On Wed, Apr 18, 2012 at 10:51:47PM +0200, 686f6c6d wrote:
On Wed, Apr 4, 2012 at 16:19, Dominig ar Foll (Intel OTC) <dominig.arfoll@fridu.net> wrote:
Hello,
having just updated to OBS 1.3, my API is now running under https (not a bad idea). I have created a PRIVATE certificate following the README. [...]
----------------------
I see that with osc (version 0.134.1) if the privately signed certificate is created with a Common Name (CN) which is not the server name, osc refuses to chat with the API. [...]
That is very strange as it seems that when the certificate with an official root, the common name is not critical.
Any clue how to overcome that issue?
I haven't looked into this recently, but I think the problem sits deeper and has nothing to do with the CN, but with the fact that the CA of your self-signed certificate is untrusted. AFAIK osc uses m2crypto for SSL and in theory m2crypto can be told to trust your CA (that's what the internet says, at least), but I was unable to find out (from the m2crypto docs and code and the osc code): a) what dotfile I have to create for m2crypto; b) what data and format exactly has to go into there; c) if osc supports this as-is.
Given the fact that creating a self-signed certificate is part of README.SETUP, I strongly agree that this should be documented and/or fixed. AFAICT, the docs as they're now are only useful if you avoid SSL altogether or have a trusted CA.
osc asks to store such a certificate in its local cert store when it is not signed by any of the known root-CAs. However, it needs to fulfil some basic requirements like a matching hostname ;)

Ciao, Marcus
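
The two separate checks discussed in this thread (is the certificate trusted, and does its name match the host being contacted), shown as an added example with the `openssl` command line. This is not osc or m2crypto code, and the hostnames and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not osc or m2crypto code. Hostnames are constructed placeholders.

# Create a throwaway self-signed certificate. $1 = Common Name, $2 = file prefix.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Check 1, trust: does the chain end in a certificate we trust?
# $1 = certificate, $2 = optional file of extra trusted certificates
# (standing in for a client's local certificate store).
is_trusted() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Check 2, identity: does the certificate name the host we are connecting to?
# With no subjectAltName present, openssl compares against the CN.
matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# A client accepts the server only when both checks pass.
# $1 = certificate, $2 = trusted-certificate file (may be empty), $3 = hostname
accept() {
    is_trusted "$1" "$2" && matches_host "$1" "$3"
}

# Demo: one certificate, reached under two names, with and without local trust.
dir=$(mktemp -d)
make_cert obs.example.test "$dir/api"
for host in obs.example.test build01.example.test; do
    for store in "" "$dir/api.crt"; do
        if accept "$dir/api.crt" "$store" "$host"; then verdict=accepted; else verdict=rejected; fi
        echo "host=$host trusted_store=${store:-none} -> $verdict"
    done
done
rm -rf "$dir"
```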