another issue to fix with the FAS2 switch: Kojis ssl certificate
Mike McGrath
mmcgrath at redhat.com
Tue Mar 11 21:34:45 UTC 2008
On Tue, 11 Mar 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:
> > On Tue March 11 2008, Dennis Gilmore wrote:
> > > On Tuesday 11 March 2008, Till Maas wrote:
> > > > Hiyas,
> > > >
> > > > now that everyone needs to change his password, can we now also deploy
> > > > the new certifcate for koji? This will make it possible to verify
> > > > whether or not one can trust the certificate for koji and the ticket[1]
> > > > is now 7 months old, i.e. about a full Fedora release cycle. Therefore
> > > > I guess there won't be a better time than now.
> > > >
> > > > Regards,
> > > > Till
> > > >
> > > > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
> > >
> > > No, Because it will break user certs. To make it work would require
> > > that users all get entirely new server cert files. We need to redo our
> > > entire CA system. We also need to consider the ramifications for
> > > Secondary arches, deploying a new CA would require each and every
> > > Secondary arch to purchase a cert from the same CA. or somebody to
> > > purchase a cert that covered *.koji.fedoraproject.org from the same CA.
> > >
> > > we are looking at deploying the hub on a separate box from the frontend
> > > which would allow us to do what you are wanting but would not look after
> > > secondary arches.
> >
> > How about making the hub (I assume this is only used by automated processes
> > and not manually) listen on a different port than 443? Then the web
> > interface could use the new well know certificate. The automated processes
> > the internal ones, where imho using a own ca does not hurt. Also using a
> > different port should be only a matter of configuring it once.
> > The secondary arch instances could then use a cacert[0] certificate, which
> > are free and are trusted by some browsers already for the web interface.
>
> if we use CACert we would have ship it in the browsers we supply. currently
> no browser shipped with fedora does and if we did such we would use it for
> all services. and would require changes to all users koji configs. people
> who are not using fedora would be in the same situation as they are now.
> AFAIK only CentOS ships browsers with CACerts root cert.
>
Side note about this, I'm pretty sure if we do it we can't call "firefox"
"firefox" anymore.
-Mike
More information about the infrastructure
mailing list