another issue to fix with the FAS2 switch: Kojis ssl certificate
Till Maas
opensource at till.name
Wed Mar 12 10:26:28 UTC 2008
On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:
> > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
>
> No, because it will break user certs. To make it work would require that
> users all get entirely new server cert files. We need to redo our entire

Making the user adjust his koji config for this is afaics unavoidable, except
when nothing is changed. To make future transitions easier, the CA could be
bundled into the fedora-packager package, so that the CA is updated
automatically when needed.

> CA system. We also need to consider the ramifications for Secondary
> arches, deploying a new CA would require each and every Secondary arch to
> purchase a cert from the same CA, or somebody to purchase a cert that
> covered *.koji.fedoraproject.org from the same CA.

I do not see a reason for this; what needs this? According to the
pyOpenSSL manual [1] the koji client can load several CA files to authenticate
the server certificate, because the pem file that is loaded with
load_client_ca can contain several certificates, e.g. the current one and the
Equifax one.

Regards,
Till

[1] http://pyopenssl.sourceforge.net/pyOpenSSL.ps
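
The multi-CA PEM file discussed in the message above, shown as an added example that is not part of the original message and is not Koji's own code. It uses the `openssl` command-line tool rather than pyOpenSSL, and every CA, host name and file name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: all keys, certificates and names are generated here as
# stand-ins; none of them is Fedora's or Koji's real material.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a leaf certificate: $1 = file prefix, $2 = common name, $3 = CA prefix.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 30 -CA "$WORK/$3.pem" \
        -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Print "trusted" or "rejected" for certificate $2 checked against CA file $1.
check_cert() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
    then echo trusted; else echo rejected; fi
}

make_ca old-ca "Constructed Old CA"
make_ca new-ca "Constructed New CA"
issue_cert hub-old "hub.example.test" old-ca   # server cert before the switch
issue_cert hub-new "hub.example.test" new-ca   # server cert after the switch

# The transition bundle: both CA certificates concatenated in one PEM file.
cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/bundle.pem"

# A client holding only one CA rejects the other server cert; the bundle
# accepts both, so the client keeps working across the switch.
for ca in old-ca new-ca bundle; do
    for cert in hub-old hub-new; do
        echo "$ca -> $cert: $(check_cert "$ca" "$cert")"
    done
done
```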