#250 kojid, kojira, koji-gc seem to require serverca to be defined/present in their configuration files
Closed: Fixed 5 years ago Opened 5 years ago by amessina.

After upgrading to koji-builder-1.11.0-1.fc25.noarch, the builder fails to start if serverca is not defined in the kojid.conf file.

Started Koji build server.
Traceback (most recent call last):
  File "/usr/sbin/kojid", line 5120, in <module>
    ccache=options.ccache)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2099, in krb_login
    (rep_enc, sinfo_enc, addrinfo) = self.callMethod('krbLogin', req_enc, proxyuser)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2250, in callMethod
    return self._callMethod(name, args, opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2367, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2281, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2326, in _sendOneCall
    r = self.rsession.post(handler, **callopts)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 518, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 2] No such file or directory
kojid.service: Main process exited, code=exited, status=1/FAILURE

After adding the following (since my hub uses a well-known cert)

; Hopefully temporary
serverca = /etc/pki/tls/cert.pem

it starts properly.

Of note, this was never required in the past. I have been running a Kerberos-enabled Koji instance with the Hub and Web on SSL/TLS for years.


It could be related to the transition to python-requests. Anyway, when I don't have a serverca line in koji-1.10, I'm getting a similar error:

  File "/usr/sbin/kojid", line 4600, in <module>
    options.serverca)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1742, in ssl_login
    ctx = ssl.SSLCommon.CreateSSLContext(certs)
  File "/usr/lib/python2.7/site-packages/koji/ssl/SSLCommon.py", line 38, in CreateSSLContext
    raise StandardError, "%s does not exist or is not readable" % f
StandardError: /etc/kojid/serverca.crt does not exist or is not readable

Could there be something in your setup which circumvented this error?

I've filed #263 meanwhile.

I think the fact that I've been using a private Koji instance since the beginning (never having the cert files in place) allowed this to pop up for me. I'm wondering if others had the certs in place before the switch to python-requests, so they might not have seen this issue when testing things out, though I'm not sure of that.

1.11 uses requests and verifies certs by default. You have a few options:

  1. configure serverca, as you have discovered
  2. ensure that the CA for your server is trusted by the client system
  3. set no_ssl_verify to True (least preferable option, but it's there)

This is true for every koji client.

@mikem I agree. I continue to use well-known certs for my Koji servers with the CAs available in the system CA list. I was thinking that python-requests would fall back to the system certs, typically /etc/pki/tls/cert.pem, when no serverca is specified, rather than give the traceback above.

It should fall back. The problem may be that the default settings in kojid are preventing that from happening. I fixed this for the cli client, but I guess I missed it for the other clients. See: commit 2ac8d7a
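The fallback mikem describes, as an added illustration that is not Koji's own code: `legacy_verify` mirrors the old behaviour of handing a default serverca path straight to requests (the path is the one from the second traceback above), while the assumed helper `resolve_verify` applies the three options listed earlier, returning True (requests' own/system CA store) when no serverca is configured instead of a nonexistent file.

```python
import os

# Default path an older kojid config relied on (taken from the second
# traceback on this page); it only exists on hubs that run their own CA.
DEFAULT_SERVERCA = "/etc/kojid/serverca.crt"


def legacy_verify(serverca=DEFAULT_SERVERCA):
    """Old behaviour: pass the configured (or default) path straight through.

    If that file is missing, requests tries to open it as the CA bundle and
    fails with "SSLError: [Errno 2] No such file or directory", which is
    exactly the first traceback in this ticket.
    """
    return serverca


def resolve_verify(serverca=None, no_ssl_verify=False):
    """Assumed helper (not Koji's code) computing requests' ``verify`` value.

    Precedence follows the three options listed in the thread:
      no_ssl_verify=True -> False      (verification off, least preferable)
      serverca set       -> that path  (must exist, otherwise fail loudly here)
      neither            -> True       (requests'/system CA store, i.e. the
                                        fallback for well-known certs)
    """
    if no_ssl_verify:
        return False
    if serverca:
        path = os.path.expanduser(serverca)
        if not os.path.isfile(path):
            # Fail at config time with a clear message instead of an opaque
            # Errno 2 SSLError deep inside requests.
            raise OSError("serverca %s does not exist or is not readable" % path)
        return path
    return True


def legacy_default_breaks_startup(serverca=DEFAULT_SERVERCA):
    """True when the legacy default would make the client fail as in the ticket."""
    return not os.path.isfile(legacy_verify(serverca))
```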

Mike, does it make sense to look into ~/.koji for kojid? If cert is None, standard PKI ones would be used, no? So only removal of the default value could fix this?

@mikem changed the status to Closed (5 years ago)

Metadata Update from @tkopecek (5 years ago):
- Issue set to the milestone: 1.12