-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 18.04.2012 22:51, schrieb 686f6c6d:
On Wed, Apr 4, 2012 at 16:19, Dominig ar Foll (Intel OTC) <dominig.arfoll@fridu.net> wrote:
Hello,
having just updated to OBS 1.3, my API is now running under https (not a bad idea). I have created a PRIVATE certificate following the README. [...] ---------------------- I see that with osc (version 0.134.1)
if the privately signed certificate is create with a Common Name (CN) which is not the server name, osc refuses to chat with the API. [...]
That is very strange as it seems that when the certificate with an official root, the common name is not critical.
Any clue how to overcome that issue ?
I haven't looked into this recently, but I think the problem sits deeper and has nothing to do with the CN, but with the fact that the CA of your selfsigned certificate is untrusted. AFAIK osc uses m2crypto for SSL and in theory m2crypto can be told to trust your CA (that's what the internet says, at least), but I was unable to find out (from the m2crypto docs and code and the osc code): a) what dotfile I have to create for m2crypto; b) what data and format exactly has to go into there; c) if osc supports this as-is.
Given the fact that creating a selfsigned certificate is part of README.SETUP, I strongly agree that this should be documented and/or fixed. AFAICT, the docs as they're now are only useful if you avoid SSL altogether or have a trusted CA.
I would guess, that m2crypto uses the system's CA storage in /etc/ssl/certs/ so you could do with your private CA the equivalent of zypper install ca-certificates-cacert I agree, this should be part of the documentation Ciao Bernhard M. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+PmcQACgkQSTYLOx37oWTyMQCg5oTHTJ7kB/PAD1KsA1dh/t8K TZIAnRRKhINSgC+26Jc+C2mJW+M6xhYe =fSOk -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org