Bug 711754

Summary: Unprotected custom repos shouldn't be requiring consumer certs
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: Kedar Bidarkar <kbidarka>
Component: Tools
Assignee: Jay Dobies <jason.dobies>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 2.0
CC: kbidarka, sghai, tsanders
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-31 12:50:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Kedar Bidarkar 2011-06-08 11:26:14 UTC
Description of problem:



[root@dhcp201-149 content]# pulp-admin -u admin -p admin repo list 
+------------------------------------------+
       List of Available Repositories
+------------------------------------------+

Id                 	repo_id-1                
Name               	Qpid                     
Feed URL           	None                     
Feed Type          	None                     
Feed Certs         	CA:No   Cert:No   Key:No
Consumer Certs     	CA:No   Cert:No   Key:No
Architecture       	noarch                   
Sync Schedule      	None                     
Packages           	4                        
Files              	0                        
Distributions      	None                     
Publish            	True                     
Clones             	[]                       
Groups             	[u'custom']              
Filters            	[]                       
Notes              	None   



[root@dhcp201-178 yum.repos.d]# yum install qpid-cpp-server
https://dhcp201-196.englab.pnq.redhat.com/rhuilb/pulp/repos/baseos/x86_64/qpid/os/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
https://dhcp201-101.englab.pnq.redhat.com/rhuilb/pulp/repos/baseos/x86_64/qpid/os/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: repo_id-1. Please verify its path and try again


[root@dhcp201-178 yum.repos.d]# cat /etc/yum.repos.d/rh-cloud.repo 
[rhel-server-6-releases]
name=Red Hat Enterprise Linux Server 6 Releases (RPMs)
mirrorlist=file:///etc/yum.repos.d/rh-rhel-server-6-releases.mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslclientkey=/etc/pki/entitlement/key.pem
sslclientcert=/etc/pki/entitlement/product/content.crt
sslcacert=/etc/pki/entitlement/ca.crt

[repo_id-1]
name=Qpid
mirrorlist=file:///etc/yum.repos.d/rh-repo_id-1.mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
#sslverify=1
#sslclientkey=/etc/pki/entitlement/key.pem
#sslclientcert=/etc/pki/entitlement/product/content.crt
#sslcacert=/etc/pki/entitlement/ca.crt
                  



Version-Release number of selected component (if applicable):

rh-rhui-tools   2.0.26

How reproducible:
When creating client-config RPMs for unprotected repos, the unprotected repos still depend on the consumer certs.

Steps to Reproduce:
1. 
2.
3.
  
Actual results:
Unprotected custom repos, which require no consumer certs, are actually dependent on the certs.

Expected results:

Unprotected repos shouldn't depend on the consumer certs.

Additional info:

Comment 1 Kedar Bidarkar 2011-06-08 11:28:12 UTC
When the comments are removed in the repo file rh-cloud.repo, it works.

Comment 2 Jay Dobies 2011-06-16 19:28:55 UTC
Kedar - Can you try it with the following:


sslverify=1
sslcacert=/etc/pki/entitlement/ca.crt

#sslclientkey=/etc/pki/entitlement/key.pem
#sslclientcert=/etc/pki/entitlement/product/content.crt


Here's my thinking...

What I'm guessing is happening is that since sslverify is commented out, it's defaulting to true. But since the CA certificate is commented out, it's unable to verify the server's SSL certificate since it wasn't signed by one of the standard CAs. That's what the message "Peer cert cannot be verified or peer cert invalid" refers to.

That _should_ work. I'll start on modifying RHUI Manager to use these settings for unprotected repos while you confirm the above works.

Comment 3 Jay Dobies 2011-06-16 19:37:15 UTC
commit 5cd6fce4cbc5f9d7b2e5420859f210dfc88eae34
Author: Jay Dobies <jason.dobies>
Date:   Thu Jun 16 15:34:27 2011 -0400

    711754 - The repo definitions for unprotected repos were incorrectly
    including certificates, so moved that stuff out of the template file and
    add it in the replacement step

rhui-2.0/tools/etc/rhui/templates/client-repo-template.repo
rhui-2.0/tools/src/rhui/rpm/client.py

Comment 4 Kedar Bidarkar 2011-06-20 12:55:02 UTC
Yes, it works when sslclientkey and sslclientcert are commented out and sslverify=1 and sslcacert remain uncommented.

[root@rhuiu-client1 yum.repos.d]# yum clean all
Cleaning up Everything
[root@rhuiu-client1 yum.repos.d]# yum install qpid-cpp-server
epel/metalink                                                                                                                                             |  12 kB     00:00     
epel                                                                                                                                                      | 4.3 kB     00:00     
epel/primary_db                                                                                                                                           | 3.8 MB     00:13     
repo_id-1                                                                                                                                                 | 2.6 kB     00:00     
repo_id-1/primary_db                                                                                                                                      | 6.1 kB     00:00     
rhel-pulp                                                                                                                                                 | 1.3 kB     00:00     
rhel-pulp/primary                                                                                                                                         | 4.3 kB     00:00     
rhel-pulp                                                                                                                                                                  12/12
rhel-server-6-releases                                                                                                                                    | 3.4 kB     00:00     
rhel-server-6-releases/primary_db                                                                                                                         | 2.9 MB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package qpid-cpp-server.x86_64 0:0.10-3.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================================================
 Package                                        Arch                                  Version                                     Repository                                Size
=================================================================================================================================================================================
Installing:
 qpid-cpp-server                                x86_64                                0.10-3.el6                                  repo_id-1                                930 k

Transaction Summary
=================================================================================================================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 930 k
Installed size: 3.2 M
Is this ok [y/N]: y
Downloading Packages:
qpid-cpp-server-0.10-3.el6.x86_64.rpm                                                                                                                     | 930 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : qpid-cpp-server-0.10-3.el6.x86_64                                                                                                                         1/1 

Installed:
  qpid-cpp-server.x86_64 0:0.10-3.el6                                                                                                                                            

Complete!
[root@rhuiu-client1 yum.repos.d]# cat rh-cloud.repo
[rhel-server-6-releases]
name=Red Hat Enterprise Linux Server 6 Releases (RPMs)
mirrorlist=file:///etc/yum.repos.d/rh-rhel-server-6-releases.mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslclientkey=/etc/pki/entitlement/key.pem
sslclientcert=/etc/pki/entitlement/product/content.crt
sslcacert=/etc/pki/entitlement/ca.crt

[repo_id-1]
name=Qpid
mirrorlist=file:///etc/yum.repos.d/rh-repo_id-1.mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
#sslclientkey=/etc/pki/entitlement/key.pem
#sslclientcert=/etc/pki/entitlement/product/content.crt
sslcacert=/etc/pki/entitlement/ca.crt
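
The distinction Jay draws in Comment 2 (a commented-out sslverify still means "verify", while a commented-out sslcacert silently drops back to the system CA bundle) and the corrected layout Kedar confirms in Comment 4 can be checked mechanically. The script below is an added example, not RHUI or Pulp code: it parses a yum .repo file with configparser, derives the effective TLS posture of every repo the way yum would read it, and reports the configurations that either disable server verification or cannot succeed against a server signed by a private CA. The sample file is constructed to mirror the three states seen in this bug (protected RHEL repo, broken unprotected repo, fixed unprotected repo) plus one repo with verification switched off; the repo ids with `-broken` and `-fixed` suffixes are my labels, not ids from the page.

```python
"""Audit the effective TLS/GPG posture of each repository in a yum .repo file.

Added example (not part of the bug report or the RHUI project). Defaults follow
yum's behaviour: a missing sslverify means True, a missing sslcacert means the
system CA bundle, a missing gpgcheck means False.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample modelled on the rh-cloud.repo files shown in the bug.
SAMPLE_REPO_FILE = """\
[rhel-server-6-releases]
name=Red Hat Enterprise Linux Server 6 Releases (RPMs)
mirrorlist=file:///etc/yum.repos.d/rh-rhel-server-6-releases.mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslclientkey=/etc/pki/entitlement/key.pem
sslclientcert=/etc/pki/entitlement/product/content.crt
sslcacert=/etc/pki/entitlement/ca.crt

[repo_id-1-broken]
name=Qpid (every ssl* key commented out, as in the original report)
mirrorlist=file:///etc/yum.repos.d/rh-repo_id-1.mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
#sslverify=1
#sslclientkey=/etc/pki/entitlement/key.pem
#sslclientcert=/etc/pki/entitlement/product/content.crt
#sslcacert=/etc/pki/entitlement/ca.crt

[repo_id-1-fixed]
name=Qpid (server verified against the RHUI CA, no client cert)
mirrorlist=file:///etc/yum.repos.d/rh-repo_id-1.mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslcacert=/etc/pki/entitlement/ca.crt

[insecure-example]
name=constructed repo with verification disabled
baseurl=https://example.invalid/repo
sslverify=0
"""

YUM_TRUE = {"1", "yes", "true", "on"}
YUM_FALSE = {"0", "no", "false", "off"}


def yum_bool(value: Optional[str], default: bool) -> bool:
    """Parse a yum-style boolean; an absent key takes yum's default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in YUM_TRUE:
        return True
    if v in YUM_FALSE:
        return False
    raise ValueError(f"not a yum boolean: {value!r}")


def audit_repo(section: configparser.SectionProxy) -> Dict[str, object]:
    """Return the effective TLS posture of one [repo] section plus findings."""
    verify = yum_bool(section.get("sslverify"), default=True)
    cacert = section.get("sslcacert")
    cert = section.get("sslclientcert")
    key = section.get("sslclientkey")
    findings: List[str] = []
    if not verify:
        findings.append("sslverify=0: the server certificate is never checked, so "
                        "metadata and packages can come from anyone on the path")
    elif cacert is None:
        # sslverify defaulted to True but only the system bundle is trusted:
        # a server signed by a private CA fails exactly as in the bug report.
        findings.append("no sslcacert: only the system CA bundle is trusted; a "
                        "private-CA server fails with 'Peer cert cannot be "
                        "verified or peer cert invalid'")
    if (cert is None) != (key is None):
        findings.append("sslclientcert and sslclientkey must be set together")
    if not yum_bool(section.get("gpgcheck"), default=False):
        findings.append("gpgcheck=0: package signatures are not verified")
    return {
        "sslverify": verify,
        "ca": cacert if cacert is not None else "system",
        "client_auth": cert is not None and key is not None,
        "findings": findings,
    }


def audit_file(text: str) -> Dict[str, Dict[str, object]]:
    """Audit every repo in the given .repo file contents, keyed by repo id."""
    cp = configparser.ConfigParser(interpolation=None)  # values may hold $basearch
    cp.read_string(text)  # full-line '#' comments are ignored, as yum does
    return {repo_id: audit_repo(cp[repo_id]) for repo_id in cp.sections()}


if __name__ == "__main__":
    for repo_id, result in audit_file(SAMPLE_REPO_FILE).items():
        print(f"[{repo_id}] verify={result['sslverify']} ca={result['ca']} "
              f"client_auth={result['client_auth']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run it against `/etc/yum.repos.d/rh-cloud.repo` by passing the file contents to `audit_file`. The `repo_id-1-broken` section reproduces the original failure: it has no findings about client certificates at all, because the real problem was never the missing consumer cert but the missing `sslcacert` under an implicit `sslverify=1`. The `repo_id-1-fixed` section, the layout RHUI 2.0.31 generates, is clean while still refusing a server that does not present a certificate chained to the RHUI CA.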

Comment 5 Jay Dobies 2011-06-21 20:59:35 UTC
Fixed in RHUI 2.0.31.

Comment 6 Kedar Bidarkar 2011-06-27 16:07:45 UTC
From the client end.

[root@domU-12-31-39-07-72-01 yum.repos.d]# cat rh-cloud.repo | grep -A 10 -i repoid-1
[rhui-repoid-1]
name=Qpid
mirrorlist=https://ip-10-86-250-248/pulp/mirror/baseos/x86_64/qpid/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslcacert=/etc/pki/entitlement/ca.crt

From the Pulp-server end,

[root@ip-10-122-70-115 noarch]# pulp-admin -u admin -p admin repo list | grep -A 17 -i "repoid-1"
Id                 	repoid-1                 
Name               	Qpid                     
Feed URL           	None                     
Feed Type          	None                     
Feed Certs         	CA:No   Cert:No
Consumer Certs     	CA:No   Cert:No
Architecture       	noarch                   
Sync Schedule      	None                     
Packages           	8                        
Files              	0                        
Distributions      	None                     
Publish            	True                     
Clones             	[]                       
Groups             	[u'custom']              
Filters            	[]                       
Notes              	None

Comment 7 wes hayutin 2011-08-01 21:38:21 UTC
moving to release pending

Comment 8 wes hayutin 2012-05-31 12:50:56 UTC
closing out, product released