Description of problem:
koji -d list-tagged on cbs.centos.org using https

Version-Release number of selected component:
koji-1.9.0-15.fc22

Additional info:
reporter:       libreport-2.5.1
cmdline:        /usr/bin/python /usr/bin/koji -d list-tagged virt7-kvm-common-testing
dso_list:       python-libs-2.7.10-1.fc22.x86_64
executable:     /usr/bin/koji
kernel:         4.0.4-303.fc22.x86_64
runlevel:       N 5
type:           Python
uid:            20528

Truncated backtrace:
ssl.py:808:do_handshake:SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Traceback (most recent call last):
  File "/usr/bin/koji", line 6575, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/bin/koji", line 2620, in anon_handle_list_tagged
    activate_session(session)
  File "/usr/bin/koji", line 6545, in activate_session
    ensure_connection(session)
  File "/usr/bin/koji", line 305, in ensure_connection
    ret = session.getAPIVersion()
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1556, in __call__
    return self.__func(self.__name,args,opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1899, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1810, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1828, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 893, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 855, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Local variables in innermost frame:
self: <ssl.SSLSocket object at 0x7f8d41203230>
block: False
timeout: 43200.0
Created attachment 1038769 [details] File: backtrace
Created attachment 1038770 [details] File: environ
I think this issue is related to python. If downgraded to the F21 python package (2.7.8), it does not fail on F22 and F23.
Created attachment 1075613 [details]
Workaround to make koji client working against CBS instance when using python >= 2.7.9

Needs CBS admin input, I don't get why the same koji client works fine with Fedora Koji instance and not CBS. This could be a configuration issue.
The workaround works for me as well.
Just to add that the current certificate presented by that koji instance doesn't seem to be the right one: its CN is actually "kojihub", which isn't correct and so doesn't match the hostname cbs.centos.org, which is the reason why python complains (and for a good reason).
Just to verify: can someone update their local resolver (/etc/hosts is fine) with
    66.187.224.194 kojihub
and then ~/.koji/config with kojihub instead of cbs.centos.org, and verify that "koji moshimoshi" then works fine without that patch?
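The name check that the comment above describes, as an added example (not koji's or CPython's code): a simplified matcher over a certificate in the dict form that `ssl.SSLSocket.getpeercert()` returns. The certificate dicts are constructed from the comment's description (CN "kojihub"), the function names are hypothetical, and chain-of-trust validation, the other check Python >= 2.7.9 performs by default, is not modeled.

```python
# Added example: simplified RFC 6125-style name check over getpeercert()-style dicts.
# Not koji's or CPython's implementation; function names are hypothetical.

def _name_matches(pattern, hostname):
    """Compare label by label; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ("*.org").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def names_in_cert(cert):
    """DNS subjectAltName entries win; commonName is used only when there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "subjectAltName", sans
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "commonName", cns

def check_hostname(cert, hostname):
    """Return (ok, source, names) so a mismatch can be reported with what was offered."""
    source, names = names_in_cert(cert)
    return any(_name_matches(n, hostname) for n in names), source, names

# Constructed certificates: the first mirrors the CN reported in the comment above.
CN_ONLY_CERT = {"subject": ((("commonName", "kojihub"),),)}
SAN_CERT = {
    "subject": ((("commonName", "kojihub"),),),
    "subjectAltName": (("DNS", "cbs.centos.org"), ("DNS", "*.example.org")),
}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY_CERT, "cbs.centos.org"), (CN_ONLY_CERT, "kojihub"),
                       (SAN_CERT, "cbs.centos.org"), (SAN_CERT, "kojihub")]:
        ok, source, names = check_hostname(cert, host)
        print("%-15s %-5s via %s %s" % (host, ok, source, names))
```

With the public hostname listed in subjectAltName the check passes for cbs.centos.org and the CN is no longer consulted, so clients need no resolver or config changes.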
Well, when I try "koji moshimoshi", I get correct output even without changing the host. What doesn't work for me is, for example, "koji list-targets". So, I've added "66.187.224.194 kojihub" to /etc/hosts and used the following values in the koji config:

server = https://kojihub/kojihub/
weburl = https://kojihub/koji
topurl = https://kojihub/kojifiles

But I still get the same output for both "koji moshimoshi" (works) and "koji list-targets", which prints:

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Just worth noting that the distributed/given config has http://cbs.centos.org/{kojihub,koji,kojifiles} and not https. I know it can be confusing, as we give an http URL, but then koji switches to TLS for cert validation. Just curious, why have you updated your config so that it is not the same as the one given by the guy maintaining that koji environment? Can you give it a try please? Also worth noting that we'll also change all the current Koji TLS cert validation once we migrate to FAS (and it's now ready), so all those bad certs will go away (as it's true that there is still a misconfiguration issue at the cbs/koji level).
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.