On 07/15/2010 10:12 AM, Matthew B Treinish wrote:
>
> I've upgraded all of koji including the hub and koji-web. I'm able to
> submit builds and use koji with the CLI the only thing that doesn't work is
> koji-web. I didn't change anything with the configurations from 1.3.2. I
> did run the database schema update script to transition the database schema
> from 1.3 to 1.4.
>
> I've posted the koji-web.conf:
>
> http://pastebin.com/V8YkX5rD
>
> and kojihub.conf on:
>
> http://pastebin.com/8t91PNZe

In your kojihub.conf try changing:

    PythonOption KojiHubURL https://localhost/kojihub

to:

    PythonOption KojiHubURL http://localhost/kojihub

The old ssl config requires client certs to be provided for every
https:// connection, but the web UI only does a full login (including
certs) on certain pages. Using plain http for general access to the hub
should resolve the issue. https will still be used for any actions that
modify state on the hub.

The other option is to update your ssl config.
This involves commenting out SSLVerifyClient and SSLVerifyDepth from
/etc/httpd/conf.d/ssl.conf and moving them into kojihub.conf and
kojiweb.conf.

The new entry in kojihub.conf would look like:

    <Location /kojihub/ssllogin>
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
    </Location>

and the new entry in kojiweb.conf would look like:

    <Location /koji/login>
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
    </Location>

These replace the existing <Location> entries in these 2 config files.
This configuration has the benefit of only requiring client certificate
exchange at login time, and not for every ssl request. This should
improve performance for daemons and web clients and reduce load on the hub.

Note that this ssl config change is not backward-compatible with
pre-1.4.0 koji clients, so you'll need to make sure all users are using
koji 1.4.0 or greater before making this change, or they will no longer
be able to authenticate via ssl.

Let me know if you run into any issues.

> -Matthew Treinish
>
> From: Mike Bonnet <mikeb(a)redhat.com>
> To: buildsys(a)lists.fedoraproject.org
> Date: 07/14/2010 04:20 PM
> Subject: Re: Trouble Upgrading Koji to v1.4.0
> Sent by: buildsys-bounces(a)lists.fedoraproject.org
>
> On 07/14/2010 05:09 PM, Matthew B Treinish wrote:
>>
>> I have been playing around with a koji 1.3.2 server on my machine for the
>> past couple of weeks. Today I tried updating the server to v1.4.0 and am
>> having some difficulty getting the koji-web interface working. Koji-hub,
>> kojira, kojid, and the koji cli are working fine but koji-web won't run. I
>> have a mod_python traceback of the error:
>>
>> Traceback (most recent call last):
>>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1537, in HandlerDispatch
>>     default=default_handler, arg=req, silent=hlist.silent)
>>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1229, in _process_target
>>     result = _execute_target(config, req, object, arg)
>>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1128, in _execute_target
>>     result = object(arg)
>>   File "/usr/share/koji-web/lib/kojiweb/publisher.py", line 39, in handler
>>     return mod_python.publisher.handler(req)
>>   File "/usr/lib64/python2.6/site-packages/mod_python/publisher.py", line 213, in handler
>>     published = publish_object(req, object)
>>   File "/usr/share/koji-web/lib/kojiweb/publisher.py", line 34, in publish_object
>>     return old_publish_object(req, _genHTML(req, 'error.chtml'))
>>   File "/usr/share/koji-web/lib/kojiweb/util.py", line 69, in _genHTML
>>     req._values['mavenEnabled'] = req._session.mavenEnabled()
>>   File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1468, in __call__
>>     return self.__func(self.__name,args,opts)
>>   File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1698, in _callMethod
>>     return proxy.__getattr__(name)(*args)
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
>>     return self.__send(self.__name, args)
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
>>     verbose=self.__verbose
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1235, in request
>>     self.send_content(h, request_body)
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1349, in send_content
>>     connection.endheaders()
>>   File "/usr/lib64/python2.6/httplib.py", line 868, in endheaders
>>     self._send_output()
>>   File "/usr/lib64/python2.6/httplib.py", line 740, in _send_output
>>     self.send(msg)
>>   File "/usr/lib64/python2.6/httplib.py", line 699, in send
>>     self.connect()
>>   File "/usr/lib64/python2.6/httplib.py", line 1073, in connect
>>     self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
>>   File "/usr/lib64/python2.6/ssl.py", line 350, in wrap_socket
>>     suppress_ragged_eofs=suppress_ragged_eofs)
>>   File "/usr/lib64/python2.6/ssl.py", line 118, in __init__
>>     self.do_handshake()
>>   File "/usr/lib64/python2.6/ssl.py", line 293, in do_handshake
>>     self._sslobj.do_handshake()
>>
>> SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>>
>> Everything was working fine in v1.3.2 so I'm at a loss at what could cause
>> the SSL certificate to fail after the upgrade. I'd appreciate any insight
>> into what I'm doing wrong.
>
> There were some SSL changes in 1.4.0, did you make those changes to your
> ssl.conf, kojihub.conf, and kojiweb.conf in /etc/httpd/conf.d? 1.4.0
> should continue to work with the old config if you haven't touched
> anything. Could you post your kojihub.conf and kojiweb.conf somewhere?
>
> Also, have you upgraded both the hub and web to 1.4.0?
> --
> buildsys mailing list
> buildsys(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
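An added example, not part of the original thread and not koji's own code: a small checker that tells the two httpd layouts described in the reply apart and flags the combination that produced the handshake failure. It assumes the config files are passed in as text, treats any SSLVerifyClient outside a <Location> block as server-wide, reads KojiHubURL from whichever file sets it, and runs on constructed sample configs; the function names are invented here.

```python
import re

LOGIN_PATHS = ("/kojihub/ssllogin", "/koji/login")  # paths named in the reply

# Constructed sample configs, not the poster's files.
OLD = {  # pre-1.4.0 layout: verification set outside any <Location>
    "ssl.conf": "SSLVerifyClient require\nSSLVerifyDepth 10\n",
    "kojiweb.conf": "PythonOption KojiHubURL https://localhost/kojihub\n",
}
NEW = {  # layout described in the reply: verification only on login paths
    "ssl.conf": "#SSLVerifyClient require\n#SSLVerifyDepth 10\n",
    "kojihub.conf": "<Location /kojihub/ssllogin>\nSSLVerifyClient require\n"
                    "SSLVerifyDepth 10\nSSLOptions +StdEnvVars\n</Location>\n",
    "kojiweb.conf": "PythonOption KojiHubURL https://localhost/kojihub\n"
                    "<Location /koji/login>\nSSLVerifyClient require\n"
                    "SSLVerifyDepth 10\nSSLOptions +StdEnvVars\n</Location>\n",
}

def client_cert_scopes(files):
    """Map each scope (a <Location> path, or 'server-wide') to its SSLVerifyClient value."""
    scopes = {}
    for text in files.values():
        location = None
        for line in (raw.strip() for raw in text.splitlines()):
            if not line or line.startswith("#"):
                continue  # commented-out directives have no effect
            opened = re.match(r"<Location\s+([^>]+)>", line, re.I)
            if opened:
                location = opened.group(1).strip()
            elif line.lower().startswith("</location"):
                location = None
            elif re.match(r"SSLVerifyClient\s+\S+", line, re.I):
                scopes[location or "server-wide"] = line.split()[1].lower()
    return scopes

def hub_url(files):
    """Return the KojiHubURL value from whichever file sets it, else None."""
    for text in files.values():
        found = re.search(r"^\s*PythonOption\s+KojiHubURL\s+(\S+)", text, re.M | re.I)
        if found:
            return found.group(1)
    return None

def audit(files):
    """List findings for a set of httpd config files; an empty list means the per-login layout."""
    scopes, url = client_cert_scopes(files), hub_url(files)
    if scopes.get("server-wide") == "require":
        findings = ["client cert demanded on every https request"]
        if url and url.lower().startswith("https://"):
            findings.append("KojiHubURL is https: hub calls without a cert fail the handshake")
        return findings
    return ["%s does not require a client cert" % p
            for p in LOGIN_PATHS if scopes.get(p) != "require"]
```

Calling `audit()` on the real files read from /etc/httpd/conf.d before and after the change shows whether client verification was actually moved off the server-wide scope.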