Hi Miroslav,
On 15-11-2021 20:20, Miroslav Suchý wrote:
[snip]
> Is there a way to specify the client certificate + key in a config
> somewhere so they get picked up automatically?
Yes, there is a way:
https://rpm-software-management.github.io/mock/feature-gpg-and-ssl
Thank you (both) for your feedback. And for mock. I could not get either
your or Pat's suggestion to work with a self-signed certificate and key. So
I came up with the attached patch. I'll be happy to create a PR/MR if
this is something you would consider adding?
Quick explanation:

In /etc/mock/<your_config>.cfg add:

    config_opts['ssl_extra_certs'] = [
        '/etc/pki/tls/certs/client.crt', '/etc/pki/tls/certs/',
        '/etc/pki/tls/private/client.key', '/etc/pki/tls/private/'
        ...
    ]

Also add the required sslclientcert and sslclientkey options to your
private repo config in the same file, e.g.:

    [private]
    name=My private repo
    baseurl=https://example.org/repo/private/$releasever/$basearch/
    module_hotfixes=true
    enabled=1
    sslclientcert=/etc/pki/tls/certs/client.crt
    sslclientkey=/etc/pki/tls/private/client.key
    sslcacert=...

When mock runs it will copy client.crt and client.key to their
destination directories in both the bootstrap and final chroot so that
dnf can send the client cert to the webserver (nginx: ssl_verify_client:
on;) to get access.
Best,
Patrick
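
An added example, not part of Patrick's mail or the attached patch: a pre-flight check that every sslclientcert/sslclientkey path in the repo section is covered by an ssl_extra_certs pair, and that the key's source file on the host is not accessible to group or others before it is copied into the chroots. The function names are hypothetical, and the alternating (source file, destination directory) layout is assumed from the snippet in the mail.

```python
import configparser
import os

# Constructed sample mirroring the mail; pairs are (host source file, chroot destination directory).
SAMPLE_EXTRA_CERTS = [
    "/etc/pki/tls/certs/client.crt", "/etc/pki/tls/certs/",
    "/etc/pki/tls/private/client.key", "/etc/pki/tls/private/",
]
SAMPLE_REPO = """
[private]
name=My private repo
baseurl=https://example.org/repo/private/$releasever/$basearch/
sslclientcert=/etc/pki/tls/certs/client.crt
sslclientkey=/etc/pki/tls/private/client.key
"""

def planned_chroot_paths(extra_certs):
    """Map the path each file will have inside the chroot to its source on the host."""
    if len(extra_certs) % 2:
        raise ValueError("expected source-file / destination-directory pairs")
    return {
        os.path.normpath(os.path.join(dest, os.path.basename(src))): src
        for src, dest in zip(extra_certs[0::2], extra_certs[1::2])
    }

def check_client_cert_setup(extra_certs, repo_text, check_key_mode=True):
    """Return a list of problems; an empty list means the two settings agree."""
    planned = planned_chroot_paths(extra_certs)
    repos = configparser.ConfigParser(interpolation=None)  # keep $releasever etc. literal
    repos.read_string(repo_text)
    problems = []
    for name in repos.sections():
        for option in ("sslclientcert", "sslclientkey"):
            path = repos[name].get(option)
            if not path:
                continue
            source = planned.get(os.path.normpath(path))
            if source is None:
                problems.append(f"[{name}] {option}={path} is not copied into the chroot")
            elif option == "sslclientkey" and check_key_mode:
                try:
                    mode = os.stat(source).st_mode
                except OSError:
                    problems.append(f"[{name}] key source {source} is missing on the host")
                    continue
                if mode & 0o077:  # any group/other permission bit on a private key
                    problems.append(f"[{name}] key source {source} is accessible to group/others")
    return problems
```

Pass check_key_mode=False to compare only the two settings, without touching files on the host.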