Anton Marchukov created OVIRT-2052:
--------------------------------------
Summary: Updated SSL Stores on resources.ovirt.org
Key: OVIRT-2052
URL: https://ovirt-jira.atlassian.net/browse/OVIRT-2052
Project: oVirt - virtualization made easy
Issue Type: By-EMAIL
Reporter: Anton Marchukov
Assignee: infra
resources.ovirt.org has old SSL stores and does not consider lets
encrypt certs as valid:
ovpn-205-70:~ amarchuk$ ssh http://resources.ovirt.org
ssh: Could not resolve hostname http://resources.ovirt.org: nodename
nor servname provided, or not known
ovpn-205-70:~ amarchuk$ ssh resources.ovirt.org
Last login: Thu May 10 14:19:17 2018 from monitoring.ovirt.org
[amarchuk@resources02 ~]$ curl https://jenkins.ovirt.org/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
We also have a python utility called repoman that uses the bundle
certs inside “python-requests” library so we need to make sure it is
updated too along with the system certs.
We might have the same problem on other servers, e.g. on Jenkins and
it’s slaves so might make sense to analyse the situation and extend
this ticket.
--
This message was sent by Atlassian Jira
(v1001.0.0-SNAPSHOT#100085)
_______________________________________________
Infra mailing list -- infra@ovirt.org
To unsubscribe send an email to infra-le...@ovirt.org
