Hi, How do I get a client certificate + key into the mock chroot? Mock needs access to a repo which requires the client to send its certificate (nginx with ssl_verify_client on;). If I copy the certificate and key to /etc/pki/tls/{certs,private} in the bootstrap directory then the chroot picks them up and the repo is available. Is there a way to specify the client certificate + key in a config somewhere so they get picked up automatically? Thanks! Best, Patrick _______________________________________________ buildsys mailing list -- buildsys(a)lists.fedoraproject.org To unsubscribe send an email to buildsys-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.o...   List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wi...   List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedoraproject....   Do not reply to spam on the list, report it: https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_fedora-2Di...  

Hi, How do I get a client certificate + key into the mock chroot? Mock needs access to a repo which requires the client to send its certificate (nginx with ssl_verify_client on;). If I copy the certificate and key to /etc/pki/tls/{certs,private} in the bootstrap directory then the chroot picks them up and the repo is available. Is there a way to specify the client certificate + key in a config somewhere so they get picked up automatically?

Thank you (both) for your feedback. And for mock. I could not get your nor Pat's suggestion to work with a self-signed certificate and key.

So I came up with the attached patch. I'll be happy to create a PR/MR if this is something you would consider adding?

Hi Miroslav, Thank you for your feedback. On 17-11-2021 11:28, Miroslav Suchý wrote: > Dne 16. 11. 21 v 19:37 patrick+buildsys(a)laimbock.com napsal(a): >> Thank you (both) for your feedback. And for mock. I could not get your >> nor Pat's suggestion to work with a self-signed certificate and key. > > Did you updated the ca-bundle.crt? > > https://unix.stackexchange.com/a/445884/100010 I did not because AFAICT the ca-bundle is for CA certificates and not for a client (non-CA) certificate and key.

$ man update-ca-trust update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust I only see CA certificates mentioned in that manpage, not non-CA/client certificates and keys. On the host the ca-bundle.crt is public (0644) and I'd rather not put a client.key in there. IMHO this does not seem the appropriate place or mechanism for non-CA certificates. >> So I came up with the attached patch. I'll be happy to create a PR/MR >> if this is something you would consider adding? > > PR is always welcomed. But before we add something new I will want to > know why the current solution does not work. I guess it works but IMHO it's just not a proper solution to mix CAs with client certificates and keys. Best, Patrick _______________________________________________ buildsys mailing list -- buildsys(a)lists.fedoraproject.org To unsubscribe send an email to buildsys-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/buildsys@lists.fedoraprojec... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Hi Pavel, Thank you for your feedback. On 18-11-2021 10:17, Pavel Raiskup wrote: >> I did not because AFAICT the ca-bundle is for CA certificates and not >> for a client (non-CA) certificate and key. > > You can get an inspiration from rhel chroots, where also client pem files are > used for DNF (curl) to authenticate against RHEL CDN: > https://github.com/rpm-software-management/mock/blob/d081bc113e3c6af9b801... > Perhaps you can re-use that directory? Sure, I could re-use /etc/pki/entitlement for non-entitlement certificates. But why put client certs & keys in an entitlement directory when you can put them in the obvious (and IMHO correct) location? client.pem -> /etc/pki/tls/certs/ client.key -> /etc/pki/tls/private/

> Still, the public certificate should go to the bundle, I tend to agree with > @msuchy. I would agree if you were talking about a *CA* certificate? For non-CA certificates the ca-bundle is IMHO not the proper place. If on RHEL & Fedora hosts these default locations are used: CA certificates -> ca-bundle RHEL entitlements -> /etc/pki/entitlement/ Public client/server certificates -> /etc/pki/tls/certs/ Private client/server certificates -> /etc/pki/tls/private/ then isn't it logical to copy that behavior into the chroot?

Best, Patrick _______________________________________________ buildsys mailing list -- buildsys(a)lists.fedoraproject.org To unsubscribe send an email to buildsys-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/buildsys@lists.fedoraprojec... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

On 18-11-2021 14:50, Pavel Raiskup wrote: > On Thursday, November 18, 2021 1:35:29 PM CET patrick+buildsys(a)laimbock.com wrote: [snip] > You wrote that your "mock needs an access to repos". So I naturally thought > that we are talking about something like the entitlement key+cert pair (which is > quite a new thing in mock anyways, and the only chroot using that is RHEL, and > ... /etc/pkg/entitlement is not a bad place). Though .... Heh now I see your point. I was not talking about RHEL entitlements. I totally agree that /etc/pki/entitlement/ is not a bad place for RHEL repo entitlement certificates. It's a great place :-) [snip] >> If on RHEL & Fedora hosts these default locations are used: >> >> CA certificates -> ca-bundle >> RHEL entitlements -> /etc/pki/entitlement/ >> Public client/server certificates -> /etc/pki/tls/certs/ >> Private client/server certificates -> /etc/pki/tls/private/ >> >> then isn't it logical to copy that behavior into the chroot? > > ... if for any reason you can't or don't want to use that, it's OK - I think > patches are welcome, and I bet that the current mock support is really RHEL-only > oriented, meaning that smaller or bigger patch would be needed anyway ;) My use case is that some (non-RHEL) repos are private and require a client certificate to gain access. That's why I wrote the patch. Works: Mock -> public repos like Fedora & CentOS Works: Mock -> RHEL repos requiring an entitlement Works: Mock + patch -> public and private repos via cert & key in standard locations What should be different ("smaller or bigger") about the patch? I'll be happy to try.

> Happy hacking! Thanks :-) Best, Patrick _______________________________________________ buildsys mailing list -- buildsys(a)lists.fedoraproject.org To unsubscribe send an email to buildsys-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/buildsys@lists.fedoraprojec... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure