Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
On Sun, 23-04-2017 at 01:05 +, Globe Trotter wrote:
> Hi,
>
> I am trying to build a package on koji using:
>
> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm

What version of koji is installed?

Dennis

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
Thanks! I had all the packages installed (updated versions). But removing ~/.koji/config seems to have done the trick. Thanks again! Best wishes.

From: Sérgio Basto
To: Globe Trotter; Development discussions related to Fedora
Sent: Sunday, April 23, 2017 10:02 AM
Subject: Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

From: https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016

Question: I get an error "SSL: CERTIFICATE_VERIFY_FAILED" when trying to use koji

Answer: This means you have an outdated configuration file. Please make sure first that you have the package versions as described in the list above. If you do have those versions, please check if you have a /etc/koji.conf.rpmnew, in which case you need to move that to /etc/koji.conf. If you don't, check if you have a ~/.koji/config file, in which case you want to remove that.

Is this the problem?

On Sun, 2017-04-23 at 13:29 +, Globe Trotter wrote:
> From: Peter Robinson
> To: Development discussions related to Fedora
> Cc: Globe Trotter
> Sent: Sunday, April 23, 2017 6:31 AM
> Subject: Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
>
> On Sun, Apr 23, 2017 at 11:28 AM, Kai Engert wrote:
> > On Sun, 2017-04-23 at 01:05 +, Globe Trotter wrote:
> >> Hi,
> >> I am trying to build a package on koji using:
> >> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm
> >>
> >> and I get:
> >> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
> >>
> >> What does this mean? I have both kerberos ticketing and ssh set up.
> >> Valid starting       Expires              Service principal
> >> 04/22/2017 20:00:42  04/23/2017 20:00:16  host/koji.fedoraproject.org@FEDORAPROJECT.ORG
> >>         renew until 04/29/2017 20:00:16
> >> 04/22/2017 20:00:38  04/23/2017 20:00:16  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
> >>         renew until 04/29/2017 20:00:16
> >
> > I don't get an error when I try to submit a scratch build.
>
> Have you got an old .fedora.cert cert file that's recently expired,
> you should be able to just remove it.
>
> I removed both .fedora.cert and .fedora-upload-ca.cert, one by one,
> to no avail. I also have a .fedora-server-ca.cert which I then
> removed. But now, the command hangs.
>
> I went and regenerated fedora-packager-setup
>
> and now I am back to the same problem.
>
> Btw,
>
> $ openssl s_client -showcerts -connect koji.fedoraproject.org:443
>
> gives no errors but
>
> $ /usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443
> tstclnt: error setting SSL/TLS version range : SSL_ERROR_INVALID_VERSION_RANGE: SSL version range is not valid.
>
> but does.
>
> Thanks!
> aarem

--
Sérgio M. B.
Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
From: https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016

Question: I get an error "SSL: CERTIFICATE_VERIFY_FAILED" when trying to use koji

Answer: This means you have an outdated configuration file. Please make sure first that you have the package versions as described in the list above. If you do have those versions, please check if you have a /etc/koji.conf.rpmnew, in which case you need to move that to /etc/koji.conf. If you don't, check if you have a ~/.koji/config file, in which case you want to remove that.

Is this the problem?

On Sun, 2017-04-23 at 13:29 +, Globe Trotter wrote:
> From: Peter Robinson
> To: Development discussions related to Fedora
> Cc: Globe Trotter
> Sent: Sunday, April 23, 2017 6:31 AM
> Subject: Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
>
> On Sun, Apr 23, 2017 at 11:28 AM, Kai Engert wrote:
> > On Sun, 2017-04-23 at 01:05 +, Globe Trotter wrote:
> >> Hi,
> >> I am trying to build a package on koji using:
> >> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm
> >>
> >> and I get:
> >> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
> >>
> >> What does this mean? I have both kerberos ticketing and ssh set up.
> >> Valid starting       Expires              Service principal
> >> 04/22/2017 20:00:42  04/23/2017 20:00:16  host/koji.fedoraproject.org@FEDORAPROJECT.ORG
> >>         renew until 04/29/2017 20:00:16
> >> 04/22/2017 20:00:38  04/23/2017 20:00:16  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
> >>         renew until 04/29/2017 20:00:16
> >
> > I don't get an error when I try to submit a scratch build.
>
> Have you got an old .fedora.cert cert file that's recently expired,
> you should be able to just remove it.
>
> I removed both .fedora.cert and .fedora-upload-ca.cert, one by one,
> to no avail. I also have a .fedora-server-ca.cert which I then
> removed. But now, the command hangs.
>
> I went and regenerated fedora-packager-setup
>
> and now I am back to the same problem.
>
> Btw,
>
> $ openssl s_client -showcerts -connect koji.fedoraproject.org:443
>
> gives no errors but
>
> $ /usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443
> tstclnt: error setting SSL/TLS version range : SSL_ERROR_INVALID_VERSION_RANGE: SSL version range is not valid.
>
> but does.
>
> Thanks!
> aarem

--
Sérgio M. B.
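
The checks from the wiki answer quoted in the message above, as a read-only shell report. This is an added example, not part of the original thread or of koji itself; the function names and the option names cert, ca and serverca are assumptions, the sample config is constructed, and the package-version check is left out because the version list is not quoted in this thread.

```shell
#!/bin/sh
# Added example: report which remedy from the wiki answer applies.
# Nothing is moved or deleted; the caller decides what to do.

# Usage: koji_config_remedy [ROOT] [USER_HOME]
#   move-rpmnew         ROOT/etc/koji.conf.rpmnew exists (move it to /etc/koji.conf)
#   remove-user-config  USER_HOME/.koji/config exists (it overrides the system file)
#   none                neither outdated file is present
koji_config_remedy() {
    root=${1:-}
    user_home=${2:-$HOME}
    if [ -f "$root/etc/koji.conf.rpmnew" ]; then
        echo move-rpmnew
    elif [ -f "$user_home/.koji/config" ]; then
        echo remove-user-config
    else
        echo none
    fi
}

# List certificate-related settings still active in a koji config file.
# The key names (cert, ca, serverca) are assumed legacy client options;
# lines commented out with ';' or '#' are ignored.
koji_cert_settings() {
    [ -f "$1" ] || return 0
    sed -n -E 's/^[[:space:]]*(cert|ca|serverca)[[:space:]]*=[[:space:]]*(.*)$/\1=\2/p' "$1"
}

# Constructed sample tree (not real user data) so the report can be seen offline.
demo=$(mktemp -d)
mkdir -p "$demo/home/.koji" "$demo/etc"
cat > "$demo/home/.koji/config" <<'EOF'
[koji]
server = https://koji.fedoraproject.org/kojihub
cert = ~/.fedora.cert
;ca = ~/.fedora-upload-ca.cert
serverca = ~/.fedora-server-ca.cert
EOF
echo "remedy: $(koji_config_remedy "$demo" "$demo/home")"
koji_cert_settings "$demo/home/.koji/config"
```

Called with no arguments, koji_config_remedy inspects /etc and $HOME on the running system.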
Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
From: Jens Lody
To: devel@lists.fedoraproject.org
Sent: Sunday, April 23, 2017 9:49 AM
Subject: Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

On Sun, 23 Apr 2017 13:29:30 + (UTC), Globe Trotter wrote:
> $ openssl s_client -showcerts -connect koji.fedoraproject.org:443
>
> gives no errors but
> $ /usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443
> tstclnt: error setting SSL/TLS version range : SSL_ERROR_INVALID_VERSION_RANGE: SSL version range is not valid.
>
> but does.
> Thanks!
> aarem

You need to restrict the default version-range by adding "-V tls1.0:" (note the colon):

/usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443 -V tls1.0:

Thanks! Now, I get a hang at:

..
end of certificate chain information
subject DN: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
issuer DN: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
0 cache hits; 1 cache misses, 0 cache not reusable
0 stateless resumes
Received 0 Cert Status items (OCSP stapled data)

Thanks again!
Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
On Sun, 23 Apr 2017 13:29:30 + (UTC), Globe Trotter wrote:
> $ openssl s_client -showcerts -connect koji.fedoraproject.org:443
>
> gives no errors but
> $ /usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443
> tstclnt: error setting SSL/TLS version range : SSL_ERROR_INVALID_VERSION_RANGE: SSL version range is not valid.
>
> but does.
> Thanks!
> aarem

You need to restrict the default version-range by adding "-V tls1.0:" (note the colon):

/usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443 -V tls1.0:

Jens
Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
From: Peter Robinson
To: Development discussions related to Fedora
Cc: Globe Trotter
Sent: Sunday, April 23, 2017 6:31 AM
Subject: Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

On Sun, Apr 23, 2017 at 11:28 AM, Kai Engert wrote:
> On Sun, 2017-04-23 at 01:05 +, Globe Trotter wrote:
>> Hi,
>> I am trying to build a package on koji using:
>> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm
>>
>> and I get:
>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
>>
>> What does this mean? I have both kerberos ticketing and ssh set up.
>> Valid starting       Expires              Service principal
>> 04/22/2017 20:00:42  04/23/2017 20:00:16  host/koji.fedoraproject.org@FEDORAPROJECT.ORG
>>         renew until 04/29/2017 20:00:16
>> 04/22/2017 20:00:38  04/23/2017 20:00:16  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
>>         renew until 04/29/2017 20:00:16
>
> I don't get an error when I try to submit a scratch build.

Have you got an old .fedora.cert cert file that's recently expired, you should be able to just remove it.

I removed both .fedora.cert and .fedora-upload-ca.cert, one by one, to no avail. I also have a .fedora-server-ca.cert which I then removed. But now, the command hangs.

I went and regenerated fedora-packager-setup

and now I am back to the same problem.

Btw,

$ openssl s_client -showcerts -connect koji.fedoraproject.org:443

gives no errors but

$ /usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443
tstclnt: error setting SSL/TLS version range : SSL_ERROR_INVALID_VERSION_RANGE: SSL version range is not valid.

but does.

Thanks!
aarem
Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
On Sun, Apr 23, 2017 at 11:28 AM, Kai Engert wrote:
> On Sun, 2017-04-23 at 01:05 +, Globe Trotter wrote:
>> Hi,
>> I am trying to build a package on koji using:
>> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm
>>
>> and I get:
>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
>>
>> What does this mean? I have both kerberos ticketing and ssh set up.
>> Valid starting       Expires              Service principal
>> 04/22/2017 20:00:42  04/23/2017 20:00:16  host/koji.fedoraproject.org@FEDORAPROJECT.ORG
>>         renew until 04/29/2017 20:00:16
>> 04/22/2017 20:00:38  04/23/2017 20:00:16  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
>>         renew until 04/29/2017 20:00:16
>
> I don't get an error when I try to submit a scratch build.

Have you got an old .fedora.cert cert file that's recently expired, you should be able to just remove it.
Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
On Sun, 2017-04-23 at 01:05 +, Globe Trotter wrote:
> Hi,
> I am trying to build a package on koji using:
> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm
>
> and I get:
> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
>
> What does this mean? I have both kerberos ticketing and ssh set up.
> Valid starting       Expires              Service principal
> 04/22/2017 20:00:42  04/23/2017 20:00:16  host/koji.fedoraproject.org@FEDORAPROJECT.ORG
>         renew until 04/29/2017 20:00:16
> 04/22/2017 20:00:38  04/23/2017 20:00:16  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
>         renew until 04/29/2017 20:00:16

I don't get an error when I try to submit a scratch build.

I'm not sure what hosts the koji tool will connect to, is that limited to https://koji.fedoraproject.org/ ?

Do these commands give you cert validation errors?

openssl s_client -showcerts -connect koji.fedoraproject.org:443

/usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443

(Feel free to mail the output from these commands to me.)

Maybe you're behind a man-in-the-middle proxy?

Kai