Martin Sourada wrote:
On Fri, 2008-08-22 at 10:20 -0500, Dennis Gilmore wrote:
> Effective immediately we have replaced the CA that is in use for
>
cvs.fedoraproject.org and
koji.fedoraproject.org This effects uploading to
> lookaside cache and building packages.
>
> There are some manual steps that everyone needs to do to be able to use the
> systems again.
>
> they are
> login to
https://admin.fedoraproject.org/accounts/ and click on the "Download
> a client-side certificate" link at the bottom of the home page. save the
> output to ~/.fedora.cert
>
> rm ~/.fedora-server-ca.cert ~/.fedora-upload-ca.cert
> fedora-packager-setup
>
> then open your browser got to Edit -> Preferences -> Advanced -> Encryption
->
> View Certificates -> Your Certificates
>
> Select your existing Certificate and remove it
> then import the new one from ~/fedora-browser-cert.p12 you will be able to
> log in to koji
>
>
I did this and I am still not able to log in to koji (trying with epiphany and firefox).
This error pops out:
Secure Connection Failed
An error occurred during a connection to
koji.fedoraproject.org.
Peer does not recognize and trust the CA that issued your certificate.
(Error code: ssl_error_unknown_ca_alert)
The page you are trying to view can not be shown because the
authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem.
Is it me, or is it koji problem?
Thanks,
Martin
Parts of the Fedora infrastructure do not use certificates issued by a
CA already trusted by Firefox, but from Fedora's own certificate authority.
If you decide to trust Fedora to issue certificates that can identify
web sites, you could decide to import that CA cert to your set of
trusted roots.
You could go to
https://admin.fedoraproject.org/fingerprints and install
the CA certificate available from the bottom of that page.
(Unfortunately the mime type currently is not application/x-x509-ca-cert
so you have to safe that file, and then open it, you might even have to
go to certificate manager and open the authorities tab, then import from
there.)
You can confirm the origin of the certificate by comparing the
fingerprint presented by Firefox with the one listed on the fingerprints
page (at least you'll know that the fingerprints page and the CA are
controlled by the same people).
Hope that helps,
Kai