List:       fedora-buildsys-list
Subject:    kojira won't start ssl cert verify fails
From:       Noah_Rømer <baronmog () gmail ! com>
Date:       2016-06-06 17:59:06
Message-ID: CA+7fRCxWAcM7Nzir6YLPkJ=x4trVsyUxKaC-GpJq8fUYnteOrg () mail ! gmail ! com
Trying to get kojira to start up, with a new cert (using the instructions
for a self-hosted CA on the koji server). Koji version 1.9.0-5 on a CentOS
6.6 box. I get the following error:

Traceback (most recent call last):
  File "/usr/sbin/kojira", line 743, in <module>
    session.ssl_login(options.cert, options.ca, options.serverca)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1729, in ssl_login
    sinfo = self.callMethod('sslLogin', proxyuser)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1778, in callMethod
    return self._callMethod(name, args, opts)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1898, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1809, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1827, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 759, in send
    self.sock.sendall(str)
  File "/usr/lib/python2.6/site-packages/koji/ssl/SSLConnection.py", line 108, in sendall
    sent = con.send(data, flags)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

If I run openssl from the command line, to verify the cert, it succeeds:

# openssl verify -CAfile /etc/pki/koji/koji_ca_cert.crt /etc/pki/koji/certs/kojira.cer

/etc/pki/koji/certs/kojira.cer: OK

The cert in question is SHA256/RSA4096 (matching the params of the certs
we've previously used).

-- 
Squirrels are the lunatic teenagers of the animal kingdom.
