Bug 1260560 - https access to red hat repositories using debug certificate doesn't work
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Repositories
6.1.1
Unspecified Unspecified
unspecified Severity high
: GA
: --
Assigned To: satellite6-bugs
Kedar Bidarkar
: Triaged
Reported: 2015-09-07 05:14 EDT by Fred van Zwieten
Modified: 2017-08-22 07:40 EDT

Doc Type: Bug Fix
Last Closed: 2016-07-27 07:20:51 EDT
Type: Bug

Attachments
screenshot of issue in firefox (38.75 KB, image/png)
2015-09-07 05:14 EDT, Fred van Zwieten

Description Fred van Zwieten 2015-09-07 05:14:48 EDT
Created attachment 1070872
screenshot of issue in firefox

Description of problem:
I can't get secure access to the Red Hat repositories using the https URL as specified on the repository.

Version-Release number of selected component (if applicable):
6.1.1 GA
Firefox 4.0.3 on Fedora 22

How reproducible:


Steps to Reproduce:
1. Get Red Hat product and repositories into satellite 6.1 
2. Generate and download certificate
3. Import certificate into Firefox
4. Browse to repo's https url

Actual results:
403

Expected results:
A nice listing in my browser

Additional info:
In /var/log/http/foreman-ssl_access.log I get this:
172.16.1.1 - - [07/Sep/2015:10:54:40 +0200] "GET /pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os HTTP/1.1" 403 270 "https://sat61.lab1.local/pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"

See screenshot to see what I got in firefox
Comment 3 Bryan Kearney 2015-09-24 08:54:14 EDT
Can you please test this once 1259248 is being tested. I wonder if these are related to the same issue.
Comment 6 Brad Buckingham 2016-05-02 15:14:30 EDT
Based on testing with Satellite 6.2 Beta Snap 9.x, this appears to have been solved. I was able to 'download and generate' the debug certificate, import it into Firefox and then browse RH repos.

I am going to move it ON_QA for verification.
Comment 7 Kedar Bidarkar 2016-05-23 15:13:28 EDT
We still face this issue while accessing the link via the URL.

[Mon May 23 14:58:10.883739 2016] [ssl:warn] [pid 37172] [client x.x.x.x:48152] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:11.474003 2016] [ssl:error] [pid 37172] [client x.x.x.x:48152] AH02261: Re-negotiation handshake failed: Not accepted by client!?
[Mon May 23 14:58:11.782800 2016] [ssl:warn] [pid 29840] [client x.x.x.x:48147] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:12.370481 2016] [ssl:error] [pid 29840] [client x.x.x.x:48147] AH02261: Re-negotiation handshake failed: Not accepted by client!?

TESTED with sat62-snap12.1

a) downloaded the "debug cert"
b) Imported it to the browser
c) While accessing the link via the browser we see the above messages in the log,
/var/log/httpd/foreman-ssl_error_ssl.log
Comment 9 Kedar Bidarkar 2016-05-23 16:05:30 EDT
Followed the below procedure to import the certs to FF and chrome.

Generating a Debug Certificate

1) From the GUI within Katello do the following:

a) Login as an administrator
b) Click the Administer -> Organizations link in the upper left
c) Find the Organization you imported your subscriptions and synced content to
d) Click the "Debug certificate: [Generate and Download]" button. This would prompt for a download of a .pem file, save this locally. 

You will get the Private Key and Certificate returned to you in a format such as:

Key:  -----BEGIN RSA PRIVATE KEY-----
<<<<DER ENCODED TEXT>>>>
-----END RSA PRIVATE KEY-----

Cert: -----BEGIN CERTIFICATE-----
<<<<DER ENCODED TEXT>>>>
-----END CERTIFICATE-----

Using Firefox to browse content

If you wish to use the certificate to browse content via Firefox, do the following:

1) Copy the output of the above command from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem

2) Copy the output of the above command from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem

3) Run the following command to create a pkcs12 file:
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]
    Provide a password when prompted.

4) Using the preferences tab, import the resulting [NAME].pfx file into your browser (Edit->Preferences->Advanced Tab -> View Certificates -> Import [Import under "your certificates"] )
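
Steps 1 to 3 of the procedure above as a script, added here as an example and not part of the bug report or of Satellite. It strips the "Key:" / "Cert:" prefixes when splitting the bundle, keeps key.pem at mode 0600, and checks that the key matches the certificate before export. The function names and the sample bundle are constructed for illustration; the pkcs12 command is the one given in the comment.

```shell
#!/bin/sh
# extract_pem_block LABEL FILE: print the first PEM block with that label.
# Text before the BEGIN marker on its line (the "Key:  " / "Cert: " prefixes
# shown in the procedure) and stray whitespace or CRs are dropped.
extract_pem_block() {
    awk -v label="$1" '
        BEGIN { b = "-----BEGIN " label "-----"; e = "-----END " label "-----" }
        !inblk && index($0, b) { inblk = 1; print b; next }
        !inblk { next }
        index($0, e) { print e; found = 1; exit }
        { gsub(/[ \t\r]/, ""); if ($0 != "") print }
        END { exit !found }' "$2"
}

# split_debug_cert BUNDLE OUTDIR: write OUTDIR/key.pem and OUTDIR/cert.pem
# (mode 0600); returns non-zero and leaves no partial files on failure.
split_debug_cert() {
    ( umask 077
      extract_pem_block "RSA PRIVATE KEY" "$1" > "$2/key.pem" &&
      extract_pem_block "CERTIFICATE" "$1" > "$2/cert.pem"
    ) || { rm -f "$2/key.pem" "$2/cert.pem"; return 1; }
}

# key_matches_cert DIR: succeed only if the RSA key and the certificate
# share the same modulus, i.e. the key really belongs to this certificate.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/key.pem" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$1/cert.pem" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pfx NAME DIR: the pkcs12 command from the procedure; openssl prompts
# for the export password.
make_pfx() {
    key_matches_cert "$2" || { echo "key and certificate do not match" >&2; return 1; }
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export \
        -in "$2/cert.pem" -inkey "$2/key.pem" -out "$2/$1.pfx" -name "$1"
}

# sample_bundle: constructed placeholder input, not a real key or certificate.
sample_bundle() {
    cat <<'EOF'
Key:  -----BEGIN RSA PRIVATE KEY-----
AAAAconstructedKeyBodyAAAA
-----END RSA PRIVATE KEY-----

Cert: -----BEGIN CERTIFICATE-----
AAAAconstructedCertBodyAAAA
-----END CERTIFICATE-----
EOF
}
```

With a real download, run `split_debug_cert debug-cert.pem .` followed by `make_pfx NAME .`, then delete key.pem once the .pfx has been imported.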
Comment 10 Kedar Bidarkar 2016-05-23 16:07:40 EDT
VERIFIED with sat62-snap12.1


We can now browse the content using the debug-cert and following the above procedure.
Comment 11 Bryan Kearney 2016-07-27 07:20:51 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501
