From: Peter Robinson <pbrobinson@xxxxxxxxx>
To: Development discussions related to Fedora <devel@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: Globe Trotter <itsme_410@xxxxxxxxx>
Sent: Sunday, April 23, 2017 6:31 AM
Subject: Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
On Sun, Apr 23, 2017 at 11:28 AM, Kai Engert <kaie@xxxxxxx> wrote:
> On Sun, 2017-04-23 at 01:05 +0000, Globe Trotter wrote:
>> Hi,
>> I am trying to build a package on koji using:
>> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm
>>
>> and I get:
>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>> (_ssl.c:661)
>>
>> What does this mean? I have both kerberos ticketing and ssh set up.
>> Valid starting Expires Service principal
>> 04/22/2017 20:00:42 04/23/2017 20:00:16 host/koji.fedoraproject.org@FEDORAPR
>> OJECT.ORG
>> renew until 04/29/2017 20:00:16
>> 04/22/2017 20:00:38 04/23/2017 20:00:16 krbtgt/FEDORAPROJECT.ORG@FEDORAPROJE
>> CT.ORG
>> renew until 04/29/2017 20:00:16
>
> I don't get an error when I try to submit a scratch build.
Have you got an old .fedora.cert cert file that's recently expired,
> On Sun, 2017-04-23 at 01:05 +0000, Globe Trotter wrote:
>> Hi,
>> I am trying to build a package on koji using:
>> koji build --scratch f25 thaali-0.4.2-1.fc25.src.rpm
>>
>> and I get:
>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>> (_ssl.c:661)
>>
>> What does this mean? I have both kerberos ticketing and ssh set up.
>> Valid starting Expires Service principal
>> 04/22/2017 20:00:42 04/23/2017 20:00:16 host/koji.fedoraproject.org@FEDORAPR
>> OJECT.ORG
>> renew until 04/29/2017 20:00:16
>> 04/22/2017 20:00:38 04/23/2017 20:00:16 krbtgt/FEDORAPROJECT.ORG@FEDORAPROJE
>> CT.ORG
>> renew until 04/29/2017 20:00:16
>
> I don't get an error when I try to submit a scratch build.
Have you got an old .fedora.cert cert file that's recently expired,
you should be able to just remove it.
I removed both .fedora.cert and .fedora-upload-ca.cert, one by one, to no avail. I also have a .fedora-server-ca.cert which I then removed. But now, the command hangs.
I went and regenerated fedora-packager-setup
and now I am back to the same problem.
Btw,
$ openssl s_client -showcerts -connect koji.fedoraproject.org:443
gives no errors but
$ /usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h koji.fedoraproject.org -p 443
tstclnt: error setting SSL/TLS version range : SSL_ERROR_INVALID_VERSION_RANGE: SSL version range is not valid.
but does.
Thanks!
aarem
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
