After upgrading to koji-builder-1.11.0-1.fc25.noarch, the builder fails to start if serverca is not defined in the kojid.conf file.
Started Koji build server.
Traceback (most recent call last):
  File "/usr/sbin/kojid", line 5120, in <module>
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2099, in krb_login
    (rep_enc, sinfo_enc, addrinfo) = self.callMethod('krbLogin', req_enc, proxyuser)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2250, in callMethod
    return self._callMethod(name, args, opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2367, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2281, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2326, in _sendOneCall
    r = self.rsession.post(handler, **callopts)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 518, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 2] No such file or directory
kojid.service: Main process exited, code=exited, status=1/FAILURE
After adding the following (since my hub uses a well-known cert)
; Hopefully temporary
serverca = /etc/pki/tls/cert.pem
it starts properly.
Of note, this was never required in the past. I have been running a Kerberos-enabled Koji instance with the Hub and Web on SSL/TLS for years.
It could be related to the transition to python-requests. Anyway, when I don't have the serverca line in koji-1.10, I'm getting a similar error:
  File "/usr/sbin/kojid", line 4600, in <module>
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1742, in ssl_login
    ctx = ssl.SSLCommon.CreateSSLContext(certs)
  File "/usr/lib/python2.7/site-packages/koji/ssl/SSLCommon.py", line 38, in CreateSSLContext
    raise StandardError, "%s does not exist or is not readable" % f
StandardError: /etc/kojid/serverca.crt does not exist or is not readable
Could there be something in your setup which circumvented this error?
I've filed #263 meanwhile.
I think the fact that I've been using a private Koji instance since the beginning (never having the cert files in place) allowed this to pop up for me. I'm wondering if others had the certs in place before the switch to python-requests, so might not have seen this issue when testing things out, though I'm not sure of that.
1.11 uses requests and verifies certs by default. You have a few options
This is true for every koji client
@mikem I agree. I continue to use well-known certs for my Koji servers with the CAs available in the system CA list. I was thinking that python-requests would fall back to the system certs, typically /etc/pki/tls/cert.pem when no serverca is specified, rather than give the traceback above.
It should fall back. The problem may be that the default settings in kojid are preventing that from happening. I fixed this for the cli client, but I guess I missed it for the other clients. See: commit 2ac8d7a
Mike, does it make sense to look into ~/.koji for kojid? If cert will be none, standard PKI ones would be used, not? So only removal of default value could fix this?
Commit 1593e03 fixes this issue
@mikem changed the status to Closed
Metadata Update from @tkopecek:
- Issue set to the milestone: 1.12
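Added example (not part of the ticket and not Koji's own code): one way a client could turn the serverca option into the `verify` argument that python-requests accepts, falling back to the system trust store when the option is unset and failing with a readable message when it names a missing file. The function name `resolve_verify`, the `[kojid]` section default and the sample config text are assumptions made for illustration.

```python
import configparser
import os


def resolve_verify(conf_text, section="kojid"):
    """Return the value to pass as requests' verify= argument.

    Hypothetical helper, not Koji code.
    - serverca unset or empty -> True (requests uses its default CA bundle)
    - serverca set and readable -> that path (custom CA bundle)
    - serverca set but missing -> FileNotFoundError naming the path,
      instead of the opaque "SSLError: [Errno 2]" seen in the traceback
    Verification is never switched off (False is never returned).
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    # fallback=None covers both a missing section and a missing option,
    # so no hard-coded default path can shadow the system trust store.
    serverca = cp.get(section, "serverca", fallback=None)
    if not serverca:
        return True
    serverca = os.path.expanduser(serverca)
    if not (os.path.isfile(serverca) and os.access(serverca, os.R_OK)):
        raise FileNotFoundError(
            "serverca %r does not exist or is not readable; remove the "
            "option to use the system CA list" % serverca
        )
    return serverca


if __name__ == "__main__":
    # Constructed sample configs, not taken from a real builder.
    samples = {
        "no serverca": "[kojid]\nserver = https://hub.example.com/kojihub\n",
        "missing file": "[kojid]\nserverca = /nonexistent/constructed/ca.crt\n",
    }
    for label, text in samples.items():
        try:
            print(label, "->", resolve_verify(text))
        except FileNotFoundError as exc:
            print(label, "-> error:", exc)
```

The returned value would be passed straight through, for example as `session.post(url, verify=resolve_verify(text))`.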