Mailinglist Archive: opensuse-buildservice (244 mails)
Re: [opensuse-buildservice] OBS 1.3 Privately signed certificate and osc
On Sun, Apr 22, 2012 at 2:42 AM, 686f6c6d <686f6c6d@xxxxxxxxxxxxxx> wrote:
On Thu, Apr 19, 2012 at 08:23, Marcus Meissner <meissner@xxxxxxx> wrote:

osc asks to store such a certificate in its local cert store when
it is not signed by any of the known root-CAs.

Ah, thank you very much!
With a reasonably current version of osc (verified with 0.132.5 and
0.134.1) this works indeed (the certificate will be stored in
When I last tested this back around December, osc just tracebacked on
me and I had to look into the m2crypto error message to find out that
the communication failed because the certificate was untrusted
(although I'm unsure what the precise SSL error was).

However it needs to fulfil some basic requirements like a matching
hostname ;)

Yes that's true, my point was it failed *before* the hostname check
for me, and I assumed it was still unfixed. Should have checked first,
but I don't set up new OBSs that often. (;

On Thu, Apr 19, 2012 at 10:08, Adrian Schröter <adrian@xxxxxxx> wrote:
On Wednesday, 18 April 2012, 22:51:47, 686f6c6d wrote:
Given the fact that creating a selfsigned certificate is part of
README.SETUP, I strongly agree that this should be documented and/or
AFAICT, the docs as they're now are only useful if you avoid SSL
altogether or have a trusted CA.

since osc and web browsers usually do store the initial CA it is still
useful to detect attacks later.

I think an explanation how to create official CA's is too much for our
docs, but we could add a link how to proceed on that.

Sorry, I didn't make myself clear. What I meant was that it should be
possible to use osc with a selfsigned certificate, which obviously
works now. (A documentation pointer on how to get m2crypto or the
whole oS to trust the certificate would be nice, but isn't what I
meant. I just wanted osc to work for the newbie -- me -- that installs
from the official docs.)

To follow up on this: We just had a problem where the DNS name
temporarily did *not* match the reverse lookup and we were unable to
change it (being pressed for time as usual) because changing the
certificates of the whole shebang would have taken too long, so we
decided to whip out the torture devices to make m2crypto/osc do as we
please. My colleague who did the digging found the already existing,
undocumented option "sslcertck" in
/usr/lib/python2.7/site-packages/osc/ (that file is worth a

So, to disable m2crypto SSL verification in osc -- if you know what
you are doing --, set "sslcertck = 0" in your .oscrc config file.

Kind regards
    686f6c6d / Christopher 'm4z' Holm
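
An added example, not part of the original mail or of osc itself: a small audit that flags .oscrc sections where certificate checking has been switched off with the "sslcertck" option mentioned above. The sample config and its hostnames are constructed, and scanning every section is an assumption, since the mail does not say where the option may appear.

```python
import configparser

# Constructed sample .oscrc content; hostnames are placeholders.
SAMPLE_OSCRC = """\
[general]
apiurl = https://obs.example.internal

[https://obs.example.internal]
user = builder
sslcertck = 0

[https://api.example.org]
user = builder
sslcertck = 1

[https://staging.example.internal]
user = builder
sslcertck = maybe
"""


def find_disabled_cert_checks(oscrc_text):
    """Return (section, raw_value, status) for every section whose
    sslcertck value is not an enabled boolean.

    status is "disabled" for a false value and "unparseable" for a value
    that is not a recognisable boolean and needs manual review.
    """
    # interpolation=None: stored values may contain '%' characters.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(oscrc_text)
    findings = []
    for section in parser.sections():
        if not parser.has_option(section, "sslcertck"):
            continue
        raw = parser.get(section, "sslcertck")
        try:
            enabled = parser.getboolean(section, "sslcertck")
        except ValueError:
            findings.append((section, raw, "unparseable"))
            continue
        if not enabled:
            findings.append((section, raw, "disabled"))
    return findings


if __name__ == "__main__":
    for section, raw, status in find_disabled_cert_checks(SAMPLE_OSCRC):
        print(f"[{section}] sslcertck = {raw} -> {status}")
```

Running this over the config files on build hosts and developer machines shows where a temporary "sslcertck = 0" workaround was left in place after the certificate or DNS problem was fixed.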