search for: cafil

On Wed, Sep 19, 2018 at 7:24 PM Richard W.M. Jones <rjones@redhat.com> wrote: > For real imageio servers the destination will always be https. This > change has no effect there. > > However when testing we want to use an http server for simplicity. As > there is no cafile in this case the call to > ssl.create_default_context().load_verify_locations(cafile=...) will fail. > --- > v2v/rhv-upload-plugin.py | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/v2v/rhv-upload-plugin.py b/v2v/rhv-upload-plugin.py > index 5c...

...there. I have tried this configuaration for roundcube: $config['imap_conn_options'] = array( 'ssl' => array( 'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>', 'verify_peer' => true, 'verify_depth' => 3, // 'cafile' => '/dont/need/to/set/this/option', ), ); and this one: $config['imap_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); and this one too: $config['imap_conn_op...

If I were guessing, based on some experience with certificate usage in other apps, concatenate your certificate and intermediate certificates into a single file which is then your "tls certfile" then point "tls cafile" to your issuers proper CA or just to your distro's CA bundle, e.g /etc/pki/tls/certs/ca-bundle.crt. Nick On 06/08/2020 16:36, MAS Jean-Louis via samba wrote: > Nobody has any clues about the tls cafile ? > > Regards > > Le 04/08/2020 ? 15:18, MAS Jean-Louis via samba a...

Fix rhv-cafile option access, broken by commit 6694028f9827 (v2v: -o rhv-upload: Only set SSL context for https connections). --- .gnulib | 2 +- v2v/rhv-upload-plugin.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gnulib b/.gnulib index 6ccfbb4ce..646a44e1b 160000 -...

It makes little sense to require the oVirt certificate, especially when the verification of the connection (-oo rhv-verifypeer) is disabled by default. The only work done with the certificate in that case is checking that it is a valid certificate file. Hence, make -oo rhv-cafile optional, requiring it only when -oo rhv-verifypeer is enabled. --- v2v/output_rhv_upload.ml | 16 +++++++++------- v2v/virt-v2v-output-rhv.pod | 2 ++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml index 24a289169..d0850282...

On Wed, Jan 15, 2020 at 3:01 PM Richard W.M. Jones <rjones@redhat.com> wrote: > This is actually not required, because ovirtsdk4 will use the system's > global trust store if necessary. Therefore we can make it optional in > all cases. > The only way to avoid the cafile is to set insecure=True both when creating sdk connection and when connecting to imageio. Otherwise the system trust store must include the CA used when creating engine and vdsm certificates. In development setup this is never true, in production It may work if you are lucky. Nir --- > docs...

On Thu, August 6, 2020 11:36, MAS Jean-Louis wrote: > Nobody has any clues about the tls cafile ? > > Regards > > Le 04/08/2020 ?? 15:18, MAS Jean-Louis via samba a ??crit??: >> I have several samba servers on Debian 10 all using : >> >> samba 2:4.9.5+dfsg-5+deb10u1 amd64 >> >> I use tls cafile, tls certfile and tls keyfile with certificates...

...06/08/2020 ? 17:43, Nick Howitt via samba a ?crit?: > If I were guessing, based on some experience with certificate usage in > other apps, concatenate your certificate and intermediate certificates > into a single file which is then your "tls certfile" then point "tls > cafile" to your issuers proper CA or just to your distro's CA bundle, > e.g /etc/pki/tls/certs/ca-bundle.crt. You're right, on Samba, it works that way # smb.conf extract tls cafile = /etc/ssl/certs/Comodo_AAA_Services_root.pem tls certfile = /etc/ssl/certs/ad-rep2.example.com-certonly+...

...r, OpenLDAP and AD started to use different certificate chains, so I need to tell Samba to use different root CA cert when talking to AD DC. In ldap.conf I have tls_reqcert demand tls_cacert /usr/share/ca-certificates/ca-openldap.crt In smb.conf I'm trying to add this line to [global]: tls cafile = /etc/samba/tls/ca-ad.pem testparm shows that Samba sees this line: Server role: ROLE_DOMAIN_MEMBER ldap ssl = start tls ldap ssl ads = Yes tls cafile = /etc/samba/tls/ca-ad.pem However, it doesn't seem to have any effect. Samba still tries to communicate with AD using ca-openldap.crt Wh...

...0.3.0? * checking CRAN incoming feasibility ...* Trying 172.23.0.30... * TCP_NODELAY set * Connected to (nil) (172.23.0.30) port 8080 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@ STRENGTH * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol * Curl_http_done: called premature == 0 * Closing connection 0 * Trying 172.23.0.30... * TCP_NODELAY set * Connected to (nil) (172.23.0.30) port 8080 (#0) * ALPN, offering http/1.1 * Cipher sele...

...100644 --- a/v2v/output_rhv_upload.ml +++ b/v2v/output_rhv_upload.ml @@ -81,8 +81,6 @@ let parse_output_options options = let rhv_direct = !rhv_direct in let rhv_verifypeer = !rhv_verifypeer in let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in - if rhv_verifypeer && rhv_cafile = None then - error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file"); { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids } -- 2.24.1

Hi people, i have a problem with trying ldaps i use autogenerated self-signed certificate, i write in smb this: tls enabled = yes tls keyfile = tls/key.pem tls certfile = tls/cert.pem without cafile when i try to verify with: openssl verify /usr/local/samba/private/tls/myCert.pem it said me unable to verify the first certificate and if add -CApath works! and finally when i try from another dc with openssl s_client -showcerts -connect dc1.samdom.example.com:636 it said me unable to verify t...

Nobody has any clues about the tls cafile ? Regards Le 04/08/2020 ? 15:18, MAS Jean-Louis via samba a ?crit?: > I have several samba servers on Debian 10 all using : > > samba 2:4.9.5+dfsg-5+deb10u1 amd64 > > I use tls cafile, tls certfile and tls keyfile with certificates from > Sectigo (https://cert-manage...

This adds a test of -o rhv-upload. Obviously for an upstream test we cannot require a working oVirt server. This test works by faking the ovirtsdk4 Python module, setting PYTHONPATH so that the fake module is picked up instead of the real module (if installed). However it's more complex than that because the nbdkit plugin also expects to talk to a working imageio HTTPS server. Therefore

I have several samba servers on Debian 10 all using : samba 2:4.9.5+dfsg-5+deb10u1 amd64 I use tls cafile, tls certfile and tls keyfile with certificates from Sectigo (https://cert-manager.com) And when checking my connexion from the samba server, or from outside, I've got "unable to verify the first certificate" even if tls_cafile is provided in smb.conf. What is wrong ? # checking m...

...certificate. > > With regards to Roundcube, see this in config/defaults.inc.php: > > //$config['imap_conn_options'] = array( > // 'ssl' => array( > // 'verify_peer' => true, > // 'verify_depth' => 3, > // 'cafile' => '/etc/openssl/certs/ca.crt', > // ), > // ); > >

On Fri, Dec 7, 2018, 10:34 Richard W.M. Jones <rjones@redhat.com wrote: > On Fri, Dec 07, 2018 at 02:44:21AM +0200, Nir Soffer wrote: > > Fix rhv-cafile option access, broken by commit 6694028f9827 (v2v: -o > > rhv-upload: Only set SSL context for https connections). > > Ugh yes indeed. Strong typing FTW _again_ "pylint -E" may detect such issues. ... > > Will apply shortly, thanks. > > Rich. > > > ....

For real imageio servers the destination will always be https. This change has no effect there. However when testing we want to use an http server for simplicity. As there is no cafile in this case the call to ssl.create_default_context().load_verify_locations(cafile=...) will fail. --- v2v/rhv-upload-plugin.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/v2v/rhv-upload-plugin.py b/v2v/rhv-upload-plugin.py index 5cd6d5cab..6e35b5057 100644 --- a/v2...

For real imageio servers the destination will always be https. This change has no effect there. However when testing we want to use an http server for simplicity. As there is no certificate or cafile in this case the call to create the context will fail. This also simplifies creation of the context object and recognizes the "insecure" flag for connecting to imageio. Thanks: Nir Soffer. --- v2v/rhv-upload-plugin.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+),...

On Fri, Dec 07, 2018 at 02:44:21AM +0200, Nir Soffer wrote: > Fix rhv-cafile option access, broken by commit 6694028f9827 (v2v: -o > rhv-upload: Only set SSL context for https connections). Ugh yes indeed. Strong typing FTW _again_ ... Will apply shortly, thanks. Rich. > .gnulib | 2 +- > v2v/rhv-upload-plugin.py | 2 +- > 2 files changed...