Discussion:
Question regarding certificates
Lev Veyde
2021-05-19 16:38:07 UTC
Hi,

What creates the following files on the system?

/etc/cockpit/ws-certs.d/0-self-signed-ca.pem
/etc/cockpit/ws-certs.d/0-self-signed.cert

I see that the directory is owned by the cockpit-ws package, but couldn't
find anything in the RPM scripts.

Thanks in advance,
--
Lev Veyde

Senior Software Engineer, RHCE | RHCVA | MCITP

Red Hat Israel

<https://www.redhat.com>

***@redhat.com | ***@redhat.com
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
Stephen Gallagher
2021-05-19 17:44:00 UTC
Post by Lev Veyde
Hi,
/etc/cockpit/ws-certs.d/0-self-signed-ca.pem
/etc/cockpit/ws-certs.d/0-self-signed.cert
I see that the directory is owned by the cockpit-ws package, but couldn't
find anything in the RPM scripts.
Thanks in advance,
They aren't created in the RPM scripts because they need to be unique on
different systems (generating them in the RPM scripts would mean that
things like rpm-ostree and gold VM images would all have the same
certificates).

They're created when Cockpit starts up if they don't already exist. On
Fedora, they're usually generated by sscg.

Is there a specific question you have about these certificates?
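
Added example, not part of the original thread and not Cockpit code: a fleet check for the failure mode described in the reply above, where hosts cloned from one image end up serving the same certificate. It assumes the contents of each host's /etc/cockpit/ws-certs.d/0-self-signed.cert have already been collected into a dict; the host names and PEM bodies below are constructed.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches one PEM certificate block; any other PEM blocks in the file are ignored.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    prints = []
    for body in CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def shared_certificates(host_to_pem):
    """Map fingerprint -> sorted hosts, only for certificates seen on 2+ hosts."""
    seen = defaultdict(set)
    for host, pem in host_to_pem.items():
        for fp in cert_fingerprints(pem):
            seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def fake_pem(seed):
    # Constructed stand-in: digest bytes wrapped as PEM, not a real X.509 certificate.
    body = base64.encodebytes(hashlib.sha512(seed).digest()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed inventory: host name -> contents of its 0-self-signed.cert.
SAMPLE = {
    "node-a": fake_pem(b"baked-into-image"),
    "node-b": fake_pem(b"baked-into-image"),  # cloned from the same image
    "node-c": fake_pem(b"generated-on-first-start"),
}

if __name__ == "__main__":
    for fp, hosts in shared_certificates(SAMPLE).items():
        print(f"{fp[:16]}... shared by {', '.join(hosts)}")
```

Any fingerprint reported here means those hosts present an identical certificate, which is what generating it at first start rather than at package build time is meant to prevent.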
Stephen Gallagher
2021-05-20 12:35:52 UTC
Re-adding the original sender to the CC, since they are not subscribed.
Post by Lev Veyde
Hi,
/etc/cockpit/ws-certs.d/0-self-signed-ca.pem
/etc/cockpit/ws-certs.d/0-self-signed.cert
I see that the directory is owned by the cockpit-ws package, but couldn't find anything in the RPM scripts.
Thanks in advance,
They aren't created in the RPM scripts because they need to be unique on different systems (generating them in the RPM scripts would mean that things like rpm-ostree and gold VM images would all have the same certificates).
They're created when Cockpit starts up if they don't already exist. On Fedora, they're usually generated by sscg.
Is there a specific question you have about these certificates?
_______________________________________________
cockpit-devel mailing list -- cockpit-***@lists.fedorahosted.org
To unsubscribe send an email to cockpit-devel-***@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/cockpit-***@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fe
Lev Veyde
2021-05-20 14:10:13 UTC
Hi Stephen,

Yes, we have an issue with the latest version of oVirt node-ng, with
users being unable to log in to Cockpit after the upgrade, and we're
trying to debug this issue:

https://lists.ovirt.org/archives/list/***@ovirt.org/thread/CJIP2KNXEADMRUK25743GSZ5UY7MDQUL/

The node-ng is based on CentOS 8 Stream.

Thanks in advance,
Post by Stephen Gallagher
Re-adding the original sender to the CC, since they are not subscribed.
Post by Stephen Gallagher
Post by Lev Veyde
Hi,
/etc/cockpit/ws-certs.d/0-self-signed-ca.pem
/etc/cockpit/ws-certs.d/0-self-signed.cert
I see that the directory is owned by the cockpit-ws package, but
couldn't find anything in the RPM scripts.
Thanks in advance,
They aren't created in the RPM scripts because they need to be unique on
different systems (generating them in the RPM scripts would mean that
things like rpm-ostree and gold VM images would all have the same
certificates).
They're created when Cockpit starts up if they don't already exist. On
Fedora, they're usually generated by sscg.
Is there a specific question you have about these certificates?
--
Lev Veyde
Martin Pitt
2021-05-21 05:34:56 UTC
Hello Lev,
Post by Lev Veyde
Yes, we have an issue with the latest version of oVirt node-ng, with
users being unable to log in to Cockpit after the upgrade, and we're

This seems to be all about PAM and login, nowhere is it mentioned that users
had trouble getting past the initial connection TLS validation?

I.e. how is this related to certificates? Or did you perhaps link to a
different thread?

Thanks!

Martin