Can't make Koji work on a CentOS 6 server

Hanynowsky asked:

I set up the Koji build environment on a CentOS 6 server as suggested by the documentation (http://fedoraproject.org/wiki/Koji/ServerHowTo).
I could properly access the Koji Web using HTTP, yet I’m facing an SSL certificate trouble when switching to HTTPS:

Client browser error produced by Mozilla Firefox:

SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)

  • Having enabled two admin users, I get a Koji-specific error when running the command:

    su kojiman; koji call getLoggedInUser

Errors under kojiman:

Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]


    su kojiadmin; koji call getLoggedInUser

Errors under kojiadmin:

Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert bad certificate'), ('SSL routines', 'SSL3_WRITE_BYTES', 'ssl handshake failure')]

While in httpd ssl log I have the following:


SSL errors:

[Wed Feb 05 18:37:28 2014] [error] [client 46.21.193.155] Certificate Verification: Error (19): self signed certificate in certificate chain
[Wed Feb 05 18:44:06 2014] [warn] RSA server certificate CommonName (CN) `kojihub' does NOT match server name!?
[Wed Feb 05 18:44:06 2014] [warn] RSA server certificate CommonName (CN) `kojihub' does NOT match server name!?

  • When I test the certificate with OpenSSL:

    openssl s_client -connect localhost:443 -tls1 -CAfile /etc/pki/koji/kojihub.pem

I indeed get:

verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate

verify return:1
139736479307592:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139736479307592:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
Verify return code: 21 (unable to verify the first certificate)

My answer:


The kojihub and kojiweb certificates must have their CN set to the fully qualified domain name of each respective server. This was in the documentation:

Two of the certificates (kojihub and kojiweb) are used as server side certificates that authenticate the server to the client. For this reason, you want the common name on both of those certs to be the fully qualified domain name of the web server they are running on so that clients don’t complain about the common name and the server not being the same. You can set the OU for these two certificates to be kojihub and kojiweb for identification purposes.


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.