See merge request !9Co-authored-by: Julien Muchembled <jm@nexedi.com>

This is possible after slapcache!7

Actually totally revert 08b53cb3 since
there is no sense to get option from a file which is often inexisting
where the user generate its key.

Also add a warning message at the end.

See commit 08b53cb3.

A signature-certificate-file configuration
that is not used elsewhere is confusing.

This fixes the following error on Python 3:

  TypeError: startswith first arg must be bytes or a tuple of bytes, not str

url would be more useful than file+urlmd5
(slapos.buildout will be changed this way)

However, prevent the user from passing empty metadata inadvertently.
Of course, that won't reject dummy information but it's unlikely there's
nothing useful to add.

Move `_verifySignatureInCertificateList` to a public method

Note: Forgotten commit.

Append loaded_certificate in the try block, so it does not result with
"UnboundLocalError: local variable 'loaded_certificate' referenced before assignment"

python 3 compatibility

When list of signature certificates is processed any of them can result
with not using a cache while download, which is bad situation.

Just ignore bad certificates while checking the list, so any other good
ones can be used.

/reviewed-on !4

"context.set_ciphers('DEFAULT:@SECLEVEL=1')" was introduced in
ab3b2c3b but for very old SSL we can have the
follwoing error:

Traceback (most recent call last):
  File "/usr/local/bin/networkcache-upload", line 9, in <module>
    load_entry_point('slapos.libnetworkcache==0.19', 'console_scripts', 'networkcache-upload')()
  File "/usr/local/lib/python2.7/dist-packages/slapos/libnetworkcache.py", line 489, in cmd_upload
    **dict(x.split('=', 1) for x in args.meta))
  File "/usr/local/lib/python2.7/dist-packages/slapos/libnetworkcache.py", line 341, in upload
    'Content-Type': 'application/octet-stream'})
  File "/usr/local/lib/python2.7/dist-packages/slapos/libnetworkcache.py", line 264, in _request
    context.set_ciphers('DEFAULT:@SECLEVEL=1') # XXX
ssl.SSLError: ('No cipher can be selected.',)

/reviewed-on !3

Add download auto retrying function. This is necessary because downloading binary cache often fails.

Traceback (most recent call last):
  ...
  File "/usr/lib/python3.7/http/client.py", line 1376, in __init__
    context.load_cert_chain(cert_file, key_file)
ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3824)

As we can see today:

AssertionError: ' 2119 ' not found in 'notAfter=Dec 14 00:54:31 2118 GMT\n')

Since OpenSSL 1.1 those broken certificates became a problem during testing,
so regenerate them with new OpenSSL.

/reviewed-on nexedi/slapos.libnetworkcache!2