Bug 696347

Summary: Cannot use grinder or yum to sync Pulp protected repos (if httpd is configured with new certs)
Product: [Retired] Pulp
Reporter: Jay Dobies <jason.dobies>
Component: z_other
Assignee: John Matthews <jmatthew>
Status: CLOSED NOTABUG
QA Contact: Preethi Thomas <pthomas>
Severity: urgent
Priority: urgent
Version: unspecified
CC: bloch, jmatthew, kchamart, tsanders
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-04-20 13:31:19 UTC
Bug Blocks: 688298

Description Jay Dobies 2011-04-13 21:13:55 UTC
Setup:
- Created my own CA and entitlement cert.
- Created my own SSL certificate for my server and changed apache to use it in ssl.conf.
- Configured a repo as being protected by pulp.
- Try to sync the repo using the auth credentials. It fails for both yum and grinder.
- I can wget the repomd.xml correctly.

I suspect this is an issue with how we have httpd configured. This sort of setup works in RHUI 1.2 where we replace ssl.conf with our own file. In Pulp, we're trying to leave that one in place and define our stuff inside of it (in pulp.conf).


[root@venom rhui-1.2-5Server-i386]# grinder yum --label foo -U https://guardian//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os --cacert consumer-rhui-1.2-5Server-i386.ca --cert consumer-rhui-1.2-5Server-i386.cert --key consumer-rhui-1.2-5Server-i386.key
grinder.RepoFetch: INFO     fetchYumRepo() basepath = ./
grinder.RepoFetch: INFO     Fetching repo metadata...
grinder.RepoFetch: ERROR    Caught exception when trying to fetch content from [https://guardian//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os]: Cannot retrieve repository metadata (repomd.xml) for repository: foo. Please verify its path and try again
Traceback (most recent call last):
  File "/usr/bin/grinder", line 23, in <module>
    GrinderCLI.CLI().main()
  File "/usr/lib/python2.7/site-packages/grinder/GrinderCLI.py", line 349, in main
    cmd.main()
  File "/usr/lib/python2.7/site-packages/grinder/GrinderCLI.py", line 60, in main
    self._do_command()
  File "/usr/lib/python2.7/site-packages/grinder/GrinderCLI.py", line 272, in _do_command
    self.yfetch.fetchYumRepo()
  File "/usr/lib/python2.7/site-packages/grinder/RepoFetch.py", line 362, in fetchYumRepo
    self.yumFetch.getRepoData()
  File "/usr/lib/python2.7/site-packages/grinder/RepoFetch.py", line 140, in getRepoData
    for ftype in self.getRepoXmlFileTypes():
  File "/usr/lib/python2.7/site-packages/grinder/RepoFetch.py", line 125, in getRepoXmlFileTypes
    return self.repo.repoXML.fileTypes()
  File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 1413, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 1409, in _getRepoXML
    raise Errors.RepoError, msg
yum.Errors.RepoError: Cannot retrieve repository metadata (repomd.xml) for repository: foo. Please verify its path and try again


[root@venom rhui-1.2-5Server-i386]# wget https://guardian//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os/repodata/repomd.xml --certificate consumer-rhui-1.2-5Server-i386.cert --private-key consumer-rhui-1.2-5Server-i386.key --ca-certificate consumer-rhui-1.2-5Server-i386.ca 
--2011-04-13 16:58:38--  https://guardian//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os/repodata/repomd.xml
Resolving guardian... 192.168.0.201
Connecting to guardian|192.168.0.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1610 (1.6K) [text/plain]
Saving to: “repomd.xml”

100%[==============================================================>] 1,610       --.-K/s   in 0s      

2011-04-13 16:58:38 (29.2 MB/s) - “repomd.xml” saved [1610/1610]


[root@venom rhui-1.2-5Server-i386]# yum repolist
Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
https://guardian//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os/repodata/repomd.xml: [Errno 14] problem making ssl connection

Comment 1 Jay Dobies 2011-04-15 12:10:59 UTC
It turns out there was something wrong with my cert. We're not 100% sure yet of what happened, but it has to do with signing multiple certs from the same CA with the same serial number. Someone in the process is caching this information (yum or httpd) and wasn't allowing the second (different) cert with the same serial number. The fix is to correctly generate certs, maintaining unique serial numbers for a given CA.
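
A check for the condition described in Comment 1, as an added example that is not part of the original bug report: it prints the issuer and serial of each PEM certificate and reports any issuer/serial pair that occurs more than once. The demo CA, subject names and file names are constructed for illustration, and `openssl` is assumed to be on the PATH.

```bash
#!/usr/bin/env bash
# Added example: detect certificates that share an issuer AND a serial number.

# Print "issuer|serial" for one PEM certificate file.
cert_id() {
    local issuer serial
    issuer=$(openssl x509 -in "$1" -noout -issuer) || return 1
    serial=$(openssl x509 -in "$1" -noout -serial) || return 1
    printf '%s|%s\n' "${issuer#issuer=}" "${serial#serial=}"
}

# Print each issuer|serial pair found on more than one of the given certs.
# Empty output means every (issuer, serial) pair is unique.
find_duplicate_serials() {
    local f
    for f in "$@"; do cert_id "$f"; done | sort | uniq -d
}

# Build a throwaway CA in directory $1 and sign two different certificates.
# $2 and $3 are the serial numbers given to the "server" and "client" certs
# (constructed names); passing the same value twice reproduces the collision.
make_demo_certs() {
    local d=$1 pair name serial
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    for pair in "server:$2" "client:$3"; do
        name=${pair%%:*}; serial=${pair##*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -set_serial "$serial" -days 1 -out "$d/$name.crt" 2>/dev/null || return 1
    done
}
```

Run `find_duplicate_serials` over every certificate a CA has issued before deploying them. When signing with `openssl x509 -req`, using `-CAcreateserial` or `-CAserial` instead of a fixed `-set_serial` value keeps serials unique per CA.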