When using SSL client authentication, if the user does not have a ~/.koji/serverca.crt file, the Koji client does not use the system-wide certificate store to verify the hub's HTTPS cert. The user must always explicitly configure a serverca setting.
In cli/koji_cli/lib.py's read_defaults() method, there is this section where we configure a default serverca:
    # special handling for cert defaults
    cert_defaults = {
        'cert': '~/.koji/client.crt',
        'serverca': '~/.koji/serverca.crt',
    }
    ...
We loop over that dict, and if those paths do not exist, then we set result[name] = ''
This empty string ends up going into ssl_login() here as options.serverca:
session.ssl_login(options.cert, None, options.serverca, proxyuser=runas)
And we raise with a confusing message about this empty string:
raise AuthError("Server CA %s doesn't exist or is not accessible" % serverca)
It would be great to make Koji always default to using the system-wide CA store instead of defaulting to ~/.koji/serverca.crt. This would match the way Koji behaves for GSSAPI authentication.
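The fallback requested above, as an added sketch that is not part of the ticket and is not Koji's code or the code from any pull request. `resolve_verify`, its `default_path` parameter and the local `AuthError` class are hypothetical names, and the return value assumes the `verify` convention of the requests library (a path pins a CA file, `True` uses the default trust store).

```python
import os
import tempfile

DEFAULT_SERVERCA = '~/.koji/serverca.crt'  # default path named in the ticket


class AuthError(Exception):
    """Stand-in for the client's AuthError (hypothetical, for this example)."""


def resolve_verify(serverca=None, default_path=DEFAULT_SERVERCA):
    """Pick the CA setting used to verify the hub's HTTPS certificate.

    Explicit serverca: must be readable, otherwise fail with a clear error.
    No explicit setting, default file present: pin to that file.
    No explicit setting, default file absent: True (default trust store).
    Verification is never switched off, and '' is treated as "not set".
    """
    if serverca:
        path = os.path.expanduser(serverca)
        if not os.access(path, os.R_OK):
            # The user asked for this file, so do not silently fall back.
            raise AuthError("Server CA %s doesn't exist or is not accessible" % path)
        return path
    path = os.path.expanduser(default_path)
    if os.access(path, os.R_OK):
        return path  # backwards-compatible: an existing default file still wins
    return True


if __name__ == '__main__':
    # Constructed inputs: a temporary directory stands in for ~/.koji
    with tempfile.TemporaryDirectory() as d:
        default = os.path.join(d, 'serverca.crt')
        print(resolve_verify('', default_path=default))    # True
        with open(default, 'w') as f:
            f.write('constructed placeholder, not a real certificate\n')
        print(resolve_verify(None, default_path=default))  # path to the file
```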
This issue might be a duplicate of #1121.
Here's the smallest change I could make that is still backwards-compatible with the present features: https://pagure.io/koji/pull-request/1194