| Summary: | Pulp certificate configuration inconsistent | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | James Laska <jlaska> |
| Component: | Installer | Assignee: | Martin Bacovsky <mbacovsk> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Og Maciel <omaciel> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0.0 | CC: | bkearney, jason.dobies, jturner, mbacovsk, mmccune, omaciel, tsanders |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-22 18:30:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
James Laska
2012-03-05 18:10:45 UTC
So there is no error message there. Just to clean it a bit. It's apparently unused.

These are all used and, from what I can tell, correctly set. I'll break it down by entry above:

== /etc/pulp/pulp.conf ==

    > [security]
    > cacert: /etc/candlepin/certs/candlepin-ca.crt

From the pulp.conf itself:

    # full path to the CA certificate that will be used to sign
    # consumer and admin identification certificates. This MUST match
    # the value of SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf

The reason it must match is because Pulp creates the admin/consumer certificates and signs them with that CA, whereas Apache verifies them when they are used. If in Katello Pulp isn't creating any certificates, this specific entry probably isn't used. But I wouldn't go hacking away at Pulp's conf file, there may still be integrity checks on Pulp's config that require it to be present.

== /etc/httpd/conf.d/pulp.conf ==

    > SSLCACertificateFile /etc/pki/pulp/ca.crt

See above explanation. This is the Apache side of it.

== /etc/pulp/repo_auth.conf ==

    > [repos]
    > cert_location: /etc/pki/pulp/content
    > global_cert_location: /etc/pki/pulp/content
    >
    > # ls -l /etc/pki/pulp/content/7e764a0e.r0 /etc/pki/pulp/content/pulp-global-repo.ca
    > lrwxrwxrwx. 1 root root 36 Mar 2 07:20 /etc/pki/pulp/content/7e764a0e.r0 -> /var/lib/candlepin/candlepin-crl.crl
    > lrwxrwxrwx. 1 root root 37 Mar 2 07:20 /etc/pki/pulp/content/pulp-global-repo.ca -> /etc/candlepin/certs/candlepin-ca.crt

The above two sections referred to consumer/admin user certificates into Pulp's REST APIs. This section refers to the entitlement certificates used for repo access. Pulp (not Apache) will look in here for the CA that signed the entitlement certificate to ensure the client attempting to access the repo hasn't self-signed an entitlement in an effort to steal content. The reason this points to candlepin CAs is because it's candlepin signing the entitlement certs.

My suggestion is to just leave it alone. It's not hurting anything and I can't vouch for how happy Pulp will be if you start removing expected config values (not to mention there's an ugly half-finished mechanism in the server that will add these back with defaults if they are missing, which would be really hard to debug).

Problem with configuration of SSL CA certificate in /etc/httpd/conf.d/pulp.conf has been fixed since katello-configure-0.1.102. See bz #798454.

    # cat /etc/httpd/conf.d/pulp.conf |grep SSLCACert
    SSLCACertificateFile /etc/candlepin/certs/candlepin-ca.crt

According to comments above I believe /etc/pulp/repo_auth.conf does not need any adjustments.

Verified:

* candlepin-0.5.24-1.el6.noarch
* candlepin-tomcat6-0.5.24-1.el6.noarch
* katello-0.1.303-1.el6.noarch
* katello-all-0.1.303-1.el6.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.0.4-1.el6.noarch
* katello-cli-0.1.102-1.el6.noarch
* katello-cli-common-0.1.102-1.el6.noarch
* katello-common-0.1.303-1.el6.noarch
* katello-configure-0.1.104-1.el6.noarch
* katello-glue-candlepin-0.1.303-1.el6.noarch
* katello-glue-foreman-0.1.303-1.el6.noarch
* katello-glue-pulp-0.1.303-1.el6.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-0.1.8-1.el6.noarch
* pulp-1.0.0-4.el6.noarch
* pulp-common-1.0.0-4.el6.noarch
* pulp-selinux-server-1.0.0-4.el6.noarch
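The inconsistency this report is about (Pulp signing identity certificates with the CA named in `/etc/pulp/pulp.conf` while Apache verifies them against a different `SSLCACertificateFile`, and the repo_auth CA symlinks needing to resolve to that same Candlepin CA) can be checked mechanically before and after running the installer. The following is an added example, not code from the bug report or from Katello/Pulp; the three config paths are parameters, and `demo()` builds a constructed scratch layout instead of reading a real host.

```python
import configparser, hashlib, os, re, tempfile

def _digest(path):  # sha256 of whatever the path (or symlink chain) finally points at
    with open(os.path.realpath(path), "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_ca_consistency(pulp_conf, httpd_conf, repo_auth_conf):
    """Return a list of findings; an empty list means the three files agree."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(pulp_conf)
    pulp_ca = cp.get("security", "cacert")          # CA Pulp signs admin/consumer certs with
    httpd_ca = None                                  # CA Apache verifies those certs against
    with open(httpd_conf) as f:
        for line in f:
            m = re.match(r"\s*SSLCACertificateFile\s+(\S+)", line)
            if m:
                httpd_ca = m.group(1)
    if httpd_ca is None:
        return ["SSLCACertificateFile not set in " + httpd_conf]
    for p in (pulp_ca, httpd_ca):
        if not os.path.isfile(p):                    # False for dangling symlinks too
            return [f"{p} does not exist (dangling symlink?)"]
    findings = [] if _digest(pulp_ca) == _digest(httpd_ca) else [
        f"CA mismatch: Pulp signs with {pulp_ca}, Apache verifies with {httpd_ca}"]
    ra = configparser.ConfigParser(interpolation=None)
    ra.read(repo_auth_conf)
    loc = ra.get("repos", "global_cert_location")   # where Pulp looks for the entitlement CA
    for name in sorted(os.listdir(loc)):
        path = os.path.join(loc, name)
        if not os.path.isfile(path):
            findings.append(f"{path} is a dangling symlink")
        elif name.endswith(".ca") and _digest(path) != _digest(pulp_ca):
            findings.append(f"repo CA {path} differs from {pulp_ca}")
    return findings

def demo(consistent):
    root = tempfile.mkdtemp()  # constructed scratch layout mirroring the report, not a real host
    certs = os.path.join(root, "etc/candlepin/certs"); os.makedirs(certs)
    content = os.path.join(root, "etc/pki/pulp/content"); os.makedirs(content)
    candlepin_ca = os.path.join(certs, "candlepin-ca.crt")
    stale_ca = os.path.join(root, "etc/pki/pulp/ca.crt")   # the pre-fix Apache setting
    with open(candlepin_ca, "w") as f: f.write("CONSTRUCTED CANDLEPIN CA\n")
    with open(stale_ca, "w") as f: f.write("CONSTRUCTED UNRELATED PULP CA\n")
    os.symlink(candlepin_ca, os.path.join(content, "pulp-global-repo.ca"))
    confs = {"pulp.conf": f"[security]\ncacert: {candlepin_ca}\n",
             "httpd-pulp.conf": f"SSLCACertificateFile {candlepin_ca if consistent else stale_ca}\n",
             "repo_auth.conf": f"[repos]\ncert_location: {content}\nglobal_cert_location: {content}\n"}
    for name, body in confs.items():
        with open(os.path.join(root, name), "w") as f: f.write(body)
    return check_ca_consistency(*(os.path.join(root, n) for n in confs))
```

`demo(False)` reproduces the pre-katello-configure-0.1.102 layout and reports one CA mismatch; `demo(True)` reproduces the fixed layout and reports nothing.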