On Wednesday, November 17, 2021 12:08:27 PM CET patrick+buildsys@laimbock.com wrote:
Hi Miroslav,
Thank you for your feedback.
On 17-11-2021 11:28, Miroslav Suchý wrote:
On 16. 11. 21 at 19:37 patrick+buildsys@laimbock.com wrote:
Thank you (both) for your feedback. And for mock. I could not get your nor Pat's suggestion to work with a self-signed certificate and key.
Did you update the ca-bundle.crt?
I did not because AFAICT the ca-bundle is for CA certificates and not for a client (non-CA) certificate and key.
You can get an inspiration from rhel chroots, where also client pem files are used for DNF (curl) to authenticate against RHEL CDN: https://github.com/rpm-software-management/mock/blob/d081bc113e3c6af9b801675... Perhaps you can re-use that directory?
Still, the public certificate should go to the bundle, I tend to agree with @msuchy.
Pavel
$ man update-ca-trust
update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust
I only see CA certificates mentioned in that manpage, not non-CA/client certificates and keys. On the host the ca-bundle.crt is public (0644) and I'd rather not put a client.key in there. IMHO this does not seem the appropriate place or mechanism for non-CA certificates.
So I came up with the attached patch. I'll be happy to create a PR/MR if this is something you would consider adding?
PR is always welcomed. But before we add something new I will want to know why the current solution does not work.
I guess it works but IMHO it's just not a proper solution to mix CAs with client certificates and keys.
Best,
Patrick
_______________________________________________
buildsys mailing list -- buildsys@lists.fedoraproject.org