Hi Miroslav,

On 15-11-2021 20:20, Miroslav Suchý wrote:
[snip]
>> Is there a way to specify the client certificate + key in a config somewhere so they get picked up automatically?
>
> Yes, there is a way:
> https://rpm-software-management.github.io/mock/feature-gpg-and-ssl

Thank you (both) for your feedback. And for mock. I could not get either your or Pat's suggestion to work with a self-signed certificate and key. So I came up with the attached patch. I'll be happy to create a PR/MR if this is something you would consider adding?

Quick explanation:
In /etc/mock/<your_config>.cfg add:

    config_opts['ssl_extra_certs'] = [
        '/etc/pki/tls/certs/client.crt', '/etc/pki/tls/certs/',
        '/etc/pki/tls/private/client.key', '/etc/pki/tls/private/'
        ... ]

Also add the required sslclientcert and sslclientkey options to your private repo config in the same file, e.g.:

    [private]
    name=My private repo
    baseurl=https://example.org/repo/private/$releasever/$basearch/
    module_hotfixes=true
    enabled=1
    sslclientcert=/etc/pki/tls/certs/client.crt
    sslclientkey=/etc/pki/tls/private/client.key
    sslcacert=...

When mock runs it will copy client.crt and client.key to their destination directories in both the bootstrap and final chroot so that dnf can send the client cert to the webserver (nginx: ssl_verify_client: on;) to get access.
Best, Patrick
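
Added example (not part of Patrick's message or his patch): a Python pre-flight check that every sslclientcert/sslclientkey path named in the repo stanza is actually covered by ssl_extra_certs, so dnf finds the files inside the chroot. It assumes the list holds flat source/destination pairs as in the message and that a destination ending in '/' keeps the source file name; the function names and sample values are hypothetical.

```python
import configparser
import posixpath

# Constructed sample values mirroring the message above.
SSL_EXTRA_CERTS = [
    '/etc/pki/tls/certs/client.crt', '/etc/pki/tls/certs/',
    '/etc/pki/tls/private/client.key', '/etc/pki/tls/private/',
]
REPO_CONFIG = """
[private]
name=My private repo
baseurl=https://example.org/repo/private/$releasever/$basearch/
enabled=1
sslclientcert=/etc/pki/tls/certs/client.crt
sslclientkey=/etc/pki/tls/private/client.key
"""

def chroot_paths(extra_certs):
    """Paths present in the chroot after copying (source, destination) pairs."""
    if len(extra_certs) % 2:
        raise ValueError("ssl_extra_certs must hold source/destination pairs")
    copied = set()
    for src, dst in zip(extra_certs[0::2], extra_certs[1::2]):
        # Assumption: a destination ending in '/' is a directory and the
        # copied file keeps the source file name.
        if dst.endswith('/'):
            dst = posixpath.join(dst, posixpath.basename(src))
        copied.add(posixpath.normpath(dst))
    return copied

def missing_client_files(repo_config, extra_certs):
    """Return (repo, option, path) for each TLS client file not copied."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_config)
    present = chroot_paths(extra_certs)
    missing = []
    for repo in parser.sections():
        for option in ('sslclientcert', 'sslclientkey'):
            path = parser.get(repo, option, fallback=None)
            if path and posixpath.normpath(path) not in present:
                missing.append((repo, option, path))
    return missing

if __name__ == "__main__":
    for repo, option, path in missing_client_files(REPO_CONFIG, SSL_EXTRA_CERTS):
        print(f"[{repo}] {option}={path} is not copied by ssl_extra_certs")
```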