Adding TLS certs


Jeff Harnois

Oct 7, 2021, 9:29:47 AM
to kiwi
Hi, 

We have been running into an issue when adding one of our repos over TLS. When we add it, we have been receiving this error:

12:29:36 Error code: Curl error 60
12:29:36 Error message: SSL certificate problem: self signed certificate in certificate chain

We have the cert and need to add it to the list of trusted certs and make a call to 'update-ca-certificates'. However, we are unsure where to do this. We have tried adding a few things from the documentation such as a 'post_bootstrap.sh' script but it doesn't seem like it worked. We have also tried to add a 'customize' tag to the config.xml file when adding our repo but that didn't work either.

Any advice on where to put these calls?

Thanks,
Jeff

Marcus Schäfer

Oct 7, 2021, 10:43:31 AM
to kiwi-...@googlegroups.com
I had these issues as well. What I do usually is this:

1. Make sure the full set of ca-certificates are installed
in the bootstrap phase

<packages type="bootstrap">
...
<package name="ca-certificates"/>
<package name="ca-certificates-mozilla"/>
</packages>

That should fix the "Curl error 60"

2. If your repo has a signing key and it should be effective you
need to download the keyfile and pass along this information
to the kiwi call via:

kiwi-ng system build ... --signing-key file

Hope that helps

Regards,
Marcus
--
Public Key available via: https://keybase.io/marcus_schaefer/key.asc
keybase search marcus_schaefer
-------------------------------------------------------
Marcus Schäfer (Res. & Dev.) SUSE Software Solutions Germany GmbH
Tel: 0911-740 53 0 Maxfeldstrasse 5
FAX: 0911-740 53 479 D-90409 Nürnberg
HRB: 21284 (AG Nürnberg) Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton
http://www.suse.de
-------------------------------------------------------

Vladimir Nadvornik

Oct 7, 2021, 11:18:52 AM
to kiwi-...@googlegroups.com
On 10/7/21 4:43 PM, 'Marcus Schäfer' via kiwi wrote:
> Hi,
>
>> We have been running into an issue when adding one of our repos over
>> TLS. When we add it, we have been receiving this error:
>>
>> 12:29:36 Error code: Curl error 60
>>
>> 12:29:36 Error message: SSL certificate problem: self signed
>> certificate in certificate chain
>>
>> We have the cert and need to add it to the list of trusted certs and
>> make a call to 'update-ca-certificates'. However, we are unsure where
>> to do this. We have tried adding a few things from the documentation
>> such as a 'post_bootstrap.sh' script but it doesn't seem like it
>> worked. We have also tried to add a 'customize' tag to config.xml file
>> when adding our repo but that didn't work either.
>>
>> Any advice on where to put these calls?
>
> I had these issues as well. What I do usually is this:
>
> 1. Make sure the full set of ca-certificates are installed
> in the bootstrap phase
>
> <packages type="bootstrap">
> ...
> <package name="ca-certificates"/>
> <package name="ca-certificates-mozilla"/>
> </packages>
>
> That should fix the "Curl error 60"
>

For a custom certificate you can create an rpm package similar to
"ca-certificates-mozilla" and add it to the bootstrap section.
The package has to require "ca-certificates" and call
"update-ca-certificates" in post-install.

Vladimir
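
The package described in the last reply could look like the following spec file. It is an added example, not part of the thread or of the kiwi project; the package name, the certificate file name and the SUSE-style trust anchor directory are assumptions.

```spec
# Constructed example: name, version and certificate file name are placeholders.
# Check the CA certificate's fingerprint out of band before packaging it,
# because every image built with this package will trust it.
Name:             ca-certificates-example-internal
Version:          1.0
Release:          0
Summary:          Internal CA certificate for the private package repository
License:          MIT
BuildArch:        noarch
# Source0 is the PEM-encoded CA certificate (placeholder file name)
Source0:          example-internal-ca.pem
# As stated in the thread: the package has to require ca-certificates
Requires:         ca-certificates
Requires(post):   ca-certificates
Requires(postun): ca-certificates

%description
Ships the internal CA certificate as a trust anchor so that TLS
connections to the private repository verify during the image build.

%prep
# Nothing to unpack; the certificate is the only source.

%build
# Nothing to build.

%install
# Assumption: directory for packaged trust anchors on SUSE systems
install -D -m 0644 %{SOURCE0} \
    %{buildroot}%{_datadir}/pki/trust/anchors/example-internal-ca.pem

%post
# Rebuild the trust store so the new anchor takes effect
update-ca-certificates || :

%postun
# Rebuild again on removal so the anchor is dropped from the store
update-ca-certificates || :

%files
%{_datadir}/pki/trust/anchors/example-internal-ca.pem

%changelog
```

The package is then listed in the bootstrap section next to "ca-certificates", under whatever name it was built with.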