#1878 "SSLVerifyClient require" breaks kojiweb (was: Is Kerberos required by kojiweb?)
Closed: Fixed 4 years ago by tkopecek. Opened 4 years ago by enteropia.

While trying hard to run kojiweb (1.19.1) with SSL authentication, we still experienced problems.

During debugging I found that the _getServer() function in www/kojiweb/index_py always creates a Kerberos-authenticated session, even when only SSL is configured in /etc/kojiweb/web.conf.

I'm confused... Does it mean that kojiweb always uses Kerberos internally?


The problem was caused by the Apache config: "SSLVerifyClient require" was set at global server scope.

Unfortunately, this is what the documentation suggests :/

Metadata Update from @enteropia:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata Update from @tkopecek:
- Custom field Size adjusted to None
- Issue status updated to: Open (was: Closed)

4 years ago

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.21

4 years ago

Hmm, it looks like the docs are correct about this. I've tried it again, and it works for me. Wasn't that krb section also enabled?

@tkopecek: no, I didn't enable Kerberos. My symptoms in koji were: koji moshimoshi worked, koji list-tags didn't. Only after I used koji --force-auth list-tags did it work with no problem.

In kojiweb: I've been getting SSL errors on the index page, even before I could try to log in. I figured out that kojiweb, like the koji command, expects only /kojihub/ssllogin to require SSL certificates, while other services (like tag listing) should be accessible without SSL authentication. When I looked into the kojiweb code it looked like it doesn't even bother to pass an SSL certificate at this moment, and sets only "dummy" krb opts for koji.ClientSession in _getServer().

The docs on the other hand suggest that SSLVerifyClient require should be set at global space. After I changed that to "optional", both the koji command and kojiweb worked without problems.

So no, kojiweb doesn't require Kerberos (I should've changed the issue title), but it doesn't work with "SSLVerifyClient require" set in ssl.conf.

My current setting of SSLVerifyClient is optional for / and "require" only for /kojihub/ssllogin. I suppose the /kojihub directory should have at most "optional", but this isn't explained well in the documentation.
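
The arrangement described in the comment above, written out as an Apache mod_ssl sketch. This is an added example, not part of the ticket or of Koji's shipped configs; the CA certificate path is a placeholder and the rest of the virtual host is omitted.

```apache
# --- Setting that caused the problem in this ticket (server scope) ---
# With "require" here, every TLS connection to the host must present a
# client certificate, including requests that never log in (the kojiweb
# index page, "koji list-tags" without --force-auth).
#
#   SSLVerifyClient require

# --- Arrangement the reporter ended up with ---
# Server scope: ask for a client certificate, but let the handshake
# succeed when the client sends none.
SSLVerifyClient optional

# CA used to validate client certificates (placeholder path).
SSLCACertificateFile /path/to/koji_ca_cert.crt

# Only the SSL login endpoint insists on a verified client certificate.
# mod_ssl enforces a per-Location "require" after the initial handshake
# (renegotiation on TLS 1.2, post-handshake authentication on TLS 1.3),
# so clients hitting this path must support that.
<Location /kojihub/ssllogin>
    SSLVerifyClient require
</Location>
```

With "optional" at server scope, requests without a certificate reach the hub, so anything outside /kojihub/ssllogin is protected only by the hub's own session checks, not by the TLS layer.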

Ah, understood. We've working example configs, but old info in docs. I've filed #2057

Metadata Update from @tkopecek:
- Issue tagged with: doc, no_qe

4 years ago

Thanks very much for filing this ticket, @enteropia. It helps us improve the install experience for other people.


Metadata
Related Pull Requests
  • #2057 Merged 4 years ago