another issue to fix with the FAS2 switch: Kojis ssl certificate

Dennis Gilmore dennis at ausil.us
Tue Mar 11 16:22:20 UTC 2008


On Tuesday 11 March 2008, Till Maas wrote:
> Hiyas,
>
> now that everyone needs to change his password, can we now also deploy the
> new certificate for koji? This will make it possible to verify whether or
> not one can trust the certificate for koji and the ticket[1] is now 7
> months old, i.e. about a full Fedora release cycle. Therefore I guess there
> won't be a better time than now.
>
> Regards,
> Till
>
> [1] https://fedorahosted.org/fedora-infrastructure/ticket/88

No, because it will break user certs. To make it work would require that
users all get entirely new server cert files. We need to redo our entire CA
system. We also need to consider the ramifications for secondary arches:
deploying a new CA would require each and every secondary arch to purchase a
cert from the same CA, or somebody to purchase a cert that covered
*.koji.fedoraproject.org from the same CA.

We are looking at deploying the hub on a separate box from the frontend, which
would allow us to do what you are wanting, but would not look after secondary
arches.

We currently use 2 different CAs in our setup: one that is used only for
user certs and one that is used for the builders and frontend. I would
like to move to a new single-CA setup. In this world, when you import your
Fedora user cert for browser authentication you would automatically recognise
the CA, though this would only be valid for Fedora contributors.

Right now we have up ia64.koji.fedoraproject.org and
sparc.koji.fedoraproject.org in addition to koji.fedoraproject.org; you can
log into any of them using your Fedora cert. We need to ensure that this is
always the case. In addition we will soon have
s390.koji.fedoraproject.org, and eventually arm.fedoraproject.org and
alpha.fedoraproject.org, as well as any others that come along, say
mips/mips64, hppa, whatever arch someone wants to support.

For all of these we need to be able to provide authentication for users across
all servers with one user cert.

Please bring up ideas on redoing our CA infrastructure; we need to start a
project to do it. I'm hoping that Red Hat open sources Red Hat Certificate
System soon, as I'd like to evaluate it to see if it will work for us.

The secondary arch hubs know about the user CA, and have a cert from the
builder CA and know about it as well. In addition they use their own third CA
for identifying the builders, kojira, garbage collection, etc.

Dennis
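The two-CA layout described in the reply (a user CA for contributor certs, a builder CA for the hub and frontend server certs), and the point that a hub server cert issued from a different CA would leave every existing user with a stale server CA file, as an added shell/openssl example. This is not code from the thread or from Fedora Infrastructure; the host names, file names and the "commercial-ca" standing in for the proposed new certificate are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora Infrastructure.
# Rebuilds the trust layout from the reply with throwaway keys:
#   user-ca    : signs contributor (user) certs used to log in to every hub
#   builder-ca : signs hub/frontend server certs (the "serverca" on the client side)
# then shows why swapping a hub's server cert to a new CA breaks existing
# user setups. Host names, file names and "commercial-ca" are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA key and certificate
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue NAME CA CN: leaf key + certificate for CN, signed by CA
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# chains_to CERT CA...: succeeds only if CERT validates against a bundle of
# the named CA certs (the same check a hub or a koji client performs)
chains_to() {
    cert="$1"; shift
    bundle="$WORK/bundle.tmp"
    for ca in "$@"; do cat "$WORK/$ca.crt"; done > "$bundle"
    if openssl verify -CAfile "$bundle" "$WORK/$cert.crt" >/dev/null 2>&1; then
        rm -f "$bundle"; return 0
    fi
    rm -f "$bundle"; return 1
}

# build_pki: today's two CAs plus a hypothetical new CA for the proposed cert
build_pki() {
    make_ca user-ca
    make_ca builder-ca
    make_ca commercial-ca                                    # hypothetical new CA
    issue till    user-ca       "till"                       # a contributor's user cert
    issue hub     builder-ca    "koji.fedoraproject.org"     # primary hub, today
    issue sparc   builder-ca    "sparc.koji.fedoraproject.org"
    issue hub-new commercial-ca "koji.fedoraproject.org"     # hub after the swap
}

# hub side: a client cert is accepted only if it chains to user-ca
hub_accepts_user() { chains_to till user-ca; }
# client side: the serverca file users already have is just builder-ca.crt
client_trusts_hub() { chains_to "$1" builder-ca; }

build_pki
hub_accepts_user          && echo "hub: user cert accepted via user-ca"
client_trusts_hub hub     && echo "client: koji.fedoraproject.org ok with old serverca"
client_trusts_hub sparc   && echo "client: sparc hub ok with the same serverca"
client_trusts_hub hub-new || echo "client: new hub cert REJECTED; every serverca file must change"
```

Run it as-is (it needs only openssl and mktemp); the last line is the failure the reply is warning about: the user CA and the logins keep working, but the moment the hub presents a cert from a CA that is not in the serverca file shipped to contributors, every client rejects the hub until that file is replaced. The same bundle check is what lets one user cert work on ia64, sparc and the primary hub, as long as all of them trust the same user CA.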