On Thursday, November 18, 2021 1:35:29 PM CET patrick+build...@laimbock.com wrote:
> Hi Pavel,
>
> Thank you for your feedback.
>
> On 18-11-2021 10:17, Pavel Raiskup wrote:
> >> I did not because AFAICT the ca-bundle is for CA certificates and not
> >> for a client (non-CA) certificate and key.
> >
> > You can get an inspiration from rhel chroots, where also client pem files
> > are used for DNF (curl) to authenticate against RHEL CDN:
> > https://github.com/rpm-software-management/mock/blob/d081bc113e3c6af9b80167592f1dc95f7edd9c58/mock/py/mockbuild/package_manager.py#L520-L533
> > Perhaps you can re-use that directory?
>
> Sure, I could re-use /etc/pki/entitlement for non-entitlement
> certificates. But why put client certs & keys in an entitlement
> directory when you can put them in the obvious (and IMHO correct) location?
>
> client.pem -> /etc/pki/tls/certs/
> client.key -> /etc/pki/tls/private/


You wrote that your "mock needs an access to repos". So I naturally thought
that we are talking about something like the entitlement key+cert pair (which
is quite a new thing in mock anyways, and the only chroot using that is RHEL,
and ... /etc/pki/entitlement is not a bad place). Though ....

> > Still, the public certificate should go to the bundle, I tend to agree with
> > @msuchy.
>
> I would agree if you were talking about a *CA* certificate? For non-CA
> certificates the ca-bundle is IMHO not the proper place.
>
> If on RHEL & Fedora hosts these default locations are used:
>
> CA certificates -> ca-bundle
> RHEL entitlements -> /etc/pki/entitlement/
> Public client/server certificates -> /etc/pki/tls/certs/
> Private client/server certificates -> /etc/pki/tls/private/
>
> then isn't it logical to copy that behavior into the chroot?

... if for any reason you can't or don't want to use that, it's OK - I think
patches are welcome, and I bet that the current mock support is really
RHEL-only oriented, meaning that a smaller or bigger patch would be needed
anyway ;)

Happy hacking!
Pavel

> Best,
> Patrick
> _______________________________________________
> buildsys mailing list -- buildsys@lists.fedoraproject.org
> To unsubscribe send an email to buildsys-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/buildsys@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure