Koji CLI Auth problem
Mike Bonnet
mikeb at redhat.com
Wed Jul 16 13:29:10 UTC 2008
On Wed, 2008-07-16 at 11:06 +0800, Linul wrote:
> HI:
>
> I'm using CentOS 5.2 for my Koji Server, but now I have a problem
> about Koji CLI auth.
>
> According to the wiki document at
> http://fedoraproject.org/wiki/Koji/ServerHowTo , I setup my Koji-hub、
> Koji-web、postgresql
>
> , and have a koji web interface.
>
> I also setup my CA Center,and configure the kojiweb.conf、
> kojihub.conf、/etc/koji.conf.
>
> But when I execute the koji command with no username and password, the
> message is:
>
> Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL
> routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]
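Your client certificate file (indicated by "cert" in the config file)
needs to contain both the certificate and private key. Your private key
is missing: the "no start line" error from SSL_CTX_use_PrivateKey_file
means no PEM private-key block was found in the file named by "cert"
(/etc/kojid/kojiadmin.crt in the config below). Since that file will then
hold the private key, it should be readable only by the user running koji.
Also note that "ca" in the quoted /etc/koji.conf points at a .key file,
although the comment above it says it names the certificate of the issuing
CA; "ClientCA" in kojiweb.conf looks like the same mix-up.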
> why?
>
> thanks.....
>
>
> /etc/koji.conf:
>
> [koji]
>
> ;configuration for koji cli tool
>
> ;url of XMLRPC server
> ;server = http://koji.fedoraproject.org/kojihub
> server = http://koji.ossii.com.tw/kojihub
>
> ;url of web interface
> ;weburl = http://koji.fedoraproject.org/koji
> weburl = http://koji.ossii.com.tw/koji
>
> ;url of package download site
> ;pkgurl = http://koji.fedoraproject.org/packages
> pkgurl = http://koji.ossii.com.tw/packages
>
> ;path to the koji top directory
> topdir = /mnt/koji
>
> ;configuration for SSL authentication
>
> ;client certificate
> ;cert = ~/.fedora.cert
> cert = /etc/kojid/kojiadmin.crt
>
> ;certificate of the CA that issued the client certificate
> ;ca = ~/.fedora-upload-ca.cert
> ca = /etc/kojid/kojiadmin.key
>
> ;certificate of the CA that issued the HTTP server certificate
> ;serverca = ~/.fedora-server-ca.cert
> serverca = /etc/httpd/conf.d/ssl/ossiikojica.crt
>
>
> kojihub.conf:
>
> <Directory /usr/share/koji-hub>
> SetHandler mod_python
> PythonHandler kojixmlrpc
> PythonOption DBName koji
> PythonOption DBUser kevin
> PythonOption DBHost 127.0.0.1
> PythonOption KojiDir /mnt/koji
>
> # Kerberos auth configuration
> # PythonOption AuthPrincipal kojihub at EXAMPLE.COM
> # PythonOption AuthKeytab /etc/koji.keytab
> # PythonOption ProxyPrincipals kojihub at EXAMPLE.COM
> # format string for host principals (%s = hostname)
> # PythonOption HostPrincipalFormat compile/%s at EXAMPLE.COM
> # end Kerberos auth configuration
>
> # SSL client certificate auth configuration
> # the client username is the common name of the subject of their client certificate
> PythonOption DNUsernameComponent CN
> # separate multiple DNs with |
> # PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example at example.com"
> PythonOption ProxyDNs "/C=TW/ST=Taiwan/O=OSSII/OU=Koji Hub Server/CN=OSSII Koji Server CA/emailAddress=kevin.lin at ossii.com.tw"
> # end SSL client certificate auth configuration
>
> PythonOption LoginCreatesUser On
> PythonOption KojiWebURL http://koji.ossii.com.tw/koji
>
> # The domain name that will be appended to Koji usernames
> # when creating email notifications
> PythonOption EmailDomain example.com
> # PythonOption KojiDebug On
> # PythonOption KojiTraceback "extended"
> # sending tracebacks to the client isn't very helpful for debugging xmlrpc
> PythonDebug Off
> # autoreload is mostly useless to us (it would only reload kojixmlrpc.py)
> PythonAutoReload Off
> </Directory>
>
> # uncomment this to enable authentication via SSL client certificates
> <Location /kojihub>
> SSLOptions +StdEnvVars
> </Location>
> # these options must be enabled globally (in ssl.conf)
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> kojiweb.conf:
>
> Alias /koji "/usr/share/koji-web/scripts/"
>
> <Directory "/usr/share/koji-web/scripts/">
> # Config for the publisher handler
> SetHandler mod_python
> PythonHandler mod_python.publisher
>
> # General settings
> PythonDebug On
> PythonOption KojiHubURL http://koji.ossii.com.tw/kojihub
> PythonOption KojiWebURL http://koji.ossii.com.tw/koji
> PythonOption KojiPackagesURL http://koji.ossii.com.tw/koji/packages
> PythonOption WebPrincipal koji/kevin.lin at ossii.com.tw
> PythonOption WebKeytab /etc/httpd.keytab
> PythonOption WebCCache /var/tmp/kojiweb.ccache
> PythonOption WebCert /etc/httpd/conf.d/ssl/kojiweb.crt
> PythonOption ClientCA /etc/httpd/conf.d/ssl/kojiweb.key
> PythonOption KojiHubCA /etc/httpd/conf.d/ssl/ossiikojica.crt
> PythonOption LoginTimeout 72
> # This must be changed before deployment
> PythonOption Secret CHANGE_ME
> PythonPath "sys.path + ['/usr/share/koji-web/lib']"
> PythonCleanupHandler kojiweb.handlers::cleanup
> PythonAutoReload Off
> </Directory>
> <Location /koji/login>
> SSLOptions +StdEnvVars
> </Location>
> # these options must be enabled globally (in ssl.conf)
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> Alias /koji-static/ "/usr/share/koji-web/static/"
>
> <Directory "/usr/share/koji-web/static/">
> Options None
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>
> ssl.conf
>
> SSLCertificateFile /etc/httpd/conf.d/ssl/kojihub.crt
> SSLCertificateKeyFile /etc/httpd/conf.d/ssl/kojihub.key
> SSLCACertificateFile /etc/httpd/conf.d/ssl/ossiikojica.crt
> SSLVerifyClient require
> SSLVerifyDepth 10
>
>
>
>
> --
> =============================================================================
> 林毓能
> Linul
> RedHat Certified Engineer
>
> TsLG網路工作室:http://www.tslg.idv.tw
> TsLG城市午後:http://blog.tslg.idv.tw
> Linul攝影紀實:http://photo.tslg.idv.tw
> 手機:0939797462
> E-mail : kevin.linul at gmail.com; linul at tslg.idv.tw
> =============================================================================
> --
> Fedora-buildsys-list mailing list
> Fedora-buildsys-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-buildsys-list