I’m sure your troubles all reside within your SSL certificates. They’re crucial for the
authentication both of client and of server. Unless I’m mistaken, the only values in the
certificates that you absolutely must get correct are the CN in each of the certificates.
Be sure to stop and think about what the certificate is going to authenticate. If it’s to
authenticate a server to a client, the CN must have the FQDN of the host providing that
service. If it’s to authenticate a client, be it you or a kojid instance or kojira, the
CN must match the user name Koji has in its database for that user.
I don’t want to make the problem harder for you by having to make other things work too,
but you might get some insight into what’s going on by eliminating the koji client for a
bit and focusing on just the SSL in your current sticking point. The koji hub is telling
you it doesn’t know you or believe you to be who you purport to be – i.e., it’s failing
client authentication. So you might try something like:
    openssl s_client -CAfile ~/.koji/clientca.crt -cert ~/.koji/client.crt -connect koji.example.com:443
(I’m no openssl expert by any stretch of the imagination and the above is based loosely on
this[1] but it works for me, albeit with my hostname, of course.)
[1] http://stackoverflow.com/questions/17203562/openssl-s-client-cert-proving...
PS. I can tell you that whatever expertise you gain with testing SSL authentication here
will be well earned because you have much more of the same ahead of you.
--
John Florian
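The CN rule described in the reply above can be checked locally before trying the s_client handshake. What follows is an added example, not part of the original thread or of Koji: the function names, file paths and the throwaway self-signed certificate are constructed for illustration, and the SHA-256 check assumes the default_md = sha256 setting mentioned elsewhere in the thread.

```shell
#!/bin/bash
# Added example: local checks on a Koji client certificate before it is
# presented to the hub. Function names and paths are illustrative.

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= //p'
}

# Print the signature algorithm the certificate was signed with.
cert_sigalg() {
    openssl x509 -noout -text -in "$1" |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Return 0 only if the CN equals the Koji user name and the signature
# uses SHA-256 (assumed to match default_md = sha256 on the CA).
check_koji_client_cert() {
    local cert="$1" user="$2" cn alg
    cn=$(cert_cn "$cert")
    alg=$(cert_sigalg "$cert")
    if [ "$cn" != "$user" ]; then
        echo "CN '$cn' does not match Koji user '$user'" >&2
        return 1
    fi
    case "$alg" in
        sha256*) ;;
        *) echo "unexpected signature algorithm: $alg" >&2; return 2 ;;
    esac
    echo "OK: CN=$cn, $alg"
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {
    local dir="$1" cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$cn" -keyout "$dir/sample.key" \
        -out "$dir/sample.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp" kojiadmin
check_koji_client_cert "$tmp/sample.crt" kojiadmin        # passes
check_koji_client_cert "$tmp/sample.crt" kojira || true   # CN mismatch
rm -rf "$tmp"
```

For a real check, point check_koji_client_cert at the client certificate and pass the user name as it appears in the Koji database.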
From: buildsys-bounces(a)lists.fedoraproject.org
[mailto:buildsys-bounces@lists.fedoraproject.org] On Behalf Of gssxd(a)qq.com
Sent: Monday, April 27, 2015 19:37
To: buildsys
Subject: how to setup the koji build system?
hi, John Florian
Thanks for your information. I am using rhel7, so I have to change the default_md to
sha256.
However, I still can't set up the koji build now. The new error shown to me is:
[kojiadmin@koji ~]$ koji call getLoggedInUser
ProtocolError: <ProtocolError for koji.example.com/kojihub/ssllogin: 403 Forbidden>
Some additional info:
[kojiadmin@koji ~]$ hostname -f
koji.example.com
[kojiadmin@koji ~]$ ping koji.example.com
PING koji.example.com (10.9.2.35) 56(84) bytes of data.
64 bytes from koji.example.com (10.9.2.35): icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from koji.example.com (10.9.2.35): icmp_seq=2 ttl=64 time=0.050 ms
The setting in /etc/koji.conf:
;configuration for koji cli tool
;url of XMLRPC server
server = http://koji.example.com/kojihub
Could you please give me any suggestions?
Thanks very much.
________________________________
Thanks
郭双拴
From: buildsys-request <buildsys-request@lists.fedoraproject.org>
Date: 2015-04-27 21:47
To: buildsys <buildsys@lists.fedoraproject.org>
Subject: buildsys Digest, Vol 122, Issue 21
Send buildsys mailing list submissions to
buildsys@lists.fedoraproject.org
To subscribe or unsubscribe via the World Wide Web, visit
https://admin.fedoraproject.org/mailman/listinfo/buildsys
or, via email, send a message with subject or body 'help' to
buildsys-request@lists.fedoraproject.org
You can reach the person managing the list at
buildsys-owner@lists.fedoraproject.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of buildsys digest..."
Today's Topics:
1. RE: how to setup the koji build system? (John Florian)
2. RE: how to setup the koji build system? (John Florian)
----------------------------------------------------------------------
Message: 1
Date: Mon, 27 Apr 2015 13:42:09 +0000
From: John Florian <john.florian@dart.biz>
To: Discussion of Fedora build system <buildsys@lists.fedoraproject.org>
Subject: RE: how to setup the koji build system?
Message-ID: <D83E0BFAF05CE549BA2A87BB89D443CAA59878DC@USILCHEXMBX02.solo.com>
Content-Type: text/plain; charset="utf-8"
-----Original Message-----
From: buildsys-bounces@lists.fedoraproject.org
[mailto:buildsys-bounces@lists.fedoraproject.org] On Behalf Of Sérgio Basto
Sent: Thursday, April 23, 2015 10:41
To: buildsys@lists.fedoraproject.org
Subject: Re: how to setup the koji build system?
On Qui, 2015-04-23 at 09:39 +0800, gssxd@qq.com wrote:
> Hello,
> I want to build my own linux based on the koji build system . However
> the koji wiki page seems to be a little bit out-of date. I followed
> the instructions to go through all of the steps, but it always show me
> some failures.
> I am using the koji-1.9.0, and I saw the wiki page was referring to the
> version 1.3.1.
> Is there anybody has any suggestion about the setup information? or
> anyone can provide me the latest document about how to build the koji
> system?
I follow this page:
http://www.devops-blog.net/koji/koji-rpm-build-system-installation-part-1
also a little bit out-of date, but on comments we have good tips, to
solve the not updated things.
I too have just gone through a Koji setup -- my 2nd time actually, I didn't adopt it
after all the work the 1st time. Those pages are helpful, but I found I really needed a
combination of the following to get going:
https://fedoraproject.org/wiki/Koji/ServerHowTo
https://wiki.nikhef.nl/grid/Koji_Testbed
and for Sigul:
http://zenit.senecac.on.ca/wiki/index.php/Sigul_Signing_Server_Setup
I did lean on the devops-blog pages too that you already mentioned.
I also found it impossible to get going without adding numerous debug messages of my own
into the koji code. I encountered too many exceptions that failed to print any useful
details about the current state, especially when I was trying to decode the magic of the
proper setup for building from SCM. I don't fault the code or its authors though, it
was created to serve a purpose for the Fedora Project and that it does. But, it's far
from having the polish and documentation of the more popular FOSS packages that get so
much more attention.
--
John Florian
------------------------------
Message: 2
Date: Mon, 27 Apr 2015 13:47:19 +0000
From: John Florian <john.florian@dart.biz>
To: Discussion of Fedora build system <buildsys@lists.fedoraproject.org>
Subject: RE: how to setup the koji build system?
Message-ID: <D83E0BFAF05CE549BA2A87BB89D443CAA59878F6@USILCHEXMBX02.solo.com>
Content-Type: text/plain; charset="utf-8"
I’d bet you have the wrong value for the CN (CommonName) in one of your certificates and
given what you’ve shown it’s likely your user certificate. Make sure the CN there matches
the user ID you created in the Koji DB.
--
John Florian
From: buildsys-bounces@lists.fedoraproject.org
[mailto:buildsys-bounces@lists.fedoraproject.org] On Behalf Of gssxd@qq.com
Sent: Monday, April 27, 2015 01:12
To: buildsys
Subject: how to setup the koji build system?
hi,
I followed the wiki page:
https://fedoraproject.org/wiki/Koji/ServerHowTo
also, the page that Sérgio M. B. pointed out
http://www.devops-blog.net/koji/koji-rpm-build-system-installation-part-1
but, so far I still can't get it installed.
The failure I am seeing is as follows:
[root@www koji]# su kojiadmin
[kojiadmin@www koji]$ koji call getLoggedInUser
Error: [('asn1 encoding routines', 'ASN1_item_verify', 'unknown message digest algorithm'), ('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
[kojiadmin@www koji]$
Could you please give any idea? how to fix it?
________________________________
Thanks
Suney
From: buildsys-request <buildsys-request@lists.fedoraproject.org>
Date: 2015-04-24 20:00
To: buildsys <buildsys@lists.fedoraproject.org>
Subject: buildsys Digest, Vol 122, Issue 18
Today's Topics:
1. Re: how to setup the koji build system? (Didier Fabert)
2. Re: how to setup the koji build system? (Sérgio Basto)
----------------------------------------------------------------------
Message: 1
Date: Thu, 23 Apr 2015 15:42:01 +0200
From: Didier Fabert <didier.fabert@gmail.com>
To: Discussion of Fedora build system <buildsys@lists.fedoraproject.org>
Subject: Re: how to setup the koji build system?
Message-ID: <2589606.sBjckj0VDC@didier.b2pweb.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
Are you talking about this wiki page:
https://fedoraproject.org/wiki/Koji/ServerHowTo ?
I recently upgraded my personal koji from el6 to el7 and all rocks without
any problem (excepting sigul but it's another story).
What are your failures exactly? During install, bootstrap or first use?
On Thursday 23 April 2015 09:39:38 gssxd@qq.com wrote:
Hello,
I want to build my own linux based on the koji build system . However the
koji wiki page seems to be a little bit out-of date. I followed the
instructions to go through all of the steps, but it always show me some
failures.
I am using the koji-1.9.0, and I saw the wiki page was referring
to the version 1.3.1. Is there anybody has any suggestion about the setup
information? or anyone can provide me the latest document about how to
build the koji system?
Thanks very much.
Thanks
Suney
------------------------------
Message: 2
Date: Thu, 23 Apr 2015 15:40:52 +0100
From: Sérgio Basto <sergio@serjux.com>
To: buildsys@lists.fedoraproject.org
Subject: Re: how to setup the koji build system?
Message-ID: <1429800052.29728.14.camel@serjux.com>
Content-Type: text/plain; charset="ISO-8859-15"
On Qui, 2015-04-23 at 09:39 +0800, gssxd@qq.com wrote:
Hello,
I want to build my own linux based on the koji build system . However
the koji wiki page seems to be a little bit out-of date. I followed
the instructions to go through all of the steps, but it always show me
some failures.
I am using the koji-1.9.0, and I saw the wiki page was referring to the
version 1.3.1.
Is there anybody has any suggestion about the setup information? or
anyone can provide me the latest document about how to build the koji
system?
I follow this page:
http://www.devops-blog.net/koji/koji-rpm-build-system-installation-part-1
also a little bit out-of date, but on comments we have good tips, to
solve the not updated things.
Best regards,
--
Sérgio M. B.
------------------------------
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
End of buildsys Digest, Vol 122, Issue 18
*****************************************
End of buildsys Digest, Vol 122, Issue 21
*****************************************