Ticket #88 (closed annoyance: wontfix)

Opened 7 years ago

Last modified 6 years ago

https://koji.fedoraproject.org is signed with an unknown certificate (extras64.linux.duke.edu)

Reported by: till Owned by: ausil
Priority: major Milestone:
Component: Security Version:
Severity: Normal Keywords:
Cc: toshio Blocked By:
Blocking: Sensitive:

Description

When I connect to https://koji.fedoraproject.org firefox warns me about an untrusted certificate. The certificate is signed by extras64.linux.duke.edu as far as I understand. Please use a certificate that I can verify, i.e. that firefox knows, instead.

Change History

comment:1 Changed 7 years ago by lmacken

  • Owner changed from lmacken to mbonnet

comment:2 Changed 7 years ago by till

ping? Can you please fix this? This is not only a security issue, but also embarrassing for the Fedora Project itself, imho.

comment:3 Changed 7 years ago by toshio

mbonnet: Could we put behind https://admin.fp.o like bodhi, mirrormanager, and the other applications or will that interfere with koji's certificate authentication?

comment:4 Changed 7 years ago by toshio

  • Cc toshio added

comment:5 Changed 6 years ago by mmcgrath

  • Owner changed from mbonnet to ausil

Nothing is ever as easy as it seems. We now have a cert, but it will require changes to everyone's client (~/.fedora-server-ca.cert) dgilmore is point man on this. We'll have to announce and come up with a plan.

comment:6 Changed 6 years ago by till

Will this be fixed now with the switch to the new FAS? Everyone has to change the password, so changing the certificate now would be no big deal, too.

comment:7 Changed 6 years ago by johan

There is currently, according to this post on fedora-infrastructure-list, a wildcard certificate for *.fp.o. Is it possible to use that certificate to resolve this issue?

comment:8 follow-up: ↓ 9 Changed 6 years ago by ausil

  • Resolution set to wontfix
  • Status changed from new to closed

that does not resolve the issue for secondary arches or user certificates.

I'm going to close this as wontfix

comment:9 in reply to: ↑ 8 Changed 6 years ago by till

Replying to ausil:

that does not resolve the issue for secondary arches or user certificates.

Just in case someone else wants to fix this in the future, this is what can be done:

Alternative 1) Run koji-hub and the web frontend on different ip addresses Alternative 2) Use different CAs to verify the secondary archs and the main koji instance, which is probably possible, because nobody objected here: https://www.redhat.com/archives/fedora-infrastructure-list/2008-March/msg00080.html

As far as I can see, there is no issue regarding the user certificates, because they do not need to be signed by the same CA as the koji web interface certificate is.

Note: See TracTickets for help on using tickets.