sudo update-crypto-policies --set FUTURE
$ wget https://download.copr.fedorainfracloud.org/results/praiskup/ping/epel-7-x86_64/04554804-dummy-pkg/dummy-pkg-20220622_1500-1.el7.x86_64.rpm
--2022-07-18 07:28:31--  https://download.copr.fedorainfracloud.org/results/praiskup/ping/epel-7-x86_64/04554804-dummy-pkg/dummy-pkg-20220622_1500-1.el7.x86_64.rpm
Resolving download.copr.fedorainfracloud.org (download.copr.fedorainfracloud.org)... 65.9.95.102, 65.9.95.17, 65.9.95.22, ...
Connecting to download.copr.fedorainfracloud.org (download.copr.fedorainfracloud.org)|65.9.95.102|:443... connected.
ERROR: The certificate of ‘download.copr.fedorainfracloud.org’ is not trusted.
ERROR: The certificate of ‘download.copr.fedorainfracloud.org’ was signed using an insecure algorithm.
Similarly, the non-CDN URLs have issues:
$ curl https://copr-be.cloud.fedoraproject.org/results/
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
https://pagure.io/fedora-infrastructure/issue/10881
Can the use of another certification authority solve the problem? For example, Buypass Go SSL uses fairly strong intermediate certificates:
copr.fedorainfracloud.org (ECDSA) → Buypass Class 2 CA 5 (RSA 4096) → Buypass Class 2 Root CA (RSA 4096)
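The two errors above ("EE certificate key too weak", "signed using an insecure algorithm") are the system-wide crypto policy rejecting individual links of the chain, so whether a CA switch helps depends on every certificate in the chain meeting the level's thresholds, not just the root. The following added example (not Copr or Fedora infrastructure code) models that check: it walks a chain leaf-first and reports which certificates a given level would refuse. The thresholds are an assumed, simplified subset of the crypto-policies levels (minimum RSA modulus size; SHA-1 signatures refused under FUTURE), and the chains are constructed from the key sizes quoted in this thread, with the leaf key sizes and the Buypass ECDSA curve being assumptions.

```python
"""Model of how a system-wide crypto-policies level judges a TLS chain.

Added example for this ticket; it is not Copr or Fedora infrastructure code.
The thresholds are a simplified subset of the crypto-policies levels
(minimum RSA modulus size, disallowed signature hashes); the chains below
are constructed from the key sizes quoted in the thread, and the leaf key
sizes are assumptions for illustration.
"""
from dataclasses import dataclass

# Simplified per-level rules (assumed subset; the real policies also pin
# TLS versions, cipher suites, curves and DH sizes). SHA-1 signatures are
# also refused by DEFAULT on newer releases; here only FUTURE bans them.
POLICIES = {
    "LEGACY":  {"min_rsa_bits": 2048, "banned_hashes": {"MD5"}},
    "DEFAULT": {"min_rsa_bits": 2048, "banned_hashes": {"MD5"}},
    "FUTURE":  {"min_rsa_bits": 3072, "banned_hashes": {"MD5", "SHA1"}},
}
MIN_EC_BITS = 256  # P-256 is accepted by every level (assumption)


@dataclass(frozen=True)
class Cert:
    subject: str
    key_type: str   # "RSA" or "EC"
    key_bits: int   # RSA modulus size, or EC curve size
    sig_hash: str   # digest used in the signature placed on this cert


def check_chain(chain, policy_name):
    """Walk the chain leaf-first (leaf, intermediates..., root) and return
    (subject, reason) for every certificate the level would reject.
    An empty list means the chain is acceptable under that level."""
    policy = POLICIES[policy_name]
    failures = []
    last = len(chain) - 1
    for i, cert in enumerate(chain):
        role = "EE" if i == 0 else "CA"
        if cert.key_type == "RSA" and cert.key_bits < policy["min_rsa_bits"]:
            failures.append((cert.subject,
                             f"{role} certificate key too weak: RSA {cert.key_bits} "
                             f"< {policy['min_rsa_bits']} bits"))
        elif cert.key_type == "EC" and cert.key_bits < MIN_EC_BITS:
            failures.append((cert.subject,
                             f"{role} EC key too small: {cert.key_bits} bits"))
        # The self-signed root's own signature is not verified during path
        # validation, so its hash is irrelevant; every other signature counts.
        if i != last and cert.sig_hash in policy["banned_hashes"]:
            failures.append((cert.subject,
                             f"signed with disallowed hash {cert.sig_hash}"))
    return failures


def levels_accepting(chain):
    """Names of the levels under which the whole chain validates."""
    return [name for name in POLICIES if not check_chain(chain, name)]


# Constructed chains. The Let's Encrypt chain models the 2022 situation in
# the ticket (leaf and R3 intermediate assumed at RSA 2048); the Buypass
# chain follows the comment above, with the ECDSA leaf assumed to be P-256.
LETSENCRYPT_CHAIN = [
    Cert("copr-be.cloud.fedoraproject.org", "RSA", 2048, "SHA256"),
    Cert("R3", "RSA", 2048, "SHA256"),
    Cert("ISRG Root X1", "RSA", 4096, "SHA256"),
]
BUYPASS_CHAIN = [
    Cert("copr.fedorainfracloud.org", "EC", 256, "SHA256"),
    Cert("Buypass Class 2 CA 5", "RSA", 4096, "SHA256"),
    Cert("Buypass Class 2 Root CA", "RSA", 4096, "SHA256"),
]

if __name__ == "__main__":
    for name, chain in (("Let's Encrypt", LETSENCRYPT_CHAIN),
                        ("Buypass", BUYPASS_CHAIN)):
        print(f"{name}: accepted by {levels_accepting(chain)}")
        for subject, reason in check_chain(chain, "FUTURE"):
            print(f"  FUTURE rejects {subject}: {reason}")
```

Run as a script it shows that the modelled Let's Encrypt chain validates under LEGACY and DEFAULT but fails under FUTURE at both the leaf and the R3 intermediate, while the Buypass chain passes all three levels; the same walk flags a SHA-1-signed intermediate only under FUTURE. On a live host the same question is answered by `update-crypto-policies --show` together with the key sizes reported by `openssl x509 -noout -text` for each certificate of the served chain.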
Not sure. Can we have fully automated renewals of the certificates? Can we have the certificates for free there?
There are two things; most of our infrastructure uses Let's Encrypt, but we also use AWS CloudFront (https://download.copr.fedorainfracloud.org/), where we AFAIK cannot affect the CA?
Yes. Buypass Go SSL - free TLS certificate, based on ACME.
I think it's worth solving the first part of the problem first, and then, if that doesn't help, we'll solve the issue with Amazon CloudFront.
CloudFront is much more important for the users, actually. That's where our users download RPMs from. The other stuff is "just" web-UI/API, etc.
The Let's Encrypt automation was pretty hard to do right in the ansible.git; it might be easier for us to just sit and wait till Let's Encrypt provides the right keys (or adjust our current config, if needed for the next-gen keys).
Would you be able to help us with fixing the automation (implementing Buypass)? See this role we are currently using (for lighttpd and apache): https://pagure.io/fedora-infra/ansible/blob/main/f/roles/copr/certbot
This issue has been migrated to GitHub: https://github.com/fedora-copr/copr/issues/2250
Metadata Update from @nikromen:
- Issue close_status updated to: MIGRATED
- Issue status updated to: Closed (was: Open)