#88 https://koji.fedoraproject.org is signed with an unknown certificate (extras64.linux.duke.edu)

Created 9 years ago by till

When I connect to https://koji.fedoraproject.org firefox warns me about an untrusted certificate. The certificate is signed by extras64.linux.duke.edu as far as I understand. Please use a certificate that I can verify, i.e. that firefox knows, instead.

ping? Can you please fix this? This is not only a security issue, but also embarrassing for the Fedora Project itself, imho.

mbonnet: Could we put behind https://admin.fp.o like bodhi, mirrormanager, and the other applications or will that interfere with koji's certificate authentication?

Nothing is ever as easy as it seems. We now have a cert, but it will require changes to everyone's client (~/.fedora-server-ca.cert) dgilmore is point man on this. We'll have to announce and come up with a plan.

Will this be fixed now with the switch to the new FAS? Everyone has to change the password, so changing the certificate now would be no big deal, too.

There is currently, according to [https://www.redhat.com/archives/fedora-infrastructure-list/2008-August/msg00073.html this post] on fedora-infrastructure-list, a wildcard certificate for *.fp.o. Is it possible to use that certificate to resolve this issue?

that does not resolve the issue for secondary arches or user certificates.

I'm going to close this as wontfix

Replying to [comment:8 ausil]:

that does not resolve the issue for secondary arches or user certificates.

Just in case someone else wants to fix this in the future, this is what can be done:

Alternative 1) Run koji-hub and the web frontend on different ip addresses
Alternative 2) Use different CAs to verify the secondary archs and the main koji instance, which is probably possible, because nobody objected here:

As far as I can see, there is no issue regarding the user certificates, because they do not need to be signed by the same CA as the koji web interface certificate is.

Login to comment on this ticket.