Bug 1260560

Summary: https access to red hat repositories using debug certificate doesn't work
Product: Red Hat Satellite Reporter: Fred van Zwieten <fvzwieten>
Component: RepositoriesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Kedar Bidarkar <kbidarka>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1.1CC: bbuckingham, bkearney, cwelton, erinn.looneytriggs, john.sincock, kbidarka, mmccune, oshtaier, suprabhu
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-27 11:20:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
screenshot of issue in firefox none

Description Fred van Zwieten 2015-09-07 09:14:48 UTC 
Created attachment 1070872 [details]
screenshot of issue in firefox

Description of problem:
I can't get secure access to the re hat repositories using the https url as specified on the repository.

Version-Release number of selected component (if applicable):
6.1.1 GA
Firefox 4.0.3 on Fedora 22

How reproducible:


Steps to Reproduce:
1. Get Red Hat product and repositories into satellite 6.1 
2. Generate and download certificate
3. Import certificate into Firefox
4. Browse to repo's https url

Actual results:
403

Expected results:
A nice listing in my browser

Additional info:
In /var/log/http/foreman-ssl_access.log I get this:
172.16.1.1 - - [07/Sep/2015:10:54:40 +0200] "GET /pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os HTTP/1.1" 403 270 "https://sat61.lab1.local/pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"

See screenshot to see what I got in firefox
Comment 3 Bryan Kearney 2015-09-24 12:54:14 UTC 
Can you please test this once 1259248 is being tested. I wonder if these are related to the same issue.
Comment 6 Brad Buckingham 2016-05-02 19:14:30 UTC 
Based on testing with Satellite 6.2 Beta Snap 9.x, this appears to have been solved.  I was able to 'download and generate' the debug certificate, import in to firefox and then browse RH repos.

I am going to move it ON_QA for verification.
Comment 7 Kedar Bidarkar 2016-05-23 19:13:28 UTC 
We still face this issue while accessing the link via the URL.

[Mon May 23 14:58:10.883739 2016] [ssl:warn] [pid 37172] [client x.x.x.x:48152] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:11.474003 2016] [ssl:error] [pid 37172] [client x.x.x.x:48152] AH02261: Re-negotiation handshake failed: Not accepted by client!?
[Mon May 23 14:58:11.782800 2016] [ssl:warn] [pid 29840] [client x.x.x.x:48147] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:12.370481 2016] [ssl:error] [pid 29840] [client x.x.x.x:48147] AH02261: Re-negotiation handshake failed: Not accepted by client!?

TESTED with sat62-snap12.1

a) downloaded the "debug cert"
b) Imported it to the browser
c) While accessing the link via the browser we see the above messages in the log,
/var/log/httpd/foreman-ssl_error_ssl.log
Comment 9 Kedar Bidarkar 2016-05-23 20:05:30 UTC 
Followed the below procedure to import the certs to FF and chrome.

Generating a Debug Certificate

1) From the GUI within Katello do the following:

a) Login as an administrator
b) Click the Administer -> Organizations link in the upper left
c) Find the Organization you imported your subscriptions and synced content ot
d) Click the "Debug certificate: [Generate and Download]" button. This would prompt for a download of a .pem file, save this locally. 

You will get the Private Key and Certificate returned to you in a format such as :

Key:  -----BEGIN RSA PRIVATE KEY-----
<<<<DER ENCODED TEXT>>>>
-----END RSA PRIVATE KEY-----

Cert: -----BEGIN CERTIFICATE-----
<<<<DER ENCODED TEXT>>>>
-----END CERTIFICATE-----

Using Firefox to browse content

If you wish to use the certificate to browse content via Firefox, do the following:

1)     Copy the output of the above command from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem

2) Copy the output of the above command from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem

3) Run teh following command to create a pkcs12 file:
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]
    Provide a password when prompted.

4) Using the preferences tab, import the resulting [NAME].pfx file into your browser (Edit->Preferences->Advanced Tab -> View Certificates -> Import [Import under "your certificates"] )
Comment 10 Kedar Bidarkar 2016-05-23 20:07:40 UTC 
VERIFIED with sat62-snap12.1


We can now browse the content using the debug-cert and following the above procedure.
Comment 11 Bryan Kearney 2016-07-27 11:20:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501
Comment 13 John 2023-11-06 03:09:22 UTC 
Yet another shameful Red Hat disgrace.

WHAT IS THE POINT OF GIVING PEOPLE A .PEM FILE THAT CANNOT BE IMPORTED?

WHY FORCE USERS TO CONVERT THE .PEM TO A .PFX FILE??


JUST PROVIDE THE CERTIFICATE IN .PFX FORM FOR CHRISTS SAKE.
Comment 14 John 2023-11-06 03:13:44 UTC 
Every single thing Red Hat touches, they have to make as much of a pain in the ass as possible.