Bug 1125030
| Summary: | pulp bindings can't be used with the system certificate pack | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Randy Barlow <rbarlow> |
| Component: | z_other | Assignee: | Randy Barlow <rbarlow> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | Master | CC: | pthomas |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 2.4.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-08-09 06:55:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Randy Barlow
2014-07-30 22:34:00 UTC
Here are some steps to verify this bug: 1) Set all verify_ssl settings to True (consumer.conf, admin.conf, nodes.conf). 2) Leave ca_path to its default setting (/etc/pki/tls/certs/ca-bundle.crt) 3) Verify that pulp-admin <any command that talks to the server> gives you the ssl warning. 4) Generate a certificate authority certificate and key, and use them to sign Apache's certificates. 5) Copy the CA certificate (not the key!) to /etc/pki/ca-trust/source/anchors/ 6) Run "update-ca-trust extract" as root (this will install the CA to the file at /etc/pki/tls/certs/ca-bundle.crt.) 7) Verify that pulp-admin is now willing to communicate with pulp server with no SSL warnings. [root@cloud-qe-15 ~]# rpm -qa pulp-server
pulp-server-2.4.0-0.30.beta.el6.noarch
[root@cloud-qe-15 ~]#
[root@cloud-qe-15 ~]# pulp-admin repo list
+----------------------------------------------------------------------+
Repositories
+----------------------------------------------------------------------+
WARNING: The server's SSL certificate is untrusted!
The server's SSL certificate was not signed by a trusted authority. This could
be due to a man-in-the-middle attack, or it could be that the Pulp server needs
to have its certificate signed by a trusted authority. If you are willing to
accept the associated risks, you can set verify_ssl to False in the client
config's [server] section to disable this check.
[root@cloud-qe-15 ~]#
[root@cloud-qe-15 ~]# cp newcerts/ca.crt /etc/pki/ca-trust/source/anchors/
[root@cloud-qe-15 ~]# update-ca-trust enable
[root@cloud-qe-15 ~]# update-ca-trust extract
[root@cloud-qe-15 ~]#
[root@cloud-qe-15 ~]#
[root@cloud-qe-15 ~]# pulp-admin repo list
+----------------------------------------------------------------------+
Repositories
+----------------------------------------------------------------------+
Id: zoo
Display Name: zoo
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
Rpm: 32
[root@cloud-qe-15 ~]#
This has been fixed in Pulp 2.4.0-1. |