#280 kerberos auth does not use serverca
Closed: Insufficient data 6 years ago Opened 7 years ago by teuf.

I've been trying to connect to a koji host using a certificate using a CA which is not in my system-wide trust store. I'm using kerberos to connect to this host, and the configuration is set up to use https:// for server=. I've added the appropriate serverca= directive to the conf file as well.

This causes login ('hello' command) attempts to fail with
SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

I forced use of serverca in the kerberos case with

diff --git a/cli/koji b/cli/koji
index d1d70c5..8bc0b83 100755
--- a/cli/koji
+++ b/cli/koji
@@ -7214,6 +7214,7 @@ def activate_session(session):
# authenticate using user/password
session.login()
elif options.authtype == "kerberos" or has_krb_creds() and options.authtype is None:
+ session.opts["serverca"] = options.serverca
try:
if options.keytab and options.principal:
session.krb_login(principal=options.principal, keytab=options.keytab, proxyuser=options.runas)
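
Review bot: The added assignment sits only inside the kerberos branch of activate_session, so the password branch visible just above it (session.login()) and any other path through this function still run without the configured CA. If the CA bundle is meant to apply to every HTTPS connection to the hub, set it once before the authtype branching, or where the session is created, rather than per branch. The line also assigns options.serverca unconditionally, so when no serverca is configured it writes that empty value into session.opts["serverca"] and overwrites whatever was already there; guard it with a check that options.serverca is set. A short comment saying why the option has to be copied here would help the next reader.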

and my "hello" attempt succeeds.


Actually, I also need this hack in the "noauth" case.

Is it happening also with current master? (It works for me, so investigating where is the difference.)

Current master seems to work fine (with PYTHON_PATH=./koji ./cli/koji -p foo wait-repo bar), I should have tested this first ;)

with PYTHON_PATH=./koji ./cli/koji ...

Did you mean PYTHONPATH=.? Are we talking about krbV or requests-kerberos? I'm asking because of #288.

One of my test systems is set up like this (krb auth, ca not trusted system wide). I'm curious exactly which version of koji this was and what the other config opts are.

NEEDINFO: see last comment

@mikem I always use a relatively recent koji from git. Ah, that's not one of my bug reports, sorry.

Closing this. @teuf, if this is still happening we'll need the details requested above in order to help.

Metadata Update from @mikem:
- Issue close_status updated to: Insufficient data
- Issue status updated to: Closed (was: Open)

6 years ago
