Bug 798418

Summary: Cannot access protected repos via browser with imported uber cert
Product: [Retired] Pulp
Component: z_other
Version: unspecified
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Justin Sherrill <jsherril>
Assignee: Sayli Karmarkar <skarmark>
QA Contact: Preethi Thomas <pthomas>
CC: cperry
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-28 20:58:38 UTC

Description Justin Sherrill 2012-02-28 20:20:18 UTC
Description of problem:

Followed directions here:
https://fedorahosted.org/katello/wiki/GuideDebugCertificates

to generate and import an ubercert. Reproducing here for history:

1.  Download uber cert
2.  Copy from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem
3.  Copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem
4.  Run the following command to create a pkcs12 file:

    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]

    Provide a password when prompted.
5.  Using the preferences tab, import the resulting pfx file into your browser (Edit -> Preferences -> Advanced Tab -> View Certificates -> Import)
6.  On the Katello server, edit the /etc/httpd/conf.d/pulp.conf file. Add the following line in the <Directory /var/www/pub/repos> stanza:

        Options Indexes

7.  Restart Apache on the server.
8.  Point your browser at http://[FQDN]/pulp/repos/[ORG_NAME]


After doing so, I still get a 304 when accessing through the browser. Accessing via curl works fine.

Only error I see in the Apache SSL error logs is:


[Tue Feb 28 14:49:45 2012] [info] Connection: Client IP: 10.11.231.171, Protocol: TLSv1, Cipher: DHE-RSA-CAMELLIA256-SHA (256/256 bits)
[Tue Feb 28 14:49:45 2012] [info] [client 10.11.231.171] mod_wsgi (pid=4652, process='', application=''): Loading WSGI script '/srv/pulp/repo_auth.wsgi'.
[Tue Feb 28 14:49:45 2012] [error] [client 10.11.231.171] mod_wsgi (pid=4652): Client denied by server configuration: '/var/www/pub/repos/ACME_Corporation/Library/custom/zoo/zoorepo/repodata/repomd.xml'.


pulp-0.0.267-2.el6.noarch

Comment 1 Justin Sherrill 2012-02-28 20:58:38 UTC
Issue ended up being that in /etc/httpd/conf.d/pulp.conf SSLCACertificateFile was not set to the same value as in /etc/pulp/pulp.conf (was not set to the candlepin certs).


Fixing that fixed it.
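
Added example, not part of the original bug report or of Pulp's code: a drift check for the root cause in Comment 1, listing the SSLCACertificateFile paths in an Apache config and comparing the certificates in that CA bundle with the ones in the CA bundle Pulp is configured to use. The Pulp-side bundle is passed in as text because the page does not show which key in /etc/pulp/pulp.conf names it; all paths and certificate payloads below are constructed.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
CA_DIRECTIVE = re.compile(r"^\s*SSLCACertificateFile\s+(\S+)", re.I | re.M)


def apache_ca_files(conf_text):
    """Return every SSLCACertificateFile path in an Apache config, skipping comments."""
    live = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    return [path.strip("\"'") for path in CA_DIRECTIVE.findall(live)]


def cert_fingerprints(pem_text):
    """SHA-256 over the DER bytes of each certificate in a PEM bundle."""
    prints = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def ca_drift(apache_pem, pulp_pem):
    """Fingerprints trusted by only one side; two empty sets mean the bundles agree."""
    a, p = cert_fingerprints(apache_pem), cert_fingerprints(pulp_pem)
    return {"only_apache": a - p, "only_pulp": p - a}


def fake_pem(payload):
    # Constructed stand-in for a certificate: arbitrary bytes in PEM armour.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed sample input (illustrative paths and payloads, not from the bug).
SAMPLE_CONF = """
# SSLCACertificateFile /etc/pki/example/old-ca.crt
<VirtualHost *:443>
    SSLCACertificateFile /etc/pki/example/apache-ca.crt
</VirtualHost>
"""
APACHE_CA = fake_pem(b"constructed CA A")
PULP_CA = fake_pem(b"constructed CA B") + fake_pem(b"constructed CA A")

if __name__ == "__main__":
    print(apache_ca_files(SAMPLE_CONF))
    print(ca_drift(APACHE_CA, PULP_CA))
```

A non-empty "only_pulp" set means client certificates issued by that CA are accepted by Pulp's configuration but not trusted by Apache at the TLS layer, which is the mismatch described in Comment 1.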