Bug 790157

Summary: Accessing protected repos on pulp via yum fails with a 403
Product: [Retired] Pulp Reporter: Pradeep Kilambi <pkilambi>
Component: user-experienceAssignee: James Slagle <jslagle>
Status: CLOSED CURRENTRELEASE QA Contact: Preethi Thomas <pthomas>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 1.0.0CC: jmatthew, tsanders
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Pradeep Kilambi 2012-02-13 19:39:57 UTC 
Description of problem:

Here is my workflow which i think covers all the steps i performed to enable repo auth..

1. set repo_auth.conf to enabled to true

# cat /etc/pulp/repo_auth.conf |grep enabled
enabled: true


2. create my CA

# openssl genrsa -out caPulp.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
.......+++
e is 65537 (0x10001)

# openssl req -new -x509 -days 365 -key caPulp.key -out caPulp.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:RHT
Organizational Unit Name (eg, section) []:ENGG
Common Name (eg, your name or your server's hostname) []:Pulp Server CA
Email Address []:pkilambi

3. creating my entitlement certs

[root@domU-12-31-39-07-5C-DC ~]# openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
.........+++
e is 65537 (0x10001)

[root@domU-12-31-39-07-5C-DC ~]# cat extensions.txt 
[myRepo]
basicConstraints=CA:FALSE
1.3.6.1.4.1.2312.9.2.0000.1.1=ASN1:UTF8:Pulp Production MyRepo x86_64
1.3.6.1.4.1.2312.9.2.0000.1.2=ASN1:UTF8:pulp-prod-myrepo-64
1.3.6.1.4.1.2312.9.2.0000.1.6=ASN1:UTF8:repos/myRepo/

[root@domU-12-31-39-07-5C-DC ~]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:RHT
Organizational Unit Name (eg, section) []:ENGG
Common Name (eg, your name or your server's hostname) []:Pulp Entitlement Certificate
Email Address []:pkilambi

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@domU-12-31-39-07-5C-DC ~]# openssl x509 -req -days 365 -CA caPulp.crt -CAkey caPulp.key -CAcreateserial -extfile extensions.txt -extensions myRepo -in client.csr -out client.crt
Signature ok
subject=/C=US/ST=North Carolina/L=Raleigh/O=RHT/OU=ENGG/CN=Pulp Entitlement Certificate/emailAddress=pkilambi
Getting CA Private Key

4. create an auth repo

[root@domU-12-31-39-07-5C-DC ~]# pulp-admin repo create --id=myRepo --name=myRepo --consumer_ca=caPulp.crt  --consumer_cert=client.crt --consumer_key=client.key
Successfully created repository [ myRepo ]

5. upload content

[root@domU-12-31-39-07-5C-DC ~]# pulp-admin content upload --repoid=myRepo --nosig znc-0.204-3.el4.i386.rpm 
* Starting Content Upload operation. See /var/log/pulp/client.log for more verbose output

* Performing Content Uploads to Pulp server

* Performing Repo Associations 
Packages skipped because of filters associated with the repository myRepo : 0

* Metadata generation has been scheduled for repository [myRepo] with a task id [9565c62e-5677-11e1-9ebb-123139075cdc]; use `pulp-admin repo generate_metadata --status` to check the status.

* Content Upload complete.


[root@domU-12-31-39-07-5C-DC ~]# cat /etc/pki/pulp/content/pulp-protected-repos
myRepo,myRepo

[root@domU-12-31-39-07-5C-DC ~]# ls -l /etc/pki/pulp/content/myRepo/
total 8
-rw-r--r--. 1 apache apache 1440 Feb 13 14:18 consumer-myRepo.ca
-rw-r--r--. 1 apache apache 3211 Feb 13 14:18 consumer-myRepo.cert



6. create a consumer and bind to it

[root@domU-12-31-39-07-5C-DC ~]# pulp-consumer -u admin -p admin consumer register --id=prad-con
warning: this client is not known to the pulp server; run 'pulp-consumer consumer register' to register it
Successfully registered consumer [ prad-con ]

7. bind the consumer to the repo

[root@domU-12-31-39-07-5C-DC ~]# pulp-consumer consumer bind --repoid=myRepo
Successfully subscribed consumer [prad-con] to repo [myRepo]

# ls -l /etc/pki/pulp/client/repo/myRepo/
total 8
-rw-r--r--. 1 root root 1440 Feb 13 14:19 ca.crt
-rw-r--r--. 1 root root 3211 Feb 13 14:19 client.crt


# cat /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#

[myRepo]
name = myRepo
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/pulp/client/repo/myRepo/ca.crt
sslclientcert = /etc/pki/pulp/client/repo/myRepo/client.crt
baseurl = https://x86-008.build.bos.redhat.com/pulp/repos/myRepo

# yum repolist
Loaded plugins: amazon-id, pulp-profile-update, rhui-lb, security
https://x86-008.build.bos.redhat.com/pulp/repos/myRepo/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
repo id                                                          repo name                                                                            status
epel                                                             Extra Packages for Enterprise Linux 6 - x86_64                                       6,929
myRepo                                                           myRepo                                                                                   0
pulp-v1-testing                                                  Pulp v1 Testing                                                                          0
rhui-us-east-1-client-config-server-6                            Red Hat Update Infrastructure 2.0 Client Configuration Server 6                          0
rhui-us-east-1-rhel-server-releases                              Red Hat Enterprise Linux Server 6 (RPMs)                                                 0
rhui-us-east-1-rhel-server-releases-optional                     Red Hat Enterprise Linux Server 6 Optional (RPMs)                                        0
repolist: 6,929


# turn off ssl verify:
[root@domU-12-31-39-07-5C-DC ~]# yum repolist
Loaded plugins: amazon-id, pulp-profile-update, rhui-lb, security
https://x86-008.build.bos.redhat.com/pulp/repos/myRepo/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403"
Trying other mirror.
repo id                                                          repo name                                                                            status
epel                                                             Extra Packages for Enterprise Linux 6 - x86_64                                       6,929
myRepo                                                           myRepo                                                                                   0
pulp-v1-testing                                                  Pulp v1 Testing                                                                          0
rhui-us-east-1-client-config-server-6                            Red Hat Update Infrastructure 2.0 Client Configuration Server 6                          0
rhui-us-east-1-rhel-server-releases                              Red Hat Enterprise Linux Server 6 (RPMs)                                                 0
rhui-us-east-1-rhel-server-releases-optional                     Red Hat Enterprise Linux Server 6 Optional (RPMs)                                        0
repolist: 6,929



Error in ssl_error_log i see couple of errors:

[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] Certificate to verify: 
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] \tsubject=</C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, issuer=</C=US/ST=North Carolina/L=Raleigh/O=Red hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, subject.as_hash=<411955543>, issuer.as_hash=<411955543>, fingerprint=<F626D0C5F27995050CC7947E7D27F529>, serial=<17116627806546844322>, version=<2>, check_ca=<0>, notBefore=<Feb 13 17:54:50 2012 GMT>, notAfter=<Feb 12 17:54:50 2013 GMT>
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] Using a CA Chain with 1 cert(s)
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] \tCA: subject=</C=US/ST=North Carolina/L=Raleigh/O=Red hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, issuer=</C=US/ST=North Carolina/L=Raleigh/O=Red hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, subject.as_hash=<411955543>, issuer.as_hash=<411955543>, fingerprint=<E6659ECD9FB90A4AE5D7DC9A747D34A2>, serial=<18341169043305500429>, version=<2>, check_ca=<1>, notBefore=<Feb 13 17:52:39 2012 GMT>, notAfter=<Feb 12 17:52:39 2013 GMT>
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] Using a CRL Stack with 0 CRL(s)Client certificate did not match the repo consumer CA certificate
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] mod_wsgi (pid=2671): Client denied by server configuration: '/var/www/pub/repos/testrepo/repodata/repomd.xml'.
[Mon Feb 13 14:20:04 2012] [error] [client 127.0.0.1] Request denied to destination [/pulp/repos/myRepo/repodata/repomd.xml]
[Mon Feb 13 14:20:04 2012] [error] [client 127.0.0.1] mod_wsgi (pid=2670): Client denied by server configuration: '/var/www/pub/repos/myRepo/repodata/repomd.xml'.
Comment 1 John Matthews 2012-02-14 01:52:23 UTC 
Something seems weird with the cert outputted in the log.

Based on the output from comment #0
1) the CA should have a CN of: Pulp Server CA
2) the ent cert should have a CN of: Pulp Entitlement Certificate

Yet the Pulp log shows the ent cert to verify and the CA both have a CN=x86-008.build.bos.redhat.com

Next step would be to run something like:
openssl x509 -in /etc/pki/pulp/content/myRepo/myRepo.ca -text
openssl x509 -in /etc/pki/pulp/content/myRepo/myRepo.crt -text

Also, it's worth noting that a separate cert/key were used and this isn't a combined cert/key in a single PEM, that may also be a factor of this bz.
Comment 2 Pradeep Kilambi 2012-02-14 14:30:27 UTC 
We tried this twice, the first time my CN was x86-008.build.bos.redhat.com and my result was still a 403. The log probably is showing the cert info from first run, but in both cases the result was the same.

Regarding the cert/key being separate, I already verified that when the bind happens, the cert that gets put down on the consumer is a pem file. SO even though we're passing in cert/key as sparate it gets combined on the server when it gets saved.

I already spoke to james about this on irc. He said he will validate it. There is a chance this is a non issue and i missed a step, but i tried it twice in a clean env and still got a 403.
Comment 3 James Slagle 2012-02-14 22:13:24 UTC 
I was able to reproduce the error with sslverify=1 needing to be turned off, but once I did that, I got access to the repo.

As to why sslverify=0 is needed, it's because we are sending down the wrong CA cert to the client during the bind operation to use for the sslcacert value.  The CA we send down is the one that signed the client entitlement certificate, not the one that signed the server's apache ssl certificate.

The code that does this is in pulp/server/consumer_utils.py at line 83.  That code reads the consumer_ca attribute on the repo object and sends that down as cacert in the bind data, which gets saved as sslcacert in the yum config on the client.  The consumer_ca file on the repo object is the CA that's used server side to verify the client certificate.  This needs to be fixed.

Fixing this is going to be tricky.  Mainly because we don't have know the path to the CA that signed the apache SSL certificate anywhere in pulp.  This information isn't required for anything server side, and in fact you don't even have to have the CA available anywhere.

Furthermore, it's possible that the server's SSL certificate is self signed in which case, there is no CA, we'd need to pass down the certificate itself.

I think what we need to do is add a new config to /etc/pulp/pulp.conf to add the path to the CA that signed the server's SSL certificate.  If that certificate is self signed, this can be the path to the certificate itself.  We can default the value to /etc/pki/tls/certs/localhost.crt, which is the default path to the server's SSL certificate in /etc/httpd/conf.d/ssl.conf.  We can then read this config and pass this certificate down to the client as cacert in the bind data.
Comment 4 James Slagle 2012-02-14 23:07:54 UTC 
Ok, I was able to verify the repo auth error as well even with sslverify=0 set, so now I'm looking into that.
Comment 5 James Slagle 2012-02-14 23:39:33 UTC 
The 403 repo auth failure is due to an error in the blog post example at http://blog.pulpproject.org/2011/05/18/pulp-protected-repositories/.

The OID extension should not start with /repos.  We actually strip out /pulp/repos from the beginning of the requested url, not just /pulp.

As far as I can tell the repo auth code has always done this, so I'm not sure why that blog post shows what it does.  I seem to have a vague recollection that the repo path on the pulp server changed, didn't it used to be under 2 repo dirs, like /pulp/repos/repos?

If I generate a client certificate without the initial /repos in the extension I can get the repo auth to work (minus the sslverify issue of course).
Comment 6 James Slagle 2012-02-16 19:47:58 UTC 
fix from comment #3 committed to pulp master 9d2f3265ddbe9384c8060c48f9eac40333122d64
Comment 7 James Slagle 2012-02-16 20:26:01 UTC 
user guide changes updated at https://fedorahosted.org/pulp/wiki/UGRepoAuth
Comment 8 Jeff Ortel 2012-02-17 17:17:52 UTC 
build: 0.267
Comment 9 Preethi Thomas 2012-02-22 15:57:54 UTC 
verified
[root@preethi chain_example]# rpm -q pulp
pulp-0.0.267-1.fc15.noarch

[root@preethi-el6-pulp ~]# yum repolist
Loaded plugins: product-id, pulp-profile-update, security, subscription-manager
Updating certificate-based repositories.
pulp_f15_x86_64                                          | 2.9 kB     00:00     
pulp_f15_x86_64/primary_db                               |  11 kB     00:00     
rhel6                                                    | 4.0 kB     00:00     
rhel6/primary_db                                         | 3.1 MB     00:02     
rhel6_2                                                  | 3.7 kB     00:00     
rhel6_2/primary_db                                       |  11 MB     00:03     
repo id             repo name                                             status
epel                Extra Packages for Enterprise Linux 6 - x86_64        6,991
pulp-v1-testing     Pulp v1 Testing                                          20
pulp_f15_x86_64     pulp_f15_x86_64                                          20
rhel6               Red Hat Enterprise Linux 6Server - x86_64 - RHEL6     3,529
rhel6_2             rhel6_2                                               6,862
repolist: 17,422
[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/
epel.repo          pulp.repo          rhel-pulp.repo     rhel-source.repo
epel-testing.repo  redhat.repo        rhel-pulp.repo.1   
[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/pulp.repo 
#
# Pulp Repositories
# Managed by Pulp client
#

[rhel6_2]
name = rhel6_2
enabled = 1
sslverify = 0
gpgcheck = 0
baseurl = https://preethi.usersys.redhat.com/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/os

[pulp_f15_x86_64]
name = pulp_f15_x86_64
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/ca.crt
sslclientcert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/client.crt
baseurl = https://preethi.usersys.redhat.com/pulp/repos/repos/pulp/pulp/v1/testing/fedora-15/x86_64[root@preethi-el6-pulp ~]#
Comment 10 Preethi Thomas 2012-02-24 20:18:27 UTC 
Pulp v1.0 is released
Closed Current Release.
Comment 11 Preethi Thomas 2012-02-24 20:19:09 UTC 
Pulp v1.0 is released.