Bug 769888
| Summary: | Changes that need to be done to integrate Katello generated certificates | | |
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Lukas Zapletal <lzap> |
| Component: | rel-eng | Assignee: | Jeff Ortel <jortel> |
| Status: | CLOSED NOTABUG | QA Contact: | Preethi Thomas <pthomas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.1.0 | CC: | jslagle, skarmark, tsanders |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-04-02 12:19:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Lukas Zapletal
2011-12-22 16:05:34 UTC
I believe this issue is relevant: https://bugzilla.redhat.com/show_bug.cgi?id=754728#c7

For pulp, I believe we can just either update configuration or replace pulp certificates with symlinks to installer generated certificates.

To start with, here is some information on pulp certificates:

========================================== CA ==========================================
Usage: To authenticate access to content and REST API:
Configuration: /etc/httpd/conf.d/pulp.conf
Format: PEM
Eg:
[security]
cacert: /etc/pki/pulp/ca.crt
cakey: /etc/pki/pulp/ca.key

Usage: To generate user (login) and consumer certificates:
Configuration: /etc/httpd/conf.d/pulp.conf
Format: PEM
Eg:
SSLCACertificateFile /etc/pki/pulp/ca.crt

========================================== SSL Server ==========================================
Usage: Web server SSL
Configuration: /etc/httpd/conf.d/ssl.conf
Format: PEM
Eg:
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

========================================== QPID ==========================================
see: https://fedorahosted.org/pulp/wiki/QPID

@Jeff - thanks. Questions:

What about this pulp-global-repo.ca? Can I symlink it to the pulp.crt?

What about client configuration - how is the CA published to the client?

Jeff W. reported that when the pulp.crt is not self-signed it does not work (RHBZ 754728). Is Pulp supposed to work with this configuration, or do you need to change it to support that?

I updated the pulp wiki[1] page that consolidates how pulp uses certificates and how it is configured. Still looking into RHBZ:754728.

Suggested configuration steps:

[CA] = The candlepin CA

SERVER:
* Edit /etc/httpd/conf.d/pulp.conf and set: SSLCACertificateFile to the location of the [CA].
* Enable global repo auth.
* Add symlink in /etc/pki/content/pulp-global-repo.ca --> [CA].
* Edit: repo_auth.conf and enable:true
* QPID configuration as defined on the pulp wiki[3] using the [CA].

CONSUMER: Uses existing RHSM configuration. How the agent works is documented on the katello wiki[2].

REFERENCES:
[1] https://fedorahosted.org/pulp/wiki/Certificates
[2] https://fedorahosted.org/katello/wiki/KatelloAgent
[3] https://fedorahosted.org/pulp/wiki/QPID

The step 2 "* Enable global repo auth." is redundant to step 4, which is more specific. Please disregard.

Hey Lukas,

Do you need anything further on this? If not, I'd like to get this off my plate. If you'd like to keep it open for tracking, perhaps we can just reassign?

Thanks,
Jeff

Sorry. We implemented this and no changes on Pulp side are necessary.
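After the server-side steps above (SSLCACertificateFile in pulp.conf, the pulp-global-repo.ca symlink, repo_auth.conf enabled), a practitioner wants to confirm that every reference really resolves to the same installer-provided CA rather than a leftover self-signed one. The stdlib-only audit below is an added example, not code from this bug or from Pulp or Katello; the repo_auth.conf section name, the Candlepin CA filename and the temporary directory layout in `demo()` are assumptions made for the constructed run.

```python
import configparser
import os
import re
import tempfile

SSL_CA_RE = re.compile(r"^\s*SSLCACertificateFile\s+(\S+)", re.MULTILINE)

def apache_ca_path(conf_path):
    """Return the SSLCACertificateFile value (Apache directive, as quoted in the bug), or None."""
    with open(conf_path) as fh:
        match = SSL_CA_RE.search(fh.read())
    return match.group(1) if match else None

def repo_auth_enabled(conf_path):
    """True when any section of repo_auth.conf sets enable/enabled to true (section name is assumed)."""
    cp = configparser.ConfigParser()
    cp.read(conf_path)
    return any(cp.getboolean(sec, key, fallback=False)
               for sec in cp.sections() for key in ("enable", "enabled"))

def audit(pulp_conf, global_repo_ca, repo_auth_conf, installer_ca):
    """Return findings as strings; an empty list means the three steps agree."""
    same = lambda a, b: os.path.realpath(a) == os.path.realpath(b)  # symlink-aware compare
    findings = []
    ca_ref = apache_ca_path(pulp_conf)
    if ca_ref is None or not same(ca_ref, installer_ca):
        findings.append(f"pulp.conf: SSLCACertificateFile {ca_ref} is not the installer CA")
    if not os.path.islink(global_repo_ca) or not same(global_repo_ca, installer_ca):
        findings.append("pulp-global-repo.ca: not a symlink resolving to the installer CA")
    if not repo_auth_enabled(repo_auth_conf):
        findings.append("repo_auth.conf: repository auth is not enabled")
    return findings

def demo():
    """Constructed temp layout mirroring the bug's steps: audit it set up correctly, then with a stale CA."""
    root = tempfile.mkdtemp()
    ca, stale = os.path.join(root, "candlepin-ca.crt"), os.path.join(root, "old-self-signed.crt")
    pulp_conf, link = os.path.join(root, "pulp.conf"), os.path.join(root, "pulp-global-repo.ca")
    repo_auth = os.path.join(root, "repo_auth.conf")
    for path, body in ((ca, "CONSTRUCTED CA PEM"), (stale, "CONSTRUCTED STALE PEM"), (repo_auth, "[main]\nenabled: true")):
        with open(path, "w") as fh:
            fh.write(body + "\n")
    os.symlink(ca, link)
    results = []
    for ca_ref in (ca, stale):  # second pass leaves the directive pointing at the old cert
        with open(pulp_conf, "w") as fh:
            fh.write(f"SSLCACertificateFile {ca_ref}\n")
        results.append(audit(pulp_conf, link, repo_auth, ca))
    return results
```

Point `audit()` at the real /etc paths from the steps above to run it on a live server; `demo()` only exercises the logic on the constructed files.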