| Summary: | CDS sync fails if global repo auth certs exist on pulp-server | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | John Matthews <jmatthew> |
| Component: | nodes | Assignee: | Jeff Ortel <jortel> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | skarmark |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | Sprint 27 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-02-24 20:12:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Updated to send ca/cert bundle contents instead of file paths.
build: 0.228
verified
[root@pulp-f15 ~]# rpm -q pulp
pulp-0.0.228-1.fc15.noarch
[root@pulp-f15 ~]#
[root@pulp-f15 ~]# pulp-admin auth enable_global_repo_auth --ca=/root/certs/ca1.crt --cert=/root/certs/pulp-f14.crt --key=/root/certs/ca1.key
Global repository authentication enabled
[root@pulp-f15 ~]# pulp-admin cds sync --hostname=pulp-cds.usersys.redhat.com
Sync for CDS [pulp-cds.usersys.redhat.com] started
Use "cds status" to check on the progress
[root@pulp-f15 ~]# pulp-admin cds status --hostname=pulp-cds.usersys.redhat.com
+------------------------------------------+
CDS Status
+------------------------------------------+
Name pulp-cds.usersys.redhat.com
Hostname pulp-cds.usersys.redhat.com
Description None
Cluster None
Sync Schedule None
Repos None
Last Sync 2011-08-30 15:24:36-04:00
Status:
Responding Yes
Last Heartbeat 2011-08-30 19:24:33.996168+00:00
+------------------------------------------+
Most Recent Sync Tasks
+------------------------------------------+
State Finished
Start Time 2011-08-30 15:24:36-04:00
Finish Time 2011-08-30 15:24:36-04:00
[root@pulp-f15 ~]# pulp-admin auth disable_global_repo_auth
Global repository authentication disabled
[root@pulp-f15 ~]# pulp-admin cds sync --hostname=pulp-cds.usersys.redhat.com
Sync for CDS [pulp-cds.usersys.redhat.com] started
Use "cds status" to check on the progress
[root@pulp-f15 ~]# pulp-admin cds status --hostname=pulp-cds.usersys.redhat.com
+------------------------------------------+
CDS Status
+------------------------------------------+
Name pulp-cds.usersys.redhat.com
Hostname pulp-cds.usersys.redhat.com
Description None
Cluster None
Sync Schedule None
Repos None
Last Sync 2011-08-30 15:26:17-04:00
Status:
Responding Yes
Last Heartbeat 2011-08-30 19:26:24.309619+00:00
+------------------------------------------+
Most Recent Sync Tasks
+------------------------------------------+
State Finished
Start Time 2011-08-30 15:26:17-04:00
Finish Time 2011-08-30 15:26:17-04:00
[root@pulp-f15 ~]#
Pulp v1.0 is released.
Closed Current Release.
Description of problem:

I was unable to perform a successful CDS sync when I had existing global repo auth certs on my pulp-server. The CDS would attempt to sync using bad global repo certs and sync would fail.

When I looked at the certs used on CDS side I saw the content of the cert was bad. Content of the cert was its filename. So '/etc/pki/content/pulp-global-repo.cert' had content of '/etc/pki/content/pulp-global-repo.cert' and not expected cert data.

It looked like the pulp-server was sending out the global_cert_bundle with the filename and not the contents of the cert.

Pulp-server had global repo certs in key/cert format: /etc/pki/content/BACKUP/pulp-global-repo.{ca,key.cert}
Note: These were older certs from a few months ago.

Pulp-server was sending below on sync call:

gofer.messaging.policy:INFO: policy:116 sent (cds-pulp-cds):

    {
      "classname": "cdsplugin",
      "kws": {},
      "args": [
        {
          "repos": [
            {
              "name": "jwm_test",
              "publish": true,
              "relative_path": "repo_resync",
              "source": {
                "url": "http://jmatthews.fedorapeople.org/repo_resync/",
                "type": "remote"
              },
              "_id": "jwm_test",
              "arch": "noarch",
              "id": "jwm_test"
            }
          ],
          "repo_base_url": "https://jwm-devel.home//pulp/repos",
          "repo_cert_bundles": {
            "jwm_test": null
          },
          "cluster_id": null,
          "cluster_members": null,
          "server_ca_cert": null,
          "global_cert_bundle": {
            "ca": "/etc/pki/content/pulp-global-repo.ca",
            "cert": "/etc/pki/content/pulp-global-repo.cert"
          }
        }
      ],
      "method": "sync"
    }

I removed the global repo auth certs on pulp-server, and CDS syncs worked.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. On pulp-server create cert for /etc/pki/content/pulp-global-repo.cert
2. On pulp-server create ca for /etc/pki/content/pulp-global-repo.ca
3. On pulp-server disable global repo auth
4. Initiate a CDS sync

Actual results:
Observe CDS sync fails, further on CDS side the contents of: /etc/pki/content/pulp-global-repo.cert is incorrect, it is the filename and not actual SSL cert data.

Expected results:
CDS sync succeeds.

Additional info:
My setup with global repo auth was old, prior to when we moved from key/cert to just a cert. Possibly what I am seeing is a result of working with an old setup?
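
A receiver-side check for the failure described in this report, as an added example that is not Pulp's own code: it rejects a `global_cert_bundle` whose values are file paths or otherwise not PEM-shaped before anything is written to disk, and shows the sender reading file contents into the message. The function names (`pem_problem`, `check_bundle`, `load_bundle`, `demo`) are hypothetical, `FAKE_PEM` is a constructed placeholder rather than a real certificate, and the check is structural only (it does not parse or verify the certificate).

```python
import base64
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.+?)\s+-----END \1-----", re.S)

# The bundle exactly as logged in the report: paths where data should be.
AS_SENT = {"ca": "/etc/pki/content/pulp-global-repo.ca",
           "cert": "/etc/pki/content/pulp-global-repo.cert"}

# Constructed placeholder; PEM-shaped but not a real certificate.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"constructed sample, not a certificate").decode()
            + "\n-----END CERTIFICATE-----\n")

def pem_problem(value):
    """Return None if value is PEM-shaped, otherwise the reason it is not."""
    if not isinstance(value, str) or not value.strip():
        return "empty or not a string"
    text = value.strip()
    if "\n" not in text and text.startswith("/"):
        return "file path, not certificate data"
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return "no PEM BEGIN/END block"
    for _label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "PEM body is not valid base64"
    return None

def check_bundle(bundle):
    """Receiver side: map each rejected key ('ca', 'cert') to its reason."""
    found = {k: pem_problem(bundle.get(k)) for k in ("ca", "cert")}
    return {k: why for k, why in found.items() if why}

def load_bundle(paths):
    """Sender side: read each file so the message carries contents, not paths."""
    return {k: Path(p).read_text() for k, p in paths.items()}

def demo():
    with tempfile.TemporaryDirectory() as d:
        paths = {k: str(Path(d) / f"pulp-global-repo.{k}") for k in AS_SENT}
        for p in paths.values():
            Path(p).write_text(FAKE_PEM)
        return check_bundle(load_bundle(paths))
```

Running `check_bundle(AS_SENT)` on the logged message flags both keys, while a bundle built with `load_bundle` passes.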