Old 08-22-2008, 03:20 PM
Dennis Gilmore
 
Default Fedora User Certificates

Effective immediately we have replaced the CA that is in use for
cvs.fedoraproject.org and koji.fedoraproject.org. This affects uploading to
lookaside cache and building packages.

There are some manual steps that everyone needs to do to be able to use the
systems again.

They are:
Log in to https://admin.fedoraproject.org/accounts/ and click on the "Download
a client-side certificate" link at the bottom of the home page. Save the
output to ~/.fedora.cert

rm ~/.fedora-server-ca.cert ~/.fedora-upload-ca.cert
fedora-packager-setup

Then open your browser and go to Edit -> Preferences -> Advanced -> Encryption ->
View Certificates -> Your Certificates

Select your existing certificate and remove it,
then import the new one from ~/fedora-browser-cert.p12. You will be able to
log in to koji.


* Please note that you can only have one client-side certificate at a time.
When you download a new one your old one is revoked. Please also only click
on the "Download a client-side certificate" link once, as it makes multiple
requests and revokes all the transient certs.

The CRL is at https://admin.fedoraproject.org/ca/crl.pem

Thanks for your understanding and patience.

Dennis
_______________________________________________
Fedora-devel-announce mailing list
Fedora-devel-announce@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-announce
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 08-22-2008, 06:47 PM
Martin Sourada
 
Default Fedora User Certificates

On Fri, 2008-08-22 at 10:20 -0500, Dennis Gilmore wrote:
> Effective immediately we have replaced the CA that is in use for
> cvs.fedoraproject.org and koji.fedoraproject.org. This affects uploading to
> lookaside cache and building packages.
>
> There are some manual steps that everyone needs to do to be able to use the
> systems again.
>
> They are:
> Log in to https://admin.fedoraproject.org/accounts/ and click on the "Download
> a client-side certificate" link at the bottom of the home page. Save the
> output to ~/.fedora.cert
>
> rm ~/.fedora-server-ca.cert ~/.fedora-upload-ca.cert
> fedora-packager-setup
>
> Then open your browser and go to Edit -> Preferences -> Advanced -> Encryption ->
> View Certificates -> Your Certificates
>
> Select your existing certificate and remove it,
> then import the new one from ~/fedora-browser-cert.p12. You will be able to
> log in to koji.
>
I did this and I am still not able to log in to koji (trying with epiphany and firefox). This error pops out:

Secure Connection Failed

An error occurred during a connection to koji.fedoraproject.org.

Peer does not recognize and trust the CA that issued your certificate.

(Error code: ssl_error_unknown_ca_alert)

The page you are trying to view can not be shown because the
authenticity of the received data could not be verified.

* Please contact the web site owners to inform them of this problem.

Is it me, or is it koji problem?

Thanks,
Martin
 
Old 08-22-2008, 07:04 PM
Kai Engert
 
Default Fedora User Certificates

Martin Sourada wrote:
> On Fri, 2008-08-22 at 10:20 -0500, Dennis Gilmore wrote:
> > Effective immediately we have replaced the CA that is in use for
> > cvs.fedoraproject.org and koji.fedoraproject.org. This affects uploading to
> > lookaside cache and building packages.
> >
> > There are some manual steps that everyone needs to do to be able to use the
> > systems again.
> >
> > They are:
> > Log in to https://admin.fedoraproject.org/accounts/ and click on the "Download
> > a client-side certificate" link at the bottom of the home page. Save the
> > output to ~/.fedora.cert
> >
> > rm ~/.fedora-server-ca.cert ~/.fedora-upload-ca.cert
> > fedora-packager-setup
> >
> > Then open your browser and go to Edit -> Preferences -> Advanced -> Encryption ->
> > View Certificates -> Your Certificates
> >
> > Select your existing certificate and remove it,
> > then import the new one from ~/fedora-browser-cert.p12. You will be able to
> > log in to koji.
>
> I did this and I am still not able to log in to koji (trying with epiphany and firefox). This error pops out:
>
> Secure Connection Failed
>
> An error occurred during a connection to koji.fedoraproject.org.
>
> Peer does not recognize and trust the CA that issued your certificate.
>
> (Error code: ssl_error_unknown_ca_alert)
>
> The page you are trying to view can not be shown because the
> authenticity of the received data could not be verified.
>
> * Please contact the web site owners to inform them of this problem.
>
> Is it me, or is it koji problem?
>
> Thanks,
> Martin


Parts of the Fedora infrastructure do not use certificates issued by a
CA already trusted by Firefox, but from Fedora's own certificate authority.

If you decide to trust Fedora to issue certificates that can identify
web sites, you could decide to import that CA cert to your set of
trusted roots.

You could go to https://admin.fedoraproject.org/fingerprints and install
the CA certificate available from the bottom of that page.

(Unfortunately the mime type currently is not application/x-x509-ca-cert
so you have to save that file, and then open it; you might even have to
go to certificate manager and open the authorities tab, then import from
there.)

You can confirm the origin of the certificate by comparing the
fingerprint presented by Firefox with the one listed on the fingerprints
page (at least you'll know that the fingerprints page and the CA are
controlled by the same people).

Hope that helps,
Kai



 
Old 08-22-2008, 07:09 PM
José Matos
 
Default Fedora User Certificates

On Friday 22 August 2008 16:20:03 Dennis Gilmore wrote:
> Effective immediately we have replaced the CA that is in use for
> cvs.fedoraproject.org and koji.fedoraproject.org. This affects uploading to
> lookaside cache and building packages.
>
> rm ~/.fedora-server-ca.cert ~/.fedora-upload-ca.cert
> fedora-packager-setup
>
> Then open your browser and go to Edit -> Preferences -> Advanced -> Encryption
> -> View Certificates -> Your Certificates
>
> Select your existing certificate and remove it,
> then import the new one from ~/fedora-browser-cert.p12. You will be able to
> log in to koji.

I have tried this procedure and it works with firefox, yet when trying to use
konqueror (4.1.0) it fails. I have followed the procedure described by Kevin
last year:

http://www.mailinglistarchive.com/fedora-devel-list@redhat.com/msg26818.html

The error message is (the same happens for https FWIW):

The requested operation could not be completed
Connection to Server Refused
Details of the Request:
URL: http://koji.fedoraproject.org/koji/login
Protocol: http
Date and Time: Friday 22 August 2008 20:08
Additional Information: koji.fedoraproject.org: SSL negotiation failed
Description:
The server koji.fedoraproject.org refused to allow this computer to make a
connection.

--
José Abílio

 
Old 08-22-2008, 07:33 PM
Martin Sourada
 
Default Fedora User Certificates

On Fri, 2008-08-22 at 21:04 +0200, Kai Engert wrote:
> Parts of the Fedora infrastructure do not use certificates issued by a
> CA already trusted by Firefox, but from Fedora's own certificate authority.
>
> If you decide to trust Fedora to issue certificates that can identify
> web sites, you could decide to import that CA cert to your set of
> trusted roots.
>
> You could go to https://admin.fedoraproject.org/fingerprints and install
> the CA certificate available from the bottom of that page.
>
> (Unfortunately the mime type currently is not application/x-x509-ca-cert
> so you have to save that file, and then open it; you might even have to
> go to certificate manager and open the authorities tab, then import from
> there.)
>
> You can confirm the origin of the certificate by comparing the
> fingerprint presented by Firefox with the one listed on the fingerprints
> page (at least you'll know that the fingerprints page and the CA are
> controlled by the same people).
>
> Hope that helps,
> Kai
>
I've already added an exception for https://koji.fedoraproject.org/ both
in epiphany and firefox (I trust the fedora issued certificates),
however this page seems rather like my certificate is not being
recognized by koji as signed by "known CA authority"...

Martin
 
Old 08-22-2008, 07:49 PM
Dennis Gilmore
 
Default Fedora User Certificates

On Friday 22 August 2008 02:33:38 pm Martin Sourada wrote:
> On Fri, 2008-08-22 at 21:04 +0200, Kai Engert wrote:
> > Parts of the Fedora infrastructure do not use certificates issued by a
> > CA already trusted by Firefox, but from Fedora's own certificate
> > authority.
> >
> > If you decide to trust Fedora to issue certificates that can identify
> > web sites, you could decide to import that CA cert to your set of
> > trusted roots.
> >
> > You could go to https://admin.fedoraproject.org/fingerprints and install
> > the CA certificate available from the bottom of that page.
> >
> > (Unfortunately the mime type currently is not application/x-x509-ca-cert
> > so you have to save that file, and then open it; you might even have to
> > go to certificate manager and open the authorities tab, then import from
> > there.)
> >
> > You can confirm the origin of the certificate by comparing the
> > fingerprint presented by Firefox with the one listed on the fingerprints
> > page (at least you'll know that the fingerprints page and the CA are
> > controlled by the same people).
> >
> > Hope that helps,
> > Kai
>
> I've already added an exception for https://koji.fedoraproject.org/ both
> in epiphany and firefox (I trust the fedora issued certificates),
> however this page seems rather like my certificate is not being
> recognized by koji as signed by "known CA authority"...
>
> Martin
Did you remove the old user certificate from your browser?

and make sure you import the new one.
Dennis

 
Old 08-22-2008, 08:03 PM
Martin Sourada
 
Default Fedora User Certificates

On Fri, 2008-08-22 at 14:49 -0500, Dennis Gilmore wrote:
> Did you remove the old user certificate from your browser?
>
> and make sure you import the new one.
> Dennis
>
Unfortunately epiphany does not allow me to remove the old one [1], I
removed it in firefox, added in both and selected correct certificate
when asked for (in firefox I have obviously only one choice to choose
from, in epiphany strangely enough as well, probably because I already
removed the old one from HDD).

Martin

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=437671

 
Old 08-23-2008, 09:22 AM
Tim Jackson
 
Default Fedora User Certificates

Dennis Gilmore wrote:
> Effective immediately we have replaced the CA that is in use for
> cvs.fedoraproject.org and koji.fedoraproject.org. This affects uploading to
> lookaside cache and building packages.
>
> There are some manual steps that everyone needs to do to be able to use the
> systems again.

[snip details of how to change your user cert]

After I did this, plague-client complains when I try to build for EPEL:

Traceback (most recent call last):
File "/usr/bin/plague-client", line 420, in <module>
cli = PlagueClient(os.path.expanduser(cfg_file))
File "/usr/bin/plague-client", line 81, in __init__
self._email = self._get_user_email()
File "/usr/bin/plague-client", line 138, in _get_user_email
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, buf)
OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'bad end line')]
make: *** [plague] Error 1

I'm not really sure what this means (maybe the formatting of one of the
certs is incorrect?) Did I do something wrong?


Thanks

Tim

 
Old 08-23-2008, 10:23 AM
Michael Schwendt
 
Default Fedora User Certificates

On Sat, 23 Aug 2008 10:22:10 +0100, Tim Jackson wrote:

> Dennis Gilmore wrote:
>
> > Effective immediately we have replaced the CA that is in use for
> > cvs.fedoraproject.org and koji.fedoraproject.org. This affects uploading to
> > lookaside cache and building packages.
> >
> > There are some manual steps that everyone needs to do to be able to use the
> > systems again.
>
> [snip details of how to change your user cert]
>
> After I did this, plague-client complains when I try to build for EPEL:
>
> Traceback (most recent call last):
> File "/usr/bin/plague-client", line 420, in <module>
> cli = PlagueClient(os.path.expanduser(cfg_file))
> File "/usr/bin/plague-client", line 81, in __init__
> self._email = self._get_user_email()
> File "/usr/bin/plague-client", line 138, in _get_user_email
> cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, buf)
> OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'bad end line')]
> make: *** [plague] Error 1
>
> I'm not really sure what this means (maybe the formatting of one of the
> certs is incorrect?) Did I do something wrong?

As a work-around, you can delete the plain-text portion from the
.fedora.cert (or move it to the end or shorten it). You can recreate it
later anytime.

--
Perhaps this is specific to pyOpenSSL, parser input buffer too small
or something like that, but that is only speculation.

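The failure discussed in this sub-thread, reproduced with the Python standard library only, as an added example that is not part of the thread or of plague-client: a certificate file whose plain-text portion precedes the PEM block is cut at 8192 bytes and loses its END line. The names `pem_block_status`, `extract_pem` and `build_sample`, and the sample file contents, are hypothetical and constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.DOTALL)

def pem_block_status(data):
    """Classify the first certificate block found in data (a str)."""
    start = data.find(BEGIN)
    if start == -1:
        return "missing"            # no BEGIN line at all
    end = data.find(END, start)
    if end == -1:
        return "truncated"          # BEGIN seen, END line cut off
    body = "".join(data[start + len(BEGIN):end].split())
    try:
        base64.b64decode(body, validate=True)
    except ValueError:
        return "corrupt"            # both markers present, body is not base64
    return "ok"

def extract_pem(data):
    """Return only the PEM block, without surrounding plain text, or None."""
    m = PEM_RE.search(data)
    return m.group(0) + "\n" if m else None

def build_sample():
    """Constructed stand-in for ~/.fedora.cert: text dump first, PEM last.
    The base64 body is filler bytes, not a real certificate."""
    text_dump = "    Constructed: text dump filler\n" * 225   # 7650 bytes
    b64 = base64.b64encode(bytes(range(256)) * 4).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return text_dump + BEGIN + "\n" + body + "\n" + END + "\n"

if __name__ == "__main__":
    sample = build_sample()
    # Reading the whole file sees a complete block.
    print("full read      :", pem_block_status(sample))
    # A fixed 8192-byte read stops inside the base64 body.
    print("first 8192 only:", pem_block_status(sample[:8192]))
    # The work-around (drop the plain-text portion) fits within 8192 bytes.
    pem_only = extract_pem(sample)
    print("PEM-only size  :", len(pem_only), pem_block_status(pem_only[:8192]))
```
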
 
Old 08-23-2008, 10:28 AM
Michael Schwendt
 
Default Fedora User Certificates

On Sat, 23 Aug 2008 10:22:10 +0100, Tim Jackson wrote:

> After I did this, plague-client complains when I try to build for EPEL:
>
> Traceback (most recent call last):
> File "/usr/bin/plague-client", line 420, in <module>
> cli = PlagueClient(os.path.expanduser(cfg_file))
> File "/usr/bin/plague-client", line 81, in __init__
> self._email = self._get_user_email()
> File "/usr/bin/plague-client", line 138, in _get_user_email
> cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, buf)
> OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'bad end line')]
> make: *** [plague] Error 1
>
> I'm not really sure what this means (maybe the formatting of one of the
> certs is incorrect?) Did I do something wrong?

plague-client is broken. My guess in the other reply was good.
Apply this:

--- plague-client~ 2008-01-31 15:08:22.000000000 +0100
+++ plague-client 2008-08-23 12:24:53.000000000 +0200
@@ -133,7 +133,7 @@
print "%s does not exist or is not readable." % certfile
sys.exit(1)
f = open(certfile, "r")
- buf = f.read(8192)
+ buf = f.read()
f.close()
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FIL ETYPE_PEM, buf)
cert_email = cert.get_subject().emailAddress
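Review bot: the `load_certificate` call directly after the changed read is still unguarded, so a cert file that fails to parse for any other reason ends in a raw `OpenSSL.crypto.Error` traceback instead of a message like the "does not exist or is not readable" one a few lines above; catch the error there, print the path in `certfile`, and exit the same way. The change from `f.read(8192)` to `f.read()` itself is right for files whose contents run past 8192 bytes, and a one-line comment saying why the size limit was dropped would keep it from being reintroduced. Since the read and `f.close()` are not in a try/finally, an exception during the read also leaves the handle open.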
 
