Bug 1210878
Summary: | [RFE] Allow user to disable SSL verification for custom repositories hosted via SSL | | |
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Rich Jerrido <rjerrido> |
Component: | Repositories | Assignee: | satellite6-bugs <satellite6-bugs> |
Status: | CLOSED ERRATA | QA Contact: | Peter Ondrejka <pondrejk> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.0.8 | CC: | bbuckingham, bkearney, cwelton, jsherril, mhrivnak, rjerrido, xdmoon |
Target Milestone: | Unspecified | Keywords: | FutureFeature, Triaged |
Target Release: | Unused | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-02-21 12:29:34 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Rich Jerrido
2015-04-10 19:01:08 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

If I can find a way to put a self signed CA in the chain of trust, is that sufficient?

Note, you can add the self signed CA to the OS CA store using update-ca-trust. This can be done w/o a pulp restart. Or you can use http://pulp.readthedocs.org/en/latest/user-guide/installation.html?highlight=ca_path#signed-certificates and restart pulp

(In reply to Bryan Kearney from comment #3)
> If I can find a way to put a self signed CA in the chain of trust, is that
> sufficient?

In a strict sense, yes. However, I am not a fan of updating the operating system's CA store because:

* It assumes the user of Satellite is the 'root' user on the system running Satellite. (Many Satellites will be deployed in a multi-org configuration where this is not the case)
* It allows any other applications which use the OS' CA store to connect to any other website/service which is signed via the same CA (which may or may not be desirable)
* It is a workflow that I cannot drive via Satellite's UI (and the API & CLI).

For these reasons I still favor having 'perform SSL Verification' as a property of the repository itself, allowing the user to toggle it on/off as per their needs.

Michael: Should I add a version of this to an upstream pulp bug? Seems like I need it in pulp first, then katello to expose it.

Pulp already has both options. Per-repo, or even per-sync if you like, you can provide a CA cert to use for verification, or turn off SSL verification. See the settings "ssl_ca_cert" and "ssl_verification" http://pulp-rpm.readthedocs.org/en/2.6-release/tech-reference/yum-plugins.html#configuration-parameters

+1 to all of Rich's comments in #5. I think this is ready for katello to expose in the UI.

Moving 6.2 bugs out to sat-backlog.

This is resolved upstream and will appear in satellite 6.3.0, re-aligning. Feel free to correct any knob I pulled incorrectly :)

Verified in Sat 6.3 snap 27, verify ssl option has been added to repository options.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336