another issue to fix with the FAS2 switch: Kojis ssl certificate

Till Maas opensource at till.name
Tue Mar 11 20:52:13 UTC 2008


On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:
> > Hiyas,
> >
> > now that everyone needs to change his password, can we now also deploy
> > the new certifcate for koji? This will make it possible to verify whether
> > or not one can trust the certificate for koji and the ticket[1] is now 7
> > months old, i.e. about a full Fedora release cycle. Therefore I guess
> > there won't be a better time than now.
> >
> > Regards,
> > Till
> >
> > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
>
> No,  Because it will break user certs.  To make it work would require that
> users all get entirely new server cert files.  We need to redo our entire
> CA system.  We also need to consider  the ramifications for Secondary
> arches, deploying a new CA  would require each and every Secondary arch to
> purchase a cert from the same CA.  or somebody to purchase a cert that
> covered *.koji.fedoraproject.org from the same CA.
>
> we are looking at deploying the hub on a separate box from the frontend
> which would allow us to do what you are wanting  but would not look after
> secondary arches.

How about making the hub (I assume this is only used by automated processes 
and not manually) listen on a different port than 443? Then the web interface 
could use the new well know certificate. The automated processes the internal 
ones, where imho using a own ca does not hurt. Also using a different port 
should be only a matter of configuring it once.
The secondary arch instances could then use a cacert[0] certificate, which are 
free and are trusted by some browsers already for the web interface.

> We currently use 2 different CA's in our setup.  One that is used only for
> user certs and one that is used  for the builders and frontend.   I would
> like to move to a new Single CA setup.  In this world  when you import your
> fedora user cert for browser authentication you would automatically
> recognise the CA.  though this would only be valid for Fedora contributors.

Is this only about Koji or Fedoraprojet in general? Imho it is better to use a 
well known CA for the frontend (website) and an own one for internal stuff 
instead of using an own one for everything.

Regards,
Till

[0] https://cacert.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20080311/3f7dc725/attachment.bin 


More information about the infrastructure mailing list