another issue to fix with the FAS2 switch: Kojis ssl certificate

Tue Mar 11 21:32:48 UTC 2008

On Tuesday 11 March 2008, Till Maas wrote:
> On Tue March 11 2008, Dennis Gilmore wrote:
> > On Tuesday 11 March 2008, Till Maas wrote:
> > > Hiyas,
> > >
> > > now that everyone needs to change his password, can we now also deploy
> > > the new certifcate for koji? This will make it possible to verify
> > > whether or not one can trust the certificate for koji and the ticket[1]
> > > is now 7 months old, i.e. about a full Fedora release cycle. Therefore
> > > I guess there won't be a better time than now.
> > >
> > > Regards,
> > > Till
> > >
> > > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
> >
> > No,  Because it will break user certs.  To make it work would require
> > that users all get entirely new server cert files.  We need to redo our
> > entire CA system.  We also need to consider  the ramifications for
> > Secondary arches, deploying a new CA  would require each and every
> > Secondary arch to purchase a cert from the same CA.  or somebody to
> > purchase a cert that covered *.koji.fedoraproject.org from the same CA.
> >
> > we are looking at deploying the hub on a separate box from the frontend
> > which would allow us to do what you are wanting  but would not look after
> > secondary arches.
>
> How about making the hub (I assume this is only used by automated processes
> and not manually) listen on a different port than 443? Then the web
> interface could use the new well know certificate. The automated processes
> the internal ones, where imho using a own ca does not hurt. Also using a
> different port should be only a matter of configuring it once.
> The secondary arch instances could then use a cacert[0] certificate, which
> are free and are trusted by some browsers already for the web interface.

if we use CACert we would have ship it in the browsers we supply.  currently 
no browser shipped with fedora does and if we did such we would use it for 
all services.  and would require changes to all users koji configs.   people 
who are not using fedora would be in the same situation as they are now. 
AFAIK only CentOS ships browsers with CACerts root cert.

> > We currently use 2 different CA's in our setup.  One that is used only
> > for user certs and one that is used  for the builders and frontend.   I
> > would like to move to a new Single CA setup.  In this world  when you
> > import your fedora user cert for browser authentication you would
> > automatically recognise the CA.  though this would only be valid for
> > Fedora contributors.
>
> Is this only about Koji or Fedoraprojet in general? Imho it is better to
> use a well known CA for the frontend (website) and an own one for internal
> stuff instead of using an own one for everything.

the user certs are used to authenticate the user for uploading new tarballs 
and  koji/plague access.  there is work underway to allow them to be used to 
authenticate for other fedora webapps also.  

Dennis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20080311/924d20a1/attachment.sig>