From 52a3bebcfcb09ec2b78d0357f1a074458ab04053 Mon Sep 17 00:00:00 2001
From: Clint Byrum
Date: Tue, 5 May 2015 15:00:03 -0700
Subject: [PATCH] Do not set OS_CACERT if there is no CA cert

In openrc, if we set OS_CACERT, some things will expect it to be there in pre-flight checks. But it may very well be missing. This "fails closed" because if we find the file, we try to use it, but if we don't find the file, and the user thought we should be using it, we'll just not be able to verify the server's name, and the libs will fail on that.

Change-Id: Ia5d06afa74bc645c2f19711cfa37e57a377c329b
Closes-Bug: #1452036
---
 openrc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/openrc b/openrc
index aec8a2a642..64faa58a3a 100644
--- a/openrc
+++ b/openrc
@@ -78,8 +78,14 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
 #
 export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
-# Set the pointer to our CA certificate chain. Harmless if TLS is not used.
-export OS_CACERT=${OS_CACERT:-$INT_CA_DIR/ca-chain.pem}
+# Set OS_CACERT to a default CA certificate chain if it exists.
+if [[ ! -v OS_CACERT ]] ; then
+ DEFAULT_OS_CACERT=$INT_CA_DIR/ca-chain.pem
+ # If the file does not exist, this may confuse preflight sanity checks
+ if [ -e $DEFAULT_OS_CACERT ] ; then
+ export OS_CACERT=$DEFAULT_OS_CACERT
+ fi
+fi
 # Currently novaclient needs you to specify the *compute api* version. This
 # needs to match the config of your catalog returned by Keystone.
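Review bot: The existence test on the new `if [ -e $DEFAULT_OS_CACERT ]` line is unquoted and uses `-e`, so a path with whitespace in `$INT_CA_DIR` breaks the test and a directory named ca-chain.pem would be exported as the CA bundle; `if [[ -f "$DEFAULT_OS_CACERT" ]] ; then` checks for a regular file and is safe to quote. The `[[ -v OS_CACERT ]]` guard also changes the old `${OS_CACERT:-...}` semantics: a variable that is set but empty now keeps its empty value instead of falling back to the default, and `-v` requires bash 4.2 or newer, both of which are worth a line in the comment above the block if they are intended. Since the whole point is that a missing chain leaves the client unable to verify the server, consider a one-line diagnostic on the missing-file branch, e.g. `echo "WARNING: $DEFAULT_OS_CACERT not found; OS_CACERT left unset" >&2`, so that the silent fall-through is visible to the user rather than surfacing later as an opaque TLS failure.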