On Wednesday, November 17, 2021 12:08:27 PM CET patrick+build...@laimbock.com wrote:
> Hi Miroslav,
>
> Thank you for your feedback.
>
> On 17-11-2021 11:28, Miroslav Suchý wrote:
> > On 16. 11. 21 at 19:37, patrick+build...@laimbock.com wrote:
> >> Thank you (both) for your feedback. And for mock. I could not get your
> >> nor Pat's suggestion to work with a self-signed certificate and key.
> >
> > Did you update the ca-bundle.crt?
> >
> > https://unix.stackexchange.com/a/445884/100010
>
> I did not because AFAICT the ca-bundle is for CA certificates and not
> for a client (non-CA) certificate and key.

You can get inspiration from rhel chroots, where also client pem files are used
for DNF (curl) to authenticate against RHEL CDN:
https://github.com/rpm-software-management/mock/blob/d081bc113e3c6af9b80167592f1dc95f7edd9c58/mock/py/mockbuild/package_manager.py#L520-L533

Perhaps you can re-use that directory? Still, the public certificate should go
to the bundle, I tend to agree with @msuchy.

Pavel

> $ man update-ca-trust
> update-ca-trust - manage consolidated and dynamic configuration of CA
> certificates and associated trust
>
> I only see CA certificates mentioned in that manpage, not non-CA/client
> certificates and keys. On the host the ca-bundle.crt is public (0644)
> and I'd rather not put a client.key in there. IMHO this does not seem
> the appropriate place or mechanism for non-CA certificates.
>
> >> So I came up with the attached patch. I'll be happy to create a PR/MR
> >> if this is something you would consider adding?
> >
> > PR is always welcomed. But before we add something new I will want to
> > know why the current solution does not work.
>
> I guess it works but IMHO it's just not a proper solution to mix CAs
> with client certificates and keys.
>
> Best,
> Patrick
> _______________________________________________
> buildsys mailing list -- buildsys@lists.fedoraproject.org
> To unsubscribe send an email to buildsys-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/buildsys@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
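
Added example, not part of the original thread and not mock's code: a check for the concern raised above, that a world-readable (0644) bundle should not carry a client private key. The file names and PEM bodies are constructed placeholders, and audit_pem_file() and demo() are hypothetical helper names.

```python
import os
import re
import stat
import tempfile

# Captures the label of each PEM block, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def audit_pem_file(path):
    """Return a list of findings for one PEM file (empty list means clean)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "r", errors="replace") as fh:
        labels = PEM_BEGIN.findall(fh.read())
    # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY blocks.
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    others_can_read = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    if has_key and others_can_read:
        findings.append("private key readable by group/other (mode %04o)" % mode)
    if has_key and "CERTIFICATE" in labels:
        findings.append("private key stored in the same file as certificates")
    return findings


def demo():
    """Audit three constructed files; returns {file name: findings}."""
    # Constructed placeholder bodies: only the PEM labels matter to the audit.
    cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    cases = {
        "bundle-with-key.crt": (cert + key, 0o644),  # the layout objected to
        "ca-only.crt": (cert, 0o644),                # public bundle, certs only
        "client.key": (key, 0o600),                  # key kept separate, owner-only
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in cases.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = audit_pem_file(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```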