Merge pull request #23769 from cellscape/utils-http-ca-file-roots

Fix file_roots CA lookup in salt.utils.http.get_ca_bundle
2025-04-17 10:10:20 +00:00 · 2015-05-15 10:21:49 -06:00 · 2015-05-15 10:21:49 -06:00 · 10615ff5a7
commit 10615ff5a7
parent fd8a1b797f 8e90f3291b
1 changed files with 11 additions and 7 deletions
--- a/salt/utils/http.py
+++ b/salt/utils/http.py
@ -443,14 +443,17 @@ def get_ca_bundle(opts=None):
        return opts_bundle

    file_roots = opts.get('file_roots', {'base': [syspaths.SRV_ROOT_DIR]})
-    salt_root = file_roots['base'][0]
-    log.debug('file_roots is {0}'.format(salt_root))

    # Please do not change the order without good reason
-    for path in (
-        # Check Salt first
-        os.path.join(salt_root, 'cacert.pem'),
-        os.path.join(salt_root, 'ca-bundle.crt'),
+
+    # Check Salt first
+    for salt_root in file_roots.get('base', []):
+        log.debug('file_roots is {0}'.format(salt_root))
+        for path in ('cacert.pem', 'ca-bundle.crt'):
+            if os.path.exists(path):
+                return path
+
+    locations = (
        # Debian has paths that often exist on other distros
        '/etc/ssl/certs/ca-certificates.crt',
        # RedHat is also very common
@ -460,7 +463,8 @@ def get_ca_bundle(opts=None):
        '/etc/ssl/certs/ca-bundle.crt',
        # Suse has an unusual path
        '/var/lib/ca-certificates/ca-bundle.pem',
-    ):
+    )
+    for path in locations:
        if os.path.exists(path):
            return path