#575 CI (OpenShift) self-signed certificate in certificate chain (koji.mbox.centos.org)
Closed: Fixed with Explanation 2 years ago by arrfab. Opened 2 years ago by pjgeorg.

In one of the automation tasks running for the Kmods SIG we need to download files from koji.mbox.centos.org. Doing that I run into the following issue:

curl -f -I -o /dev/null https://koji.mbox.centos.org/pkgs/packages/kernel/4.18.0/348.7.1.el8_5/aarch64/kernel-devel-4.18.0-348.7.1.el8_5.aarch64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

I can work around that issue on my side, but I assume this should be fixed in general.

Note: kojihub.stream.centos.org is not affected.


Yes, that's because you're reaching it "internally" and not through haproxy that has the proper TLS cert.
The koji.mbox setup is (actually but should move soon) itself an OpenShift 3 setup with self-signed certs.

That's the reason why cbs itself is pointing to a different VM that doesn't suffer from this (so not accessing kojihub/koji.mbox directly):

cbs list-external-repos|grep centos8s-buildroot
centos8s-buildroot        http://kojifiles.rdu2.centos.org/kojifiles/repos/dist-c8-stream-build/latest/$arch/

So just replace your job to download from kojifiles.rdu2.centos.org and it will work (internally from CI) :

 curl -O http://kojifiles.rdu2.centos.org/pkgs/packages/kernel/4.18.0/348.7.1.el8_5/aarch64/kernel-devel-4.18.0-348.7.1.el8_5.aarch64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18.9M  100 18.9M    0     0   309M      0 --:--:-- --:--:-- --:--:--  315M

Metadata Update from @arrfab:
- Issue assigned to arrfab

2 years ago

Metadata Update from @arrfab:
- Issue tagged with: centos-ci-infra, low-gain, low-trouble

2 years ago

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

2 years ago

Changing the download URL to point to kojifiles.rdu2.c.o works as expected.
Thanks for the explanation about the internal network. It actually made me realize that there is an obvious solution for handling this case once CentOS Linux 8 is EOL and no new builds will be available for it on koji.mbox.c.o: changing the URL to http://mirror1.rdu2.centos.org/RHEL/8/... which is only accessible internally.

Once again thanks for your quick and excellent support!


Metadata
Boards 1
CentOS CI Infra Status: Backlog