Summary: Updated SSL Stores on resources.ovirt.org
Key: OVIRT-2052
URL: https://ovirt-jira.atlassian.net/browse/OVIRT-2052
Project: oVirt - virtualization made easy
Issue Type: By-EMAIL
Reporter: Anton Marchukov
Assignee: infra
resources.ovirt.org has old SSL stores and does not consider lets encrypt certs as valid:
ovpn-205-70:~ amarchuk$ ssh http://resources.ovirt.org ssh: Could not resolve hostname http://resources.ovirt.org: nodename nor servname provided, or not known ovpn-205-70:~ amarchuk$ ssh resources.ovirt.org Last login: Thu May 10 14:19:17 2018 from monitoring.ovirt.org [amarchuk@resources02 ~]$ curl https://jenkins.ovirt.org/ curl: (60) Peer's Certificate issuer is not recognized. More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a “bundle” of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
We also have a python utility called repoman that uses the bundle certs inside “python-requests” library so we need to make sure it is updated too along with the system certs.
We might have the same problem on other servers, e.g. on Jenkins and it’s slaves so might make sense to analyse the situation and extend this ticket.
— This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100085)