Bug 1210878 - [RFE] Allow user to disable SSL verification for custom repositories hosted via SSL
Summary: [RFE] Allow user to disable SSL verification for custom repositories hosted v...
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: 6.0.8
Hardware: Unspecified
OS: Unspecified
medium vote
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Peter Ondrejka
Depends On:
TreeView+ depends on / blocked
Reported: 2015-04-10 19:01 UTC by Rich Jerrido
Modified: 2022-03-13 14:18 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2018-02-21 12:29:34 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 15802 0 Normal Closed Need a quick way to allow "insecure" syncs 2021-02-04 07:04:42 UTC
Red Hat Issue Tracker SAT-8956 0 None None None 2022-03-13 14:18:03 UTC
Red Hat Product Errata RHSA-2018:0336 0 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Description Rich Jerrido 2015-04-10 19:01:08 UTC
Description of problem:
As a user, I have multiple yum repositories that I wish to use with Satellite 6. These repositories are internal to my organization, and are hosted via SSL via self-signed certificates. 

When synchronizing these repositories in Satellite 6, synchronization fails with

"[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a custom product
2. Create a repository of type 'yum' associated with the custom product
3. Set the URL to https://foo.bar.com where https://foo.bar.com has a self-signed cert. 
4. Attempt to sync the repository. 

Actual results:

"[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

Expected results:

The repository should be synchronized. 

Additional info:

This RFE requests the ability to disable SSL verification on a per-repository basis, with the appropriate options in hammer-cli and the API to do the same.

Comment 1 RHEL Program Management 2015-04-10 19:13:31 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Bryan Kearney 2015-10-01 14:55:59 UTC
If I can find a way to put a self signed CA in the chain of trust, is that sufficient?

Comment 4 Bryan Kearney 2015-10-01 15:55:08 UTC
Note, you can add the self signed CA to the OS CA store using update-ca-trust. This can be done w/o a pulp restart. Or you can use


and restart pulp

Comment 5 Rich Jerrido 2015-10-02 11:38:41 UTC
(In reply to Bryan Kearney from comment #3)
> If I can find a way to put a self signed CA in the chain of trust, is that
> sufficient?

In a strict sense, yes. However, I am not a fan of updating the operating systems CA store because:

* It assumes the user of Satellite is the 'root' user on the system running Satellite. (Many Satellites will be deployed in a multi-org configuration where this is not the case)

* It allows any other applications which use the OS' CA store to connect to any other website/service which is signed via the same CA (which may or may not be desirable)

* It is a workflow that I cannot drive via Satellite's UI (and the API & CLI). 

For these reasons I still favor having 'perform SSL Verification' as a property of the repository itself, allowing the user to toggle it on/off as per their needs.

Comment 7 Bryan Kearney 2016-01-15 13:06:04 UTC
Michael: Should I add a version of this to an upstream pulp bug? Seems like I need it in pulp first, then katello to expose it.

Comment 8 Michael Hrivnak 2016-01-15 20:54:37 UTC
Pulp already has both options. Per-repo, or even per-sync if you like, you can provide a CA cert to use for verification, or turn off SSL verification.

See the settings "ssl_ca_cert" and "ssl_verification"


+1 to all of Rich's comments in #5.

I think this is ready for katello to expose in the UI.

Comment 9 Bryan Kearney 2016-08-04 20:11:15 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 11 Justin Sherrill 2017-10-12 13:38:14 UTC
This is resolved upstream and will appear in satellite 6.3.0, re-aligning.  Feel free to correct any knob i pulled incorrectly :)

Comment 12 Peter Ondrejka 2017-12-06 15:21:02 UTC
Verified in Sat 6.3 snap 27, verify ssl option has been added to repository options.

Comment 15 errata-xmlrpc 2018-02-21 12:29:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.