Mailinglist Archive: opensuse-buildservice (272 mails)

Re: [opensuse-buildservice] OBS 1.3 Privately signed certificate and osc
  • From: "Bernhard M. Wiedemann" <bernhardout@xxxxxxxx>
  • Date: Thu, 19 Apr 2012 06:51:16 +0200
  • Message-id: <4F8F99C4.9050603@lsmod.de>

On 18.04.2012 22:51, 686f6c6d wrote:
> On Wed, Apr 4, 2012 at 16:19, Dominig ar Foll (Intel OTC)
> <dominig.arfoll@xxxxxxxxx> wrote:
>> Hello,
>>
>> having just updated to OBS 1.3, my API is now running under https
>> (not a bad idea). I have created a PRIVATE certificate following
>> the README. [...]
>> ----------------------
>> I see that with osc (version 0.134.1)
>>
>> if the privately signed certificate is created with a Common Name
>> (CN) which is not the server name, osc refuses to chat with the
>> API. [...]
>>
>> That is very strange as it seems that when the certificate with
>> an official root, the common name is not critical.
>>
>> Any clue how to overcome that issue?
>
> I haven't looked into this recently, but I think the problem sits
> deeper and has nothing to do with the CN, but with the fact that
> the CA of your self-signed certificate is untrusted. AFAIK osc uses
> m2crypto for SSL and in theory m2crypto can be told to trust your
> CA (that's what the internet says, at least), but I was unable to
> find out (from the m2crypto docs and code and the osc code): a)
> what dotfile I have to create for m2crypto; b) what data and format
> exactly has to go into there; c) if osc supports this as-is.
>
>
> Given the fact that creating a self-signed certificate is part of
> README.SETUP, I strongly agree that this should be documented
> and/or fixed. AFAICT, the docs as they're now are only useful if
> you avoid SSL altogether or have a trusted CA.

I would guess that m2crypto uses the system's CA storage in
/etc/ssl/certs/

so you could do with your private CA the equivalent of

    zypper install ca-certificates-cacert

I agree, this should be part of the documentation.

Ciao
Bernhard M.
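
The thread names two possible causes for the refusal (a CN that is not the server name, and an untrusted private CA) and a hashed CA directory such as /etc/ssl/certs/. The script below is an added example, not code from any poster or from osc/m2crypto: it uses the `openssl` command line to show each cause on its own. The host names, subject names and file names are constructed, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Constructed demo: host names, subject names and file names are assumptions.

make_pki() {    # $1 = work dir: private CA plus a server cert, CN=obs.example.test
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo private OBS CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=obs.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/srv.pem" 2>/dev/null
}

trust_ca() {    # $1 = work dir: add the CA to the hashed directory
    # OpenSSL finds issuers in a CApath directory by <subject-hash>.0
    h=$(openssl x509 -in "$1/ca.pem" -noout -hash)
    cp "$1/ca.pem" "$1/certs/demo-ca.pem"
    ln -sf demo-ca.pem "$1/certs/$h.0"
}

check() {       # $1 = work dir, $2 = host name the client asked for
    openssl verify -CApath "$1/certs" -verify_hostname "$2" \
        "$1/srv.pem" 2>&1 | grep -q ': OK$'
}

report() { if check "$1" "$2"; then echo "$3: accepted"; else echo "$3: rejected"; fi; }

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d"
    report "$d" obs.example.test   "CA not trusted, name matches"
    trust_ca "$d"
    report "$d" obs.example.test   "CA trusted, name matches"
    report "$d" other.example.test "CA trusted, name differs"
    rm -rf "$d"
}
demo
```

Only the middle case is accepted: the chain check and the name check are independent, and both have to pass. The demo certificate has no subjectAltName, so OpenSSL falls back to the CN for the name check.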
