diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index e18bdf8e..0d29fffe 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -16,6 +16,7 @@
 import copy
 import httplib
 import logging
+import os
 import socket
 import StringIO
 import urlparse
@@ -201,7 +202,10 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
 cert_file=cert_file)
 self.key_file = key_file
 self.cert_file = cert_file
- self.ca_file = ca_file
+ if ca_file is not None:
+ self.ca_file = ca_file
+ else:
+ self.ca_file = self.get_system_ca_file()
 self.timeout = timeout
 self.insecure = insecure
@@ -233,6 +237,20 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
 self.sock = ssl.wrap_socket(sock, **kwargs)
+ @staticmethod
+ def get_system_ca_file():
+ """"Return path to system default CA file"""
+ # Standard CA file locations for Debian/Ubuntu, RedHat/Fedora,
+ # Suse, FreeBSD/OpenBSD
+ ca_path = ['/etc/ssl/certs/ca-certificates.crt',
+ '/etc/pki/tls/certs/ca-bundle.crt',
+ '/etc/ssl/ca-bundle.pem',
+ '/etc/ssl/cert.pem']
+ for ca in ca_path:
+ if os.path.exists(ca):
+ return ca
+ return None
+
 class ResponseBodyIterator(object):
 """A class that acts as an iterator over an HTTP response."""
diff --git a/glanceclient/shell.py b/glanceclient/shell.py
index 8a93d8cf..c13a7b8c 100644
--- a/glanceclient/shell.py
+++ b/glanceclient/shell.py
@@ -73,8 +73,9 @@ class OpenStackImagesShell(object):
 'not necessary if your key is prepended to your cert file.')
 parser.add_argument('--ca-file',
- help='Path of CA SSL certificate(s) used to sign the remote '
- 'server\'s certificate.')
+ help='Path of CA SSL certificate(s) used to verify the remote '
+ 'server\'s certificate. Without this option glance looks '
+ 'for the default system CA certificates.')
 parser.add_argument('--timeout',
 default=600,
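Review bot: In the new `else:` branch, `self.ca_file` silently ends up as None when `get_system_ca_file()` finds no bundle, so whether the server certificate is still verified depends on code this hunk does not show. The constructor starts above the hunk, and the code that builds the kwargs for `ssl.wrap_socket(sock, **kwargs)` is not visible. It should be confirmed that a None `ca_file` with `insecure` unset makes the handshake fail rather than relaxing verification. A comment on the branch would record that contract, for example `# May still be None when no system bundle exists; the connection must then fail unless insecure is set.`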
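Review bot: `os.path.exists(ca)` in `get_system_ca_file` is also true for a directory, so a directory at one of these paths would be returned as the CA bundle; `if os.path.isfile(ca):` matches what the caller needs. The docstring opens with four quotes, which leaves a stray `"` at the start of its text. It could read `"""Return the path of the first system CA bundle found, or None."""`, which also documents the None return. The list is first-match and hard-coded, so a comment saying the order is deliberate would help anyone adding another distribution's path.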