.crt").open(mode="w",
encoding="utf-8") as f: # pylint: disable=no-member
+
f.write(ca.ca_path.joinpath("ca.pem").open(encoding="utf-8").read())
+
monkeypatch.setenv("OMD_ROOT", "%s" % tmpdir)
if ca_file_path is not None:
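Review bot: The inner `ca.ca_path.joinpath("ca.pem").open(encoding="utf-8")` in the added bundle setup is never closed, so the test leaks a file handle even though the outer file is managed by `with`. `f.write(ca.ca_path.joinpath("ca.pem").read_text(encoding="utf-8"))` reads and closes in one call. The fixture bundle holds only the test CA, so this setup does not show what happens when the bundle is missing or unreadable while `verify` is enabled. A case for that would pin the failure mode, unless the rest of `test_create_socket` (outside this hunk) already covers it.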
@@ -134,7 +138,7 @@ def test_create_socket(tls, verify, ca, ca_file_path, monkeypatch,
tmpdir):
"unix:/tmp/xyz", tls=tls, verify=verify, ca_file_path=ca_file_path)
if ca_file_path is None:
- ca_file_path = "%s/ca.pem" % ca.ca_path
+ ca_file_path = "%s/var/ssl/ca-certificates.crt" % tmpdir
sock = live._create_socket(socket.AF_INET)