3 files changed, 30 insertions, 5 deletions

diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index bd158e1e..cc395bcb 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -3,6 +3,7 @@ import logging
 #import platform
 import time
 import os
+import sys
 
 import gnutls.crypto
 #import netifaces
@@ -20,6 +21,7 @@ from leap.eip import config as eipconfig
 from leap.eip import constants as eipconstants
 from leap.eip import exceptions as eipexceptions
 from leap.eip import specs as eipspecs
+from leap.util.certs import get_mac_cabundle
 from leap.util.fileutil import mkdir_p
 from leap.util.web import get_https_domain_and_port
 from leap.util.misc import null_check
@@ -165,13 +167,15 @@ class ProviderCertChecker(object):
         if autocacert and verify is True and self.cacert is not None:
             logger.debug('verify cert: %s', self.cacert)
             verify = self.cacert
+        if sys.platform == "darwin": 
+            verify = get_mac_cabundle()
         logger.debug('checking https connection')
         logger.debug('uri: %s (verify:%s)', uri, verify)
+
         try:
             self.fetcher.get(uri, verify=verify)
 
-        except requests.exceptions.SSLError:  # as exc:
-            logger.error("SSLError")
+        except requests.exceptions.SSLError as exc:
             raise eipexceptions.HttpsBadCertError
 
         except requests.exceptions.ConnectionError:
@@ -448,9 +452,15 @@ class EIPConfigChecker(object):
                 domain = config.get('provider', None)
             uri = self._get_provider_definition_uri(domain=domain)
 
+        if sys.platform == "darwin": 
+            verify = get_mac_cabundle()
+        else:
+            verify = True
+
         self.defaultprovider.load(
             from_uri=uri,
-            fetcher=self.fetcher)
+            fetcher=self.fetcher,
+            verify=verify)
         self.defaultprovider.save()
 
     def fetch_eip_service_config(self, skip_download=False,
diff --git a/src/leap/gui/firstrun/providerselect.py b/src/leap/gui/firstrun/providerselect.py
index 28fb829c..ccecd519 100644
--- a/src/leap/gui/firstrun/providerselect.py
+++ b/src/leap/gui/firstrun/providerselect.py
@@ -287,8 +287,6 @@ class SelectProviderPage(InlineValidationPage):
                 wizard.set_providerconfig(
                     eipconfigchecker.defaultprovider.config)
             except requests.exceptions.SSLError:
-                # XXX we should have catched this before.
-                # but cert checking is broken.
                 return self.fail(self.tr(
                     "Could not get info from provider."))
             except requests.exceptions.ConnectionError:
diff --git a/src/leap/util/certs.py b/src/leap/util/certs.py
new file mode 100644
index 00000000..304db08a
--- /dev/null
+++ b/src/leap/util/certs.py
@@ -0,0 +1,17 @@
+import os
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def get_mac_cabundle():
+    # hackaround bundle error
+    # XXX this needs a better fix!
+    f = os.path.split(__file__)[0]
+    sep = os.path.sep
+    f_ = sep.join(f.split(sep)[:-2])
+    verify = os.path.join(f_, 'cacert.pem')
+    #logger.error('VERIFY PATH = %s' % verify)
+    exists = os.path.isfile(verify)
+    #logger.error('do exist? %s', exists)
+    return verify