Hello everyone,
I am trying to set up a custom server in my VM with Fedora WS 34. At this moment I am trying the Kerberos authentication, but I am getting issues with the SSL login. Is there any SSL config needed? I am following this guide: https://docs.pagure.org/koji/server_howto/
When I try to do koji moshimoshi, I am getting the following error:
[root@koji lerodrig]# KRB5_TRACE=/dev/stdout koji -d hello
2021-09-24 15:27:13,591 [DEBUG] koji: Opening new requests session
2021-09-24 15:27:13,591 [DEBUG] koji: Opening new requests session
2021-09-24 15:27:13,640 [DEBUG] koji: Opening new requests session
2021-09-24 15:27:13,641 [ERROR] koji: (gssapi auth failed: requests.exceptions.SSLError: HTTPSConnectionPool(host='koji.ksi.com', port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)'))))
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
Traceback (most recent call last):
  File "/usr/bin/koji", line 335, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python3.9/site-packages/koji_cli/commands.py", line 7680, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python3.9/site-packages/koji_cli/lib.py", line 749, in activate_session
    session.gssapi_login(proxyuser=runas)
  File "/usr/lib/python3.9/site-packages/koji/__init__.py", line 2531, in gssapi_login
    raise GSSAPIAuthError(err)
koji.GSSAPIAuthError: unable to obtain a session (gssapi auth failed: requests.exceptions.SSLError: HTTPSConnectionPool(host='koji.ksi.com', port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)'))))
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
[root@koji lerodrig]#
Koji supports two forms of authentication:
Both of these require your hub web server (Apache) to use HTTPS to protect the connection.
Specifically, if you don't use HTTPS to protect the hub, a passive adversary could listen to the plaintext HTTP connection to observe any private information in the client's request or server's response. In Koji's case, observers could snoop the initial GSSAPI login to /kojihub/ssllogin, or snoop the client's session-id and private session-key that the client sends in every subsequent authenticated XML-RPC HTTP request. So you're right to use HTTPS on the hub.
That particular CERTIFICATE_VERIFY_FAILED error means that your Koji client is unable to verify the HTTPS server certificate that the hub presents to clients.
The easiest way to get rid of this error is to trust the CA system-wide on your client. Assuming you generated a CA on your Koji hub box, securely copy it to each client, and place the CA file into /etc/pki/ca-trust/source/anchors on each client, like so:
sudo cp /tmp/koji-ca.crt /etc/pki/ca-trust/source/anchors/koji-ca.crt
sudo update-ca-trust extract
Then you should be able to make curl requests of your hub.
The Server HowTo instructions for openssl are complicated. I wrote https://pagure.io/koji-tools/blob/master/f/src/bin/koji-ssl-admin to simplify the steps.
To generate a CA keypair:
./src/bin/koji-ssl-admin new-ca --common-name "lerodrig koji ca"
To generate the keypair for HTTPS service (for kojihub + kojiweb):
./src/bin/koji-ssl-admin server-csr koji.ksi.com
./src/bin/koji-ssl-admin sign koji.ksi.com.csr
Then copy those files to your hub's /etc/pki/koji directory:
sudo cp koji.ksi.com.chain.crt /etc/pki/koji/
sudo cp koji.ksi.com.key /etc/pki/koji/
Your Apache configuration should point at those files:
SSLCertificateKeyFile /etc/pki/koji/koji.ksi.com.key
SSLCertificateFile /etc/pki/koji/koji.ksi.com.chain.crt
(Omit SSLCertificateChainFile because SSLCertificateFile does the same thing in Apache 2.4.8+. Omit SSLCACertificateFile, since you're doing Kerberos auth, not SSL client auth.)
Finally, reload Apache:
sudo systemctl reload httpd
Does it address your issue?
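The certificate failure from the question and the fix from the answer above can be reproduced offline with a throwaway CA. This is an added example, not part of the original thread and not koji-ssl-admin output; the CA name, the file names and the hostname other.example.test are constructed for the demo, and it assumes OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/usr/bin/env bash
# Added example: throwaway PKI, constructed for the demo.

make_demo_pki() {            # $1 = empty, writable working directory
  local d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo koji ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  printf 'subjectAltName = DNS:koji.ksi.com\n' > "$d/san.ext"
  # Self-signed CA certificate (plays the role of koji-ca.crt).
  openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  # Server key and CSR for the hub's hostname, then sign the CSR with the CA.
  openssl req -new -config "$d/pki.cnf" -subj "/CN=koji.ksi.com" \
    -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -extfile "$d/san.ext" -out "$d/srv.crt" 2>/dev/null
}

# Client that has NOT installed the CA: the CA is only seen as part of the
# server's chain (-untrusted), so it is not a trust anchor.
verify_without_anchor() { openssl verify -untrusted "$1/ca.crt" "$1/srv.crt" 2>&1; }

# Client after the CA became a trust anchor; also checks the hostname ($2).
verify_with_anchor() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/srv.crt" 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  echo "--- CA not trusted:";  verify_without_anchor "$d"
  echo "--- CA trusted:";      verify_with_anchor "$d" koji.ksi.com
  echo "--- wrong hostname:";  verify_with_anchor "$d" other.example.test
  rm -rf "$d"
}
demo
```

The last case shows that trusting the CA is not sufficient on its own: the name the client connects to must also match the certificate.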
Yes, thank you so much. Now I can authenticate and use koji, but I am having issues building any RPM.
[root@koji tmp]# koji build --scratch dist-coreos koji-1.25.0-2.fc34.src.rpm
Uploading srpm: koji-1.25.0-2.fc34.src.rpm
[====================================] 100% 00:00:00 1.15 MiB 19.78 MiB/sec
Created task: 3
Task info: https://koji.ksi.com/koji/taskinfo?taskID=3
Watching tasks (this may be safely interrupted)...
3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm): free
3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm): free -> open (builder1.koji.ksi.com)
4 rebuildSRPM (noarch): free
4 rebuildSRPM (noarch): free -> open (builder1.koji.ksi.com)
4 rebuildSRPM (noarch): open (builder1.koji.ksi.com) -> FAILED: BuildError: error building srpm, mock exited with status 1; see build.log or root.log for more information
Relevant logs:
https://koji.ksi.com//work/tasks/4/4/mock_output.log
https://koji.ksi.com//work/tasks/4/4/hw_info.log
https://koji.ksi.com//work/tasks/4/4/state.log
https://koji.ksi.com//work/tasks/4/4/build.log
https://koji.ksi.com//work/tasks/4/4/root.log
0 free 1 open 0 done 1 failed
3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm): open (builder1.koji.ksi.com) -> FAILED: BuildError: error building srpm, mock exited with status 1; see build.log or root.log for more information
0 free 0 open 0 done 2 failed
3 build (dist-coreos, koji-1.25.0-2.fc34.src.rpm) failed
This is the mock.log
INFO: Running in chroot: ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']
Start: chroot ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']
execv(rpmbuild) failed: No such file or directory
Finish: chroot ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']
And the root.log
DEBUG file_util.py:30: touching file: /var/lib/mock/dist-coreos-build-1-1/root/.initialized
INFO backend.py:391: Running in chroot: ['rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec']
DEBUG util.py:624: child environment: None
DEBUG util.py:536: Using nspawn with args ['--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.508dm313:/etc/resolv.conf', '--bind=/dev/btrfs-control', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11']
DEBUG util.py:542: Executing command: ['/usr/bin/systemd-nspawn', '-q', '-M', 'c41e2fd7a1a74255a9ef4b43b8e60d38', '-D', '/var/lib/mock/dist-coreos-build-1-1/root', '-a', '--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.508dm313:/etc/resolv.conf', '--bind=/dev/btrfs-control', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11', '--console=pipe', '--setenv=TERM=vt100', '--setenv=SHELL=/bin/bash', '--setenv=HOME=/builddir', '--setenv=HOSTNAME=mock', '--setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin', '--setenv=PROMPT_COMMAND=printf "\\033]0;<mock-chroot>\\007"', '--setenv=PS1=<mock-chroot> \\s-\\v\\$ ', '--setenv=LANG=C.UTF-8', '--resolv-conf=off', 'rpmbuild', '--define', '_topdir /chroot_tmpdir/srpm_unpacked', '-bs', '--nodeps', '/chroot_tmpdir/srpm_unpacked/SPECS/koji.spec'] with env {'TERM': 'vt100', 'SHELL': '/bin/bash', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'PROMPT_COMMAND': 'printf "\\033]0;<mock-chroot>\\007"', 'PS1': '<mock-chroot> \\s-\\v\\$ ', 'LANG': 'C.UTF-8', 'SYSTEMD_NSPAWN_TMPFS_TMP': '0'} and shell False
DEBUG util.py:444: execv(rpmbuild) failed: No such file or directory
DEBUG util.py:598: Child return code was: 1
DEBUG util.py:169: kill orphans
Any ideas?
It says that rpmbuild is not installed. Are srpm-build/build groups defined? Compare with output of:
koji -s https://koji.fedoraproject.org/kojihub list-groups f34-build
Metadata Update from @tkopecek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)