#1121 ~/.koji/serverca.crt tacitly overrides serverca
Opened 2 years ago by julian8628. Modified 2 years ago

When this certificate exists, it will override serverca if it's not specified in profiles.
It might break things, even when using kerberos auth, and it's hard to debug.


If we don't change this behavior, maybe we could show some/all of options in debug info?

+1 for changing - it doesn't seem like something what would user expect

When this certificate exists, it will override serverca if it's not specified in profiles.

The term override implies that something is being overridden. I don't think that is the case here. This behavior only happens when there is no explicit serverca setting.

I agree something is wrong here, but the description of the problem seems incorrect. Let's clarify it please. Perhaps a specific example?

I believe the example I remember from previous discussion was:

  • profile has no explicit serverca setting
  • server cert is trusted by system config (i.e. no explicit serverca needed)
  • ~/.koji/serverca.crt exists (perhaps needed for another profile) and server cert does not validate against it

In such a case, the default value results in an ssl error.

There is currently no way to explicitly set serverca to None in the configuration file. You can set it to the empty string, and that may solve this issue when it comes up.

There is currently no way to explicitly set serverca to None in the configuration file. You can set it to the empty string, and that may solve this issue when it comes up.

Note that setting serverca to the empty string might not be fully equivalent to setting it to None. In particular, it looks like ssl_login will error on that value.

I think changing the default to None is probably reasonable. I wonder if we also want to do the same for the cert option.

We should figure out of there are many folks relying on this default. Hopefully not.

Regardless of that, we need to provide a way to explicity configure the serverca=None behavior. Even if we change the default, a user may still want to override a global serverca setting in their local config.

I ran into this issue of having to explicitly set serverca today (filed #1193 for that). Here is a patch that is working for me, and it should preserve all the existing behavior so that we don't break clients: https://pagure.io/koji/pull-request/1194

Login to comment on this ticket.

Metadata