IPSca and CentOS

IPSca is an SSL certificate provider which provides zero-cost Educational SSL Certificates, mainly for .edu sites. I tried them out for two different websites at work. The certificates work great, even with having to install an SSLCertificateChainFile entry in the httpd.conf file.

I later discovered a problem on CentOS systems talking to my Yum repository. The m2crypto package does not understand the contents of the subjectAltName field. The SSL certificates one gets from IPSca have this:

openssl x509 -text -in repo.pirzyk.org.crt
...
X509v3 Subject Alternative Name:
email:repo-mail@pirzyk.org
...

When yum tries to talk to the repo, the m2crypto package generates this error:

...
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected repo.pirzyk.org, got email:repo-mail@pirzyk.org

If you connect to the repo using a Fedora Core system – I’ve tested with FC5, 6, 8, 9 and 10 – it works fine. Delving further into the problem, I found that CentOS and RHEL use m2crypto for SSL validation whereas Fedora does not.

One solution to this problem was to fix m2crypto.  Looking at the source code where the error happens:

# subjectAltName=DNS:somehost[, ...]*
try:
    subjectAltName = peerCert.get_ext('subjectAltName').get_value()
    if not self._splitSubjectAltName(self.host, subjectAltName):
        raise WrongHost(expectedHost=self.host,
                        actualHost=subjectAltName,
                        fieldName='subjectAltName')
    hostValidationPassed = True
except LookupError:
    # no subjectAltName extension at all: fall through to the commonName check
    pass

The comments lead me to believe that the code should be looking for this:

X509v3 Subject Alternative Name:
DNS:repo.pirzyk.org

But I do not see any python code looking for the string ‘DNS:’.  Since I am not a python developer, I decided to look for a different solution.
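As an added illustration (not m2crypto's code), here is how a host checker could consume the subjectAltName value string in the format the comment above describes, count only DNS: entries, and, when a certificate like the IPSca one carries only an email entry, fall back to the commonName instead of reporting an email address as the "actual host". The sample SAN strings are constructed, and the CN fallback is an assumption about what graceful behaviour should look like.

```python
# Constructed sample values in the format m2crypto's get_value() returns
# ("subjectAltName=DNS:somehost[, ...]*"). IPSCA_SAN mirrors the post's
# certificate: an email entry and no DNS entry.
IPSCA_SAN = "email:repo-mail@pirzyk.org"
MIXED_SAN = "email:repo-mail@pirzyk.org, DNS:repo.pirzyk.org, DNS:*.mirror.example"


def dns_names(san_value):
    """Return only the DNS: entries of a subjectAltName value string.
    email:, IP Address: and URI: entries never identify a host name."""
    names = []
    for entry in san_value.split(","):
        entry = entry.strip()
        if entry.lower().startswith("dns:"):
            names.append(entry[4:].strip().lower())
    return names


def dns_name_matches(pattern, host):
    """RFC 2818-style comparison: a leading '*' matches exactly one label,
    anything else must match exactly (case-insensitively)."""
    host = host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        plabels = pattern.split(".")
        hlabels = host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def check_host(host, san_value, common_name=None):
    """Validate host against a certificate's names. Returns (passed, reason).
    - If the SAN has DNS entries, the host must match one of them.
    - If it has none (the IPSca case), fall back to the commonName
      (assumed acceptable here) rather than failing with a confusing error."""
    names = dns_names(san_value)
    if names:
        if any(dns_name_matches(n, host) for n in names):
            return True, "matched a subjectAltName DNS entry"
        return False, "no subjectAltName DNS entry matches %s (have: %s)" % (
            host, ", ".join(names))
    if common_name is not None and dns_name_matches(common_name.lower(), host):
        return True, "no DNS entries in subjectAltName; matched commonName"
    return False, "no DNS entries in subjectAltName and commonName does not match"
```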

I thought re-implementing the Fedora Core solution might make a bit more sense. I investigated what it would take to remove m2crypto from the yum tool chain. I started by looking into the version of python-urlgrabber, which is the package that requires m2crypto on CentOS. The version on CentOS is actually a newer version than what comes with Fedora 10. I grabbed the Fedora source RPM and built it for CentOS. When I tried to install it, the yum rpm complained about the downgrade, so I grabbed the newer yum source rpm from FC10 and did the same thing. Then I needed to build the pygpgme package, which did not exist on CentOS. Once I had all three packages installed, I was able to successfully connect to my yum repository.

I’m not sure this is the best long-term solution, since you have a bootstrapping issue. I’ve stored these yum, python-urlgrabber and pygpgme packages on the repository that yum has problems connecting to.

The bug has been reported to Red Hat and CentOS. We shall see if they say it is a valid SSL certificate and an error in m2crypto, or an invalid SSL certificate. Either way, I would think that m2crypto should at least fail gracefully. The BugIDs are:
