Mailinglist Archive: opensuse-buildservice (205 mails)

< Previous Next >
Re: [opensuse-buildservice] OBS 1.3 Privately signed certificate and osc
On Wed, Apr 4, 2012 at 16:19, Dominig ar Foll (Intel OTC)
<dominig.arfoll@xxxxxxxxx> wrote:

having just updated to OBS 1.3, my API is now running under https (not a
bad idea).
I have created a PRIVATE certificate following the README.
I see that with osc (version 0.134.1)

if the privately signed certificate is create with a Common Name (CN)
which is not the server name, osc refuses to chat with the API. [...]

That is very strange as it seems that when the certificate with an
official root, the common name is not critical.

Any clue how to overcome that issue ?

I haven't looked into this recently, but I think the problem sits
deeper and has nothing to do with the CN, but with the fact that the
CA of your selfsigned certificate is untrusted.
AFAIK osc uses m2crypto for SSL and in theory m2crypto can be told to
trust your CA (that's what the internet says, at least), but I was
unable to find out (from the m2crypto docs and code and the osc code):
a) what dotfile I have to create for m2crypto;
b) what data and format exactly has to go into there;
c) if osc supports this as-is.

Given the fact that creating a selfsigned certificate is part of
README.SETUP, I strongly agree that this should be documented and/or
AFAICT, the docs as they're now are only useful if you avoid SSL
altogether or have a trusted CA.

Kind regards
    686f6c6d / Christopher 'm4z' Holm
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >