07-16-2008, 03:06 AM
Linul

Koji CLI Auth problem

Hi:

I'm using CentOS 5.2 for my Koji Server, but now I have a problem with Koji CLI auth.

According to the wiki document at http://fedoraproject.org/wiki/Koji/ServerHowTo , I set up my Koji-hub, Koji-web, and postgresql, and have a koji web interface.

I also set up my CA Center, and configured kojiweb.conf, kojihub.conf, and /etc/koji.conf.

But when I execute the koji command with no username and password, the message is:


Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

why?

thanks.....


/etc/koji.conf:

[koji]

;configuration for koji cli tool

;url of XMLRPC server
;server = http://koji.fedoraproject.org/kojihub
server = http://koji.ossii.com.tw/kojihub

;url of web interface
;weburl = http://koji.fedoraproject.org/koji
weburl = http://koji.ossii.com.tw/koji

;url of package download site
;pkgurl = http://koji.fedoraproject.org/packages
pkgurl = http://koji.ossii.com.tw/packages

;path to the koji top directory
topdir = /mnt/koji

;configuration for SSL authentication

;client certificate
;cert = ~/.fedora.cert
cert = /etc/kojid/kojiadmin.crt

;certificate of the CA that issued the client certificate
;ca = ~/.fedora-upload-ca.cert
ca = /etc/kojid/kojiadmin.key

;certificate of the CA that issued the HTTP server certificate
;serverca = ~/.fedora-server-ca.cert
serverca = /etc/httpd/conf.d/ssl/ossiikojica.crt


kojihub.conf:

<Directory /usr/share/koji-hub>
    SetHandler mod_python
    PythonHandler kojixmlrpc
    PythonOption DBName koji
    PythonOption DBUser kevin
    PythonOption DBHost 127.0.0.1
    PythonOption KojiDir /mnt/koji

    # Kerberos auth configuration
    # PythonOption AuthPrincipal kojihub@EXAMPLE.COM
    # PythonOption AuthKeytab /etc/koji.keytab
    # PythonOption ProxyPrincipals kojihub@EXAMPLE.COM
    # format string for host principals (%s = hostname)
    # PythonOption HostPrincipalFormat compile/%s@EXAMPLE.COM
    # end Kerberos auth configuration

    # SSL client certificate auth configuration
    # the client username is the common name of the subject of their client certificate
    PythonOption DNUsernameComponent CN
    # separate multiple DNs with |
    # PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com"
    PythonOption ProxyDNs "/C=TW/ST=Taiwan/O=OSSII/OU=Koji Hub Server/CN=OSSII Koji Server CA/emailAddress=kevin.lin@ossii.com.tw"
    # end SSL client certificate auth configuration

    PythonOption LoginCreatesUser On
    PythonOption KojiWebURL http://koji.ossii.com.tw/koji

    # The domain name that will be appended to Koji usernames
    # when creating email notifications
    PythonOption EmailDomain example.com
    # PythonOption KojiDebug On
    # PythonOption KojiTraceback "extended"
    # sending tracebacks to the client isn't very helpful for debugging xmlrpc
    PythonDebug Off
    # autoreload is mostly useless to us (it would only reload kojixmlrpc.py)
    PythonAutoReload Off
</Directory>

# uncomment this to enable authentication via SSL client certificates
<Location /kojihub>
    SSLOptions +StdEnvVars
</Location>
# these options must be enabled globally (in ssl.conf)
SSLVerifyClient require
SSLVerifyDepth 10

kojiweb.conf:

Alias /koji "/usr/share/koji-web/scripts/"

<Directory "/usr/share/koji-web/scripts/">
    # Config for the publisher handler
    SetHandler mod_python
    PythonHandler mod_python.publisher

    # General settings
    PythonDebug On
    PythonOption KojiHubURL http://koji.ossii.com.tw/kojihub
    PythonOption KojiWebURL http://koji.ossii.com.tw/koji
    PythonOption KojiPackagesURL http://koji.ossii.com.tw/koji/packages
    PythonOption WebPrincipal koji/kevin.lin@ossii.com.tw
    PythonOption WebKeytab /etc/httpd.keytab
    PythonOption WebCCache /var/tmp/kojiweb.ccache
    PythonOption WebCert /etc/httpd/conf.d/ssl/kojiweb.crt
    PythonOption ClientCA /etc/httpd/conf.d/ssl/kojiweb.key
    PythonOption KojiHubCA /etc/httpd/conf.d/ssl/ossiikojica.crt
    PythonOption LoginTimeout 72
    # This must be changed before deployment
    PythonOption Secret CHANGE_ME
    PythonPath "sys.path + ['/usr/share/koji-web/lib']"
    PythonCleanupHandler kojiweb.handlers::cleanup
    PythonAutoReload Off
</Directory>
<Location /koji/login>
    SSLOptions +StdEnvVars
</Location>
# these options must be enabled globally (in ssl.conf)
SSLVerifyClient require
SSLVerifyDepth 10

Alias /koji-static/ "/usr/share/koji-web/static/"

<Directory "/usr/share/koji-web/static/">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

ssl.conf

SSLCertificateFile /etc/httpd/conf.d/ssl/kojihub.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/kojihub.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/ossiikojica.crt
SSLVerifyClient require
SSLVerifyDepth 10



--
=============================================================================

林毓能
Linul
RedHat Certified Engineer

TsLG Network Studio: http://www.tslg.idv.tw
TsLG City Afternoon: http://blog.tslg.idv.tw
Linul Photo Documentary: http://photo.tslg.idv.tw

Mobile: 0939797462
E-mail : kevin.linul@gmail.com; linul@tslg.idv.tw
=============================================================================

--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
 
07-16-2008, 01:29 PM
Mike Bonnet

Koji CLI Auth problem

On Wed, 2008-07-16 at 11:06 +0800, Linul wrote:
> Hi:
>
> I'm using CentOS 5.2 for my Koji Server, but now I have a problem
> with Koji CLI auth.
>
> According to the wiki document at
> http://fedoraproject.org/wiki/Koji/ServerHowTo , I set up my Koji-hub,
> Koji-web, and postgresql, and have a koji web interface.
>
> I also set up my CA Center, and configured kojiweb.conf,
> kojihub.conf, and /etc/koji.conf.
>
> But when I execute the koji command with no username and password, the
> message is:
>
> Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL
> routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

Your client certificate file (indicated by "cert" in the config file)
needs to contain both the certificate and private key. Your private key
is missing.

> why?
>
> thanks.....
>
>
> /etc/koji.conf:
>
> [koji]
>
> ;configuration for koji cli tool
>
> ;url of XMLRPC server
> ;server = http://koji.fedoraproject.org/kojihub
> server = http://koji.ossii.com.tw/kojihub
>
> ;url of web interface
> ;weburl = http://koji.fedoraproject.org/koji
> weburl = http://koji.ossii.com.tw/koji
>
> ;url of package download site
> ;pkgurl = http://koji.fedoraproject.org/packages
> pkgurl = http://koji.ossii.com.tw/packages
>
> ;path to the koji top directory
> topdir = /mnt/koji
>
> ;configuration for SSL authentication
>
> ;client certificate
> ;cert = ~/.fedora.cert
> cert = /etc/kojid/kojiadmin.crt
>
> ;certificate of the CA that issued the client certificate
> ;ca = ~/.fedora-upload-ca.cert
> ca = /etc/kojid/kojiadmin.key
>
> ;certificate of the CA that issued the HTTP server certificate
> ;serverca = ~/.fedora-server-ca.cert
> serverca = /etc/httpd/conf.d/ssl/ossiikojica.crt
>
>
> kojihub.conf:
>
> <Directory /usr/share/koji-hub>
> SetHandler mod_python
> PythonHandler kojixmlrpc
> PythonOption DBName koji
> PythonOption DBUser kevin
> PythonOption DBHost 127.0.0.1
> PythonOption KojiDir /mnt/koji
>
> # Kerberos auth configuration
> # PythonOption AuthPrincipal kojihub@EXAMPLE.COM
> # PythonOption AuthKeytab /etc/koji.keytab
> # PythonOption ProxyPrincipals kojihub@EXAMPLE.COM
> # format string for host principals (%s = hostname)
> # PythonOption HostPrincipalFormat compile/%s@EXAMPLE.COM
> # end Kerberos auth configuration
>
> # SSL client certificate auth configuration
> # the client username is the common name of the subject of
> their client certificate
> PythonOption DNUsernameComponent CN
> # separate multiple DNs with |
> # PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example
> Org/OU=Example User/CN=example/emailAddress=example@example.com"
> PythonOption ProxyDNs "/C=TW/ST=Taiwan/O=OSSII/OU=Koji Hub
> Server/CN=OSSII Koji Server CA/emailAddress=kevin.lin@ossii.com.tw"
> # end SSL client certificate auth configuration
>
> PythonOption LoginCreatesUser On
> PythonOption KojiWebURL http://koji.ossii.com.tw/koji
>
> # The domain name that will be appended to Koji usernames
> # when creating email notifications
> PythonOption EmailDomain example.com
> # PythonOption KojiDebug On
> # PythonOption KojiTraceback "extended"
> # sending tracebacks to the client isn't very helpful for
> debugging xmlrpc
> PythonDebug Off
> # autoreload is mostly useless to us (it would only reload
> kojixmlrpc.py)
> PythonAutoReload Off
> </Directory>
>
> # uncomment this to enable authentication via SSL client certificates
> <Location /kojihub>
> SSLOptions +StdEnvVars
> </Location>
> # these options must be enabled globally (in ssl.conf)
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> kojiweb.conf:
>
> Alias /koji "/usr/share/koji-web/scripts/"
>
> <Directory "/usr/share/koji-web/scripts/">
> # Config for the publisher handler
> SetHandler mod_python
> PythonHandler mod_python.publisher
>
> # General settings
> PythonDebug On
> PythonOption KojiHubURL http://koji.ossii.com.tw/kojihub
> PythonOption KojiWebURL http://koji.ossii.com.tw/koji
> PythonOption KojiPackagesURL
> http://koji.ossii.com.tw/koji/packages
> PythonOption WebPrincipal koji/kevin.lin@ossii.com.tw
> PythonOption WebKeytab /etc/httpd.keytab
> PythonOption WebCCache /var/tmp/kojiweb.ccache
> PythonOption WebCert /etc/httpd/conf.d/ssl/kojiweb.crt
> PythonOption ClientCA /etc/httpd/conf.d/ssl/kojiweb.key
> PythonOption KojiHubCA /etc/httpd/conf.d/ssl/ossiikojica.crt
> PythonOption LoginTimeout 72
> # This must be changed before deployment
> PythonOption Secret CHANGE_ME
> PythonPath "sys.path + ['/usr/share/koji-web/lib']"
> PythonCleanupHandler kojiweb.handlers::cleanup
> PythonAutoReload Off
> </Directory>
> <Location /koji/login>
> SSLOptions +StdEnvVars
> </Location>
> # these options must be enabled globally (in ssl.conf)
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> Alias /koji-static/ "/usr/share/koji-web/static/"
>
> <Directory "/usr/share/koji-web/static/">
> Options None
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>
> ssl.conf
>
> SSLCertificateFile /etc/httpd/conf.d/ssl/kojihub.crt
> SSLCertificateKeyFile /etc/httpd/conf.d/ssl/kojihub.key
> SSLCACertificateFile /etc/httpd/conf.d/ssl/ossiikojica.crt
> SSLVerifyClient require
> SSLVerifyDepth 10
>
>
>
>
> --
> =============================================================================
> 林毓能
> Linul
> RedHat Certified Engineer
>
> TsLG Network Studio: http://www.tslg.idv.tw
> TsLG City Afternoon: http://blog.tslg.idv.tw
> Linul Photo Documentary: http://photo.tslg.idv.tw
> Mobile: 0939797462
> E-mail : kevin.linul@gmail.com; linul@tslg.idv.tw
> =============================================================================
> --
> Fedora-buildsys-list mailing list
> Fedora-buildsys-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-buildsys-list

--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
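
The requirement stated in the reply above ("cert" must hold both the certificate and the private key), together with the comments in the posted koji.conf (ca and serverca are CA certificates), as an added example that is not code from the thread or from Koji: a Python check that reads the [koji] section and reports which PEM block kinds each referenced file lacks or should not contain. The file names, the demo() helper and the placeholder PEM bodies are constructed for the demonstration.

```python
import configparser
import os
import re
import tempfile

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

# PEM block kinds each [koji] option needs: "cert" per the reply above,
# "ca"/"serverca" per the comments in the posted koji.conf.
EXPECTED = {
    "cert": {"CERTIFICATE", "PRIVATE KEY"},
    "ca": {"CERTIFICATE"},
    "serverca": {"CERTIFICATE"},
}

def pem_kinds(path):
    """Set of PEM block kinds in a file; RSA/EC/ENCRYPTED keys fold to PRIVATE KEY."""
    with open(path, encoding="ascii", errors="replace") as fh:
        labels = PEM_BEGIN.findall(fh.read())
    return {"PRIVATE KEY" if lab.endswith("PRIVATE KEY") else lab for lab in labels}

def audit(conf_path):
    """Map option -> (missing kinds, unexpected kinds) for the [koji] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(conf_path)
    report = {}
    for opt, want in EXPECTED.items():
        if cp.has_option("koji", opt):
            have = pem_kinds(os.path.expanduser(cp.get("koji", opt)))
            report[opt] = (sorted(want - have), sorted(have - want))
    return report

def demo(fixed):
    """Build constructed files (placeholder bodies, not real keys) and audit them."""
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    d = tempfile.mkdtemp()
    files = {"kojiadmin.crt": cert, "kojiadmin.key": key, "ca.crt": cert,
             "kojiadmin.pem": cert + key}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    # Layout as posted vs. a corrected layout (all file names are constructed).
    c, a = ("kojiadmin.pem", "ca.crt") if fixed else ("kojiadmin.crt", "kojiadmin.key")
    conf = os.path.join(d, "koji.conf")
    with open(conf, "w") as fh:
        fh.write(f"[koji]\ncert = {d}/{c}\nca = {d}/{a}\nserverca = {d}/ca.crt\n")
    return audit(conf)

if __name__ == "__main__":
    print(demo(fixed=False))
    print(demo(fixed=True))
```

A non-empty "missing" list for cert corresponds to the 'no start line' error from SSL_CTX_use_PrivateKey_file quoted in the thread: the library looked for a private key block in that file and found none.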
 
