Bug 1089487 - Need clearer error for user-cert.pem conflicts with shared home directory between two nodes
Summary: Need clearer error for user-cert.pem conflicts with shared home directory bet...
Alias: None
Product: Pulp
Classification: Retired
Component: documentation
Version: 2.3
Hardware: x86_64
OS: Linux
Target Milestone: ---
: ---
Assignee: pulp-bugs
QA Contact: pulp-qe-list
Depends On:
TreeView+ depends on / blocked
Reported: 2014-04-19 16:57 UTC by Jason
Modified: 2015-02-28 22:05 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-28 22:05:00 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Pulp Redmine 417 0 None None None Never

Description Jason 2014-04-19 16:57:15 UTC
Description of problem:
This is a pretty specific "gotcha" I was having, but had me scratching my head.   Our home directories are shared across a handful of servers in our environment, so ~/.pulp/user-cert.pem can be a source of conflicts.

Version-Release number of selected component (if applicable):
Pulp 2.3 on CentOS 6.5

How reproducible:

Steps to Reproduce:
1.  Login to parent server and do some sort of pulp-admin command.

jason@pulpmaster~> pulp-admin login -u admin
jason@pulpmaster~> pulp-admin node repo list
                          Enabled Repositories

repos are successfully listed here...

2. Try a pulp-admin command on child server.  User jason has a nfs-shared home directory between pulpparent and pulpchild. 

jason@pulpchild:~> pulp-admin node repo list
                          Enabled Repositories

An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.

Conversely, if I log into the child first, then I can do pulp-admin commands on the child, but then I get the errors on the parent.

Actual results:

~/.pulp/admin.log shows a generic "sslv3 bad certificate" error.

Expected results:

An error message saying the ~/.pulp/user-cert.pem is invalid.  I wasn't sure what certificate it was complaining about - the server cert, CA, or user cert.  Also a note in the documentation about this "gotcha" would be nice for people setting up multiple pulp servers with shared user directories (per solution below).

Additional info:

The solution is to make the user cert filename host-specific in /etc/pulp/admin/admin.conf:

extensions_dir = /usr/lib/pulp/admin/extensions
# Location to store the authentication certificate to pass to the server
id_cert_dir = ~/.pulp
id_cert_filename = user-cert.hostname.pem

Comment 1 Brian Bouterse 2015-02-28 22:05:00 UTC
Moved to https://pulp.plan.io/issues/417

Note You need to log in before you can comment on or make changes to this bug.