Bug 1210878

Summary: [RFE] Allow user to disable SSL verification for custom repositories hosted via SSL
Product: Red Hat Satellite Reporter: Rich Jerrido <rjerrido>
Component: RepositoriesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Peter Ondrejka <pondrejk>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.8CC: bbuckingham, bkearney, cwelton, jsherril, mhrivnak, rjerrido, xdmoon
Target Milestone: UnspecifiedKeywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 12:29:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rich Jerrido 2015-04-10 19:01:08 UTC 
Description of problem:
As a user, I have multiple yum repositories that I wish to use with Satellite 6. These repositories are internal to my organization, and are hosted via SSL via self-signed certificates. 

When synchronizing these repositories in Satellite 6, synchronization fails with

"[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

Version-Release number of selected component (if applicable):
foreman-1.6.0.53-1.el6sat.noarch
foreman-compute-1.6.0.53-1.el6sat.noarch
foreman-discovery-image-6.5-20140620.2.el6sat.noarch
foreman-gce-1.6.0.53-1.el6sat.noarch
foreman-libvirt-1.6.0.53-1.el6sat.noarch
foreman-ovirt-1.6.0.53-1.el6sat.noarch
foreman-postgresql-1.6.0.53-1.el6sat.noarch
foreman-proxy-1.6.0.33-1.el6sat.noarch
foreman-selinux-1.6.0.14-1.el6sat.noarch
foreman-vmware-1.6.0.53-1.el6sat.noarch
katello-1.5.0-30.el6sat.noarch
katello-certs-tools-1.5.6-1.el6sat.noarch
katello-default-ca-1.0-1.noarch
katello-installer-0.0.67-1.el6sat.noarch
katello-server-ca-1.0-1.noarch
pulp-katello-0.3-4.el6sat.noarch
pulp-nodes-common-2.4.4-1.el6sat.noarch
pulp-nodes-parent-2.4.4-1.el6sat.noarch
pulp-puppet-plugins-2.4.4-1.el6sat.noarch
pulp-puppet-tools-2.4.4-1.el6sat.noarch
pulp-rpm-plugins-2.4.4-1.1.el6sat.noarch
pulp-selinux-2.4.4-1.el6sat.noarch
pulp-server-2.4.4-1.el6sat.noarch


How reproducible:
100%

Steps to Reproduce:
1. Create a custom product
2. Create a repository of type 'yum' associated with the custom product
3. Set the URL to https://foo.bar.com where https://foo.bar.com has a self-signed cert. 
4. Attempt to sync the repository. 

Actual results:

"[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

Expected results:

The repository should be synchronized. 

Additional info:

This RFE requests the ability to disable SSL verification on a per-repository basis, with the appropriate options in hammer-cli and the API to do the same.
Comment 1 RHEL Program Management 2015-04-10 19:13:31 UTC 
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 3 Bryan Kearney 2015-10-01 14:55:59 UTC 
If I can find a way to put a self signed CA in the chain of trust, is that sufficient?
Comment 4 Bryan Kearney 2015-10-01 15:55:08 UTC 
Note, you can add the self signed CA to the OS CA store using update-ca-trust. This can be done w/o a pulp restart. Or you can use

http://pulp.readthedocs.org/en/latest/user-guide/installation.html?highlight=ca_path#signed-certificates

and restart pulp
Comment 5 Rich Jerrido 2015-10-02 11:38:41 UTC 
(In reply to Bryan Kearney from comment #3)
> If I can find a way to put a self signed CA in the chain of trust, is that
> sufficient?

In a strict sense, yes. However, I am not a fan of updating the operating systems CA store because:

* It assumes the user of Satellite is the 'root' user on the system running Satellite. (Many Satellites will be deployed in a multi-org configuration where this is not the case)

* It allows any other applications which use the OS' CA store to connect to any other website/service which is signed via the same CA (which may or may not be desirable)

* It is a workflow that I cannot drive via Satellite's UI (and the API & CLI). 

For these reasons I still favor having 'perform SSL Verification' as a property of the repository itself, allowing the user to toggle it on/off as per their needs.
Comment 7 Bryan Kearney 2016-01-15 13:06:04 UTC 
Michael: Should I add a version of this to an upstream pulp bug? Seems like I need it in pulp first, then katello to expose it.
Comment 8 Michael Hrivnak 2016-01-15 20:54:37 UTC 
Pulp already has both options. Per-repo, or even per-sync if you like, you can provide a CA cert to use for verification, or turn off SSL verification.

See the settings "ssl_ca_cert" and "ssl_verification"

http://pulp-rpm.readthedocs.org/en/2.6-release/tech-reference/yum-plugins.html#configuration-parameters

+1 to all of Rich's comments in #5.

I think this is ready for katello to expose in the UI.
Comment 9 Bryan Kearney 2016-08-04 20:11:15 UTC 
Moving 6.2 bugs out to sat-backlog.
Comment 11 Justin Sherrill 2017-10-12 13:38:14 UTC 
This is resolved upstream and will appear in satellite 6.3.0, re-aligning.  Feel free to correct any knob i pulled incorrectly :)
Comment 12 Peter Ondrejka 2017-12-06 15:21:02 UTC 
Verified in Sat 6.3 snap 27, verify ssl option has been added to repository options.
Comment 15 errata-xmlrpc 2018-02-21 12:29:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336