#3048 Kerberos authentication needs SSL auth?
Closed: Fixed 2 years ago by tkopecek. Opened 2 years ago by lerodrig.

Hello everyone,

I am trying to set up a custom server in my VM with Fedora WS 34, at this moment I am trying the Kerberos Authentication but I am getting issues with the SSL Login, is there any SSL config needed? I am following this guide https://docs.pagure.org/koji/server_howto/

When I try to do koji moshimoshi, I am getting the following error:

[root@koji lerodrig]# KRB5_TRACE=/dev/stdout koji -d hello
2021-09-24 15:27:13,591 [DEBUG] koji: Opening new requests session
2021-09-24 15:27:13,591 [DEBUG] koji: Opening new requests session
2021-09-24 15:27:13,640 [DEBUG] koji: Opening new requests session
2021-09-24 15:27:13,641 [ERROR] koji: (gssapi auth failed: requests.exceptions.SSLError: HTTPSConnectionPool(host='koji.ksi.com', port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)'))))
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
Traceback (most recent call last):
  File "/usr/bin/koji", line 335, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python3.9/site-packages/koji_cli/commands.py", line 7680, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python3.9/site-packages/koji_cli/lib.py", line 749, in activate_session
    session.gssapi_login(proxyuser=runas)
  File "/usr/lib/python3.9/site-packages/koji/__init__.py", line 2531, in gssapi_login
    raise GSSAPIAuthError(err)
koji.GSSAPIAuthError: unable to obtain a session (gssapi auth failed: requests.exceptions.SSLError: HTTPSConnectionPool(host='koji.ksi.com', port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)'))))
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
[root@koji lerodrig]# 

Koji supports two forms of authentication:

  1. Kerberos (GSSAPI) authentication
  2. TLS client authentication (sometimes called "mTLS" today)

Both of these require your hub web server (Apache) to use HTTPS to protect the connection.

Specifically, if you don't use HTTPS to protect the hub, a passive adversary could listen to the plaintext HTTP connection to observe any private information in the client's request or server's response. In Koji's case, observers could snoop the initial GSSAPI login to /kojihub/ssllogin, or snoop the client's session-id and private session-key that the client sends in every subsequent authenticated XML-RPC HTTP request. So you're right to use HTTPS on the hub.


That particular CERTIFICATE_VERIFY_FAILED error means that your Koji client is unable to verify the HTTPS server certificate that the hub presents to clients.

The easiest way to get rid of this error is to trust the CA system-wide on your client. Assuming you generated a CA on your Koji hub box, securely copy it to each client, and place the CA file into /etc/pki/ca-trust/source/anchors on each client, like so:

sudo cp /tmp/koji-ca.crt /etc/pki/ca-trust/source/anchors/koji-ca.crt
sudo update-ca-trust extract

Then you should be able to make curl requests of your hub.


The Server HowTo instructions for openssl are complicated. I wrote https://pagure.io/koji-tools/blob/master/f/src/bin/koji-ssl-admin to simplify the steps.

To generate a CA keypair:

./src/bin/koji-ssl-admin new-ca --common-name "lerodrig koji ca"

To generate the keypair for HTTPS service (for kojihub + kojiweb):

./src/bin/koji-ssl-admin server-csr koji.ksi.com
./src/bin/koji-ssl-admin sign koji.ksi.com.csr

Then copy those files to your hub's /etc/pki/koji directory:

sudo cp koji.ksi.com.chain.crt /etc/pki/koji/
sudo cp koji.ksi.com.key /etc/pki/koji/

Your Apache configuration should point at those files:

SSLCertificateKeyFile /etc/pki/koji/koji.ksi.com.key
SSLCertificateFile /etc/pki/koji/koji.ksi.com.chain.crt

(Omit SSLCertificateChainFile because SSLCertificateFile does the same thing in Apache 2.4.8+. Omit SSLCACertificateFile, since you're doing Kerberos auth, not SSL client auth.)

Finally, reload Apache:

sudo systemctl reload httpd

Does it address your issue?

Metadata Update from @tkopecek:
- Custom field Size adjusted to None

2 years ago
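The procedure above (private CA, hub certificate signed by it, CA trusted on every client) can be checked end to end without a hub. The script below is an added example; it is not code from the thread, from koji or from koji-tools. It uses plain openssl in place of koji-ssl-admin to build a CA and a hub certificate, then runs the two checks a TLS client such as the koji CLI (Python requests) performs: chain verification, which fails with exactly the "self signed certificate in certificate chain" situation from the traceback while the CA is unknown, and hostname matching against the subjectAltName. Assumptions: openssl 1.1.0 or newer is installed, `koji.ksi.com` is the hypothetical hub name from the thread, and the `WORK`, `HUB_HOST` and `KOJI_TLS_DEMO` variables are this script's own.

```shell
#!/bin/sh
# Added example, not from the thread, koji or koji-tools. Builds a private CA and
# a hub certificate with plain openssl and runs the checks a TLS client performs.
# Assumes openssl >= 1.1.0. Hostname and paths are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HUB_HOST="${HUB_HOST:-koji.ksi.com}"

# Private CA, standing in for `koji-ssl-admin new-ca`. A self-written config
# keeps this independent of whatever /etc/pki/tls/openssl.cnf contains.
make_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = example koji ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/koji-ca.key" -out "$WORK/koji-ca.crt" 2>/dev/null
}

# Hub key and certificate signed by the CA, standing in for `server-csr` + `sign`.
# The SAN matters: Python's ssl module matches the hostname against
# subjectAltName, so a CN-only certificate fails even with the CA trusted.
make_server_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
        "$HUB_HOST" > "$WORK/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -keyout "$WORK/$HUB_HOST.key" -out "$WORK/$HUB_HOST.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HUB_HOST" \
        > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/$HUB_HOST.csr" \
        -CA "$WORK/koji-ca.crt" -CAkey "$WORK/koji-ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/$HUB_HOST.crt" 2>/dev/null
    # Leaf first, CA after: the layout SSLCertificateFile accepts in Apache 2.4.8+.
    cat "$WORK/$HUB_HOST.crt" "$WORK/koji-ca.crt" > "$WORK/$HUB_HOST.chain.crt"
}

# Chain check as a client does it. $1 = CA file to trust, or "" to rely only on
# openssl's default store, where a freshly generated private CA is unknown.
verify_hub_cert() {
    if [ -n "${1:-}" ]; then
        openssl verify -CAfile "$1" "$WORK/$HUB_HOST.crt" >/dev/null 2>&1
    else
        openssl verify "$WORK/$HUB_HOST.crt" >/dev/null 2>&1
    fi
}

# Chain check plus hostname match, which is what a TLS client checks together.
# $1 = CA file, $2 = the name the client connected to.
hostname_matches() {
    openssl verify -CAfile "$1" -verify_hostname "$2" \
        "$WORK/$HUB_HOST.crt" >/dev/null 2>&1
}

# Stand-alone demo: KOJI_TLS_DEMO=1 sh hub-tls-check.sh
# On a real client the remedy is the one from the thread:
#   sudo cp koji-ca.crt /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust extract
if [ "${KOJI_TLS_DEMO:-0}" = 1 ]; then
    make_ca
    make_server_cert
    verify_hub_cert "" || echo "CA not trusted: verify fails (koji's CERTIFICATE_VERIFY_FAILED)"
    verify_hub_cert "$WORK/koji-ca.crt" && echo "CA trusted: chain OK"
    hostname_matches "$WORK/koji-ca.crt" "$HUB_HOST" && echo "hostname $HUB_HOST matches SAN"
    echo "files in $WORK"
fi
```

Once `verify_hub_cert "$WORK/koji-ca.crt"` and `hostname_matches` pass for the real hub certificate and the real CA file, the remaining question on a Fedora client is only whether that CA file reached `/etc/pki/ca-trust/source/anchors` and `update-ca-trust extract` was run.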

Yes, thank you so much. Now I can authenticate and use koji, but I am having issues building any RPM.

[root@koji tmp]# koji build --scratch dist-coreos koji-1.25.0-2.fc34.src.rpm 
Uploading srpm: koji-1.25.0-2.fc34.src.rpm
[====================================] 100% 00:00:00   1.15 MiB  19.78 MiB/sec
Created task: 3
Task info: https://koji.ksi.com/koji/taskinfo?taskID=3
Watching tasks (this may be safely interrupted)...
3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm): free
3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm): free -> open (builder1.koji.ksi.com)
  4 rebuildSRPM (noarch): free
  4 rebuildSRPM (noarch): free -> open (builder1.koji.ksi.com)
  4 rebuildSRPM (noarch): open (builder1.koji.ksi.com) -> FAILED: BuildError: error building srpm, mock exited with status 1; see build.log or root.log for more information
  Relevant logs:
  https://koji.ksi.com//work/tasks/4/4/mock_output.log
  https://koji.ksi.com//work/tasks/4/4/hw_info.log
  https://koji.ksi.com//work/tasks/4/4/state.log
  https://koji.ksi.com//work/tasks/4/4/build.log
  https://koji.ksi.com//work/tasks/4/4/root.log
  0 free  1 open  0 done  1 failed
3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm): open (builder1.koji.ksi.com) -> FAILED: BuildError: error building srpm, mock exited with status 1; see build.log or root.log for more information
  0 free  0 open  0 done  2 failed

3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm) failed

This is the mock.log

INFO: Running in chroot: ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']
Start: chroot ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']
execv(rpmbuild) failed: No such file or directory
Finish: chroot ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']

And the root.log

DEBUG file_util.py:30:  touching file: /var/lib/mock/dist-coreos-build-1-1/root/.initialized
INFO backend.py:391:  Running in chroot: ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']
DEBUG util.py:624:  child environment: None
DEBUG util.py:536:  Using nspawn with args ['--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.508dm313:/etc/resolv.conf', '--bind=/dev/btrfs-control', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11']
DEBUG util.py:542:  Executing command: ['/usr/bin/systemd-nspawn', '-q', '-M', 'c41e2fd7a1a74255a9ef4b43b8e60d38', '-D', '/var/lib/mock/dist-coreos-build-1-1/root', '-a', '--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.508dm313:/etc/resolv.conf', '--bind=/dev/btrfs-control', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11', '--console=pipe', '--setenv=TERM=vt100', '--setenv=SHELL=/bin/bash', '--setenv=HOME=/builddir', '--setenv=HOSTNAME=mock', '--setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin', '--setenv=PROMPT_COMMAND=printf "\\033]0;<mock-chroot>\\007"', '--setenv=PS1=<mock-chroot> \\s-\\v\\$ ', '--setenv=LANG=C.UTF-8', '--resolv-conf=off', 'rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec'] with env {'TERM': 'vt100', 'SHELL': '/bin/bash', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'PROMPT_COMMAND': 'printf "\\033]0;<mock-chroot>\\007"', 'PS1': '<mock-chroot> \\s-\\v\\$ ', 'LANG': 'C.UTF-8', 'SYSTEMD_NSPAWN_TMPFS_TMP': '0'} and shell False
DEBUG util.py:444:  execv(rpmbuild) failed: No such file or directory
DEBUG util.py:598:  Child return code was: 1
DEBUG util.py:169:  kill orphans

Any ideas?

It says that rpmbuild is not installed. Are srpm-build/build groups defined? Compare with output of:

koji -s https://koji.fedoraproject.org/kojihub list-groups f34-build

Metadata Update from @tkopecek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
