-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 22/09/15 00:42, Haïkel wrote:

Hi,

I finally found a workaround to fix CBS issues when using python

...

= 2.7.9 (like Fedora 22 and above)

https://bugzilla.redhat.com/show_bug.cgi?id=1231616 Though it's dirty, but it's no different from python 2.7.8 and older behavior.

Starting python 2.7.9, python ssl standard module enable certificate verification by default, hence causing koji client to fail when interacting with CBS. What I do not get is why withe the same koki client I have no issues with Fedora Koji instance, and why it fails with CBS. People using F21 and older or CentOS, won't experience that issue.

I suspect either a configuration or difference of server versions difference, so I'd like CBS admins to investigate that issue.

Regards, H.

I'll investigate the issue, but as I'm myself not using Fedora , that will be more difficult. I'll setup a VM for that test. Also, if python does cert validation (which I was hoping it was already doing), I'd like to know why it complains about it, if you have to point koji (through ~/.koji/config) to both ca and serverca.

Worth noting that we'll migrate "soon" (more details through the cbs/infra weekly meeting) to FAS, so every CBS packager/builder will have to modify his config. We're also testing to offer different certs for koji communication : the kojihub/kojiweb cert will be signed by a "trusted" CA (aka serverca in your ~/.koji/config file) while FAS will be the CA used to sign cert used for kojid builders nodes and koji client (so for "users")

- -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab