another issue to fix with the FAS2 switch: Kojis ssl certificate

Mike McGrath mmcgrath at redhat.com
Tue Mar 11 21:21:36 UTC 2008 

On Tue, 11 Mar 2008, Mike Bonnet wrote:

> On Tue, 2008-03-11 at 21:52 +0100, Till Maas wrote:
> > On Tue March 11 2008, Dennis Gilmore wrote:
> > > On Tuesday 11 March 2008, Till Maas wrote:
> > > > Hiyas,
> > > >
> > > > now that everyone needs to change his password, can we now also deploy
> > > > the new certifcate for koji? This will make it possible to verify whether
> > > > or not one can trust the certificate for koji and the ticket[1] is now 7
> > > > months old, i.e. about a full Fedora release cycle. Therefore I guess
> > > > there won't be a better time than now.
> > > >
> > > > Regards,
> > > > Till
> > > >
> > > > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
> > >
> > > No,  Because it will break user certs.  To make it work would require that
> > > users all get entirely new server cert files.  We need to redo our entire
> > > CA system.  We also need to consider  the ramifications for Secondary
> > > arches, deploying a new CA  would require each and every Secondary arch to
> > > purchase a cert from the same CA.  or somebody to purchase a cert that
> > > covered *.koji.fedoraproject.org from the same CA.
> > >
> > > we are looking at deploying the hub on a separate box from the frontend
> > > which would allow us to do what you are wanting  but would not look after
> > > secondary arches.
> >
> > How about making the hub (I assume this is only used by automated processes
> > and not manually) listen on a different port than 443? Then the web interface
> > could use the new well know certificate. The automated processes the internal
> > ones, where imho using a own ca does not hurt. Also using a different port
> > should be only a matter of configuring it once.
> > The secondary arch instances could then use a cacert[0] certificate, which are
> > free and are trusted by some browsers already for the web interface.
>
> The Koji cli communicates with the hub for all operations, so it would
> require everyone to update their Koji config.  In addition, I'm sure
> running ssl on a non-standard port would mess with some people's
> proxy/firewall setups.  I don't think this is the best solution.
>

It's really not that we don't want to do this.  It's a lot of work with
high potential for breakage and annoyance to everyone and the benefit to most
people is unclear.

	-Mike

More information about the infrastructure mailing list