On Wed, 2008-07-16 at 11:06 +0800, Linul wrote:
> Hi:
>
> I'm using CentOS 5.2 for my Koji Server, but now I have a problem
> about Koji CLI auth.
>
> According to the wiki document in
> http://fedoraproject.org/wiki/Koji/ServerHowTo , I set up my Koji-hub,
> Koji-web, postgresql, and have a koji web interface.
>
> I also set up my CA Center, and configured the kojiweb.conf,
> kojihub.conf, /etc/koji.conf.
>
> But when I execute the koji command with no username and password, the
> message is:
>
> Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

Your client certificate file (indicated by "cert" in the config file) needs to contain both the certificate and private key. Your private key is missing.

> why?
>
> thanks.....
>
>
> /etc/koji.conf:
>
> [koji]
>
> ;configuration for koji cli tool
>
> ;url of XMLRPC server
> ;server = http://koji.fedoraproject.org/kojihub
> server = http://koji.ossii.com.tw/kojihub
>
> ;url of web interface
> ;weburl = http://koji.fedoraproject.org/koji
> weburl = http://koji.ossii.com.tw/koji
>
> ;url of package download site
> ;pkgurl = http://koji.fedoraproject.org/packages
> pkgurl = http://koji.ossii.com.tw/packages
>
> ;path to the koji top directory
> topdir = /mnt/koji
>
> ;configuration for SSL authentication
>
> ;client certificate
> ;cert = ~/.fedora.cert
> cert = /etc/kojid/kojiadmin.crt
>
> ;certificate of the CA that issued the client certificate
> ;ca = ~/.fedora-upload-ca.cert
> ca = /etc/kojid/kojiadmin.key
>
> ;certificate of the CA that issued the HTTP server certificate
> ;serverca = ~/.fedora-server-ca.cert
> serverca = /etc/httpd/conf.d/ssl/ossiikojica.crt
>
>
> kojihub.conf:
>
> <Directory /usr/share/koji-hub>
>     SetHandler mod_python
>     PythonHandler kojixmlrpc
>     PythonOption DBName koji
>     PythonOption DBUser kevin
>     PythonOption DBHost 127.0.0.1
>     PythonOption KojiDir /mnt/koji
>
>     # Kerberos auth configuration
>     # PythonOption AuthPrincipal [EMAIL PROTECTED]
>     # PythonOption AuthKeytab /etc/koji.keytab
>     # PythonOption ProxyPrincipals [EMAIL PROTECTED]
>     # format string for host principals (%s = hostname)
>     # PythonOption HostPrincipalFormat compile/[EMAIL PROTECTED]
>     # end Kerberos auth configuration
>
>     # SSL client certificate auth configuration
>     # the client username is the common name of the subject of their client certificate
>     PythonOption DNUsernameComponent CN
>     # separate multiple DNs with |
>     # PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/[EMAIL PROTECTED]"
>     PythonOption ProxyDNs "/C=TW/ST=Taiwan/O=OSSII/OU=Koji Hub Server/CN=OSSII Koji Server CA/[EMAIL PROTECTED]"
>     # end SSL client certificate auth configuration
>
>     PythonOption LoginCreatesUser On
>     PythonOption KojiWebURL http://koji.ossii.com.tw/koji
>
>     # The domain name that will be appended to Koji usernames
>     # when creating email notifications
>     PythonOption EmailDomain example.com
>     # PythonOption KojiDebug On
>     # PythonOption KojiTraceback "extended"
>     # sending tracebacks to the client isn't very helpful for debugging xmlrpc
>     PythonDebug Off
>     # autoreload is mostly useless to us (it would only reload kojixmlrpc.py)
>     PythonAutoReload Off
> </Directory>
>
> # uncomment this to enable authentication via SSL client certificates
> <Location /kojihub>
>     SSLOptions +StdEnvVars
> </Location>
> # these options must be enabled globally (in ssl.conf)
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> kojiweb.conf:
>
> Alias /koji "/usr/share/koji-web/scripts/"
>
> <Directory "/usr/share/koji-web/scripts/">
>     # Config for the publisher handler
>     SetHandler mod_python
>     PythonHandler mod_python.publisher
>
>     # General settings
>     PythonDebug On
>     PythonOption KojiHubURL http://koji.ossii.com.tw/kojihub
>     PythonOption KojiWebURL http://koji.ossii.com.tw/koji
>     PythonOption KojiPackagesURL http://koji.ossii.com.tw/koji/packages
>     PythonOption WebPrincipal koji/[EMAIL PROTECTED]
>     PythonOption WebKeytab /etc/httpd.keytab
>     PythonOption WebCCache /var/tmp/kojiweb.ccache
>     PythonOption WebCert /etc/httpd/conf.d/ssl/kojiweb.crt
>     PythonOption ClientCA /etc/httpd/conf.d/ssl/kojiweb.key
>     PythonOption KojiHubCA /etc/httpd/conf.d/ssl/ossiikojica.crt
>     PythonOption LoginTimeout 72
>     # This must be changed before deployment
>     PythonOption Secret CHANGE_ME
>     PythonPath "sys.path + ['/usr/share/koji-web/lib']"
>     PythonCleanupHandler kojiweb.handlers::cleanup
>     PythonAutoReload Off
> </Directory>
> <Location /koji/login>
>     SSLOptions +StdEnvVars
> </Location>
> # these options must be enabled globally (in ssl.conf)
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> Alias /koji-static/ "/usr/share/koji-web/static/"
>
> <Directory "/usr/share/koji-web/static/">
>     Options None
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>
>
> ssl.conf
>
> SSLCertificateFile /etc/httpd/conf.d/ssl/kojihub.crt
> SSLCertificateKeyFile /etc/httpd/conf.d/ssl/kojihub.key
> SSLCACertificateFile /etc/httpd/conf.d/ssl/ossiikojica.crt
> SSLVerifyClient require
> SSLVerifyDepth 10
>
>
> --
> =============================================================================
> 林毓能
> Linul
> RedHat Certified Engineer
>
> TsLG Network Studio: http://www.tslg.idv.tw
> TsLG City Afternoon: http://blog.tslg.idv.tw
> Linul Photo Documentary: http://photo.tslg.idv.tw
> Mobile: 0939797462
> E-mail : [EMAIL PROTECTED]; [EMAIL PROTECTED]
> =============================================================================
> --
> Fedora-buildsys-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/fedora-buildsys-list

--
Fedora-buildsys-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
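
The reply's diagnosis as a check that can be run before invoking the CLI (an added example, not part of the original thread or of Koji): it reads the `cert`, `ca` and `serverca` options from a koji.conf and reports which PEM block types each referenced file lacks. The function names are hypothetical, and the demo files are constructed placeholders that mirror the file layout in the posted config.

```python
import configparser
import os
import re
import tempfile

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
# PEM block types each [koji] option must contain: "cert" per the reply,
# "ca"/"serverca" per the comments in the posted koji.conf.
REQUIRED = {"cert": ("CERTIFICATE", "PRIVATE KEY"),
            "ca": ("CERTIFICATE",), "serverca": ("CERTIFICATE",)}

def pem_labels(path):
    """Return the labels of all PEM blocks in a file, e.g. ['CERTIFICATE']."""
    with open(os.path.expanduser(path), encoding="ascii", errors="replace") as fh:
        return PEM_BEGIN.findall(fh.read())

def check_koji_conf(conf_path):
    """Map each misconfigured option to the PEM block types its file lacks."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(conf_path)
    problems = {}
    for option, needed in REQUIRED.items():
        if not cp.has_option("koji", option):
            continue
        labels = pem_labels(cp.get("koji", option))
        # endswith() also accepts "RSA PRIVATE KEY", "EC PRIVATE KEY", etc.
        missing = [n for n in needed if not any(l.endswith(n) for l in labels)]
        if missing:
            problems[option] = missing
    return problems

def demo():
    """Build constructed files (placeholder bodies, not real keys) and check them."""
    d = tempfile.mkdtemp()
    def write(name, text):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(text)
        return path
    def pem(name, *labels):
        return write(name, "".join(
            f"-----BEGIN {l}-----\nQ09OU1RSVUNURUQ=\n-----END {l}-----\n" for l in labels))
    ca_crt = pem("ossiikojica.crt", "CERTIFICATE")
    def conf(name, cert, ca):
        return write(name, f"[koji]\ncert = {cert}\nca = {ca}\nserverca = {ca_crt}\n")
    crt, key = pem("kojiadmin.crt", "CERTIFICATE"), pem("kojiadmin.key", "RSA PRIVATE KEY")
    both = pem("kojiadmin.pem", "CERTIFICATE", "RSA PRIVATE KEY")
    # First result: layout as posted; second: cert file holding cert + key.
    return (check_koji_conf(conf("posted.conf", crt, key)),
            check_koji_conf(conf("fixed.conf", both, ca_crt)))
```

`demo()` returns the findings for the posted layout and for a layout where the `cert` file carries both blocks; an empty dict means every option points at a file with the expected PEM block types.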
