Bug 1260560 - https access to red hat repositories using debug certificate doesn't work
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Kedar Bidarkar
Reported: 2015-09-07 09:14 UTC by Fred van Zwieten
Modified: 2023-11-06 03:13 UTC (History)

Doc Type: Bug Fix
Last Closed: 2016-07-27 11:20:51 UTC



Description Fred van Zwieten 2015-09-07 09:14:48 UTC
Created attachment 1070872
screenshot of issue in firefox

Description of problem:
I can't get secure access to the Red Hat repositories using the https url as specified on the repository.

Version-Release number of selected component (if applicable):
6.1.1 GA
Firefox 4.0.3 on Fedora 22

How reproducible:


Steps to Reproduce:
1. Get Red Hat product and repositories into satellite 6.1 
2. Generate and download certificate
3. Import certificate into Firefox
4. Browse to repo's https url

Actual results:
403

Expected results:
A nice listing in my browser

Additional info:
In /var/log/http/foreman-ssl_access.log I get this:
172.16.1.1 - - [07/Sep/2015:10:54:40 +0200] "GET /pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os HTTP/1.1" 403 270 "https://sat61.lab1.local/pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"

See screenshot to see what I got in firefox

Comment 3 Bryan Kearney 2015-09-24 12:54:14 UTC
Can you please test this once 1259248 is being tested. I wonder if these are related to the same issue.

Comment 6 Brad Buckingham 2016-05-02 19:14:30 UTC
Based on testing with Satellite 6.2 Beta Snap 9.x, this appears to have been solved.  I was able to 'download and generate' the debug certificate, import it into Firefox and then browse RH repos.

I am going to move it ON_QA for verification.

Comment 7 Kedar Bidarkar 2016-05-23 19:13:28 UTC
We still face this issue while accessing the link via the URL.

[Mon May 23 14:58:10.883739 2016] [ssl:warn] [pid 37172] [client x.x.x.x:48152] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:11.474003 2016] [ssl:error] [pid 37172] [client x.x.x.x:48152] AH02261: Re-negotiation handshake failed: Not accepted by client!?
[Mon May 23 14:58:11.782800 2016] [ssl:warn] [pid 29840] [client x.x.x.x:48147] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:12.370481 2016] [ssl:error] [pid 29840] [client x.x.x.x:48147] AH02261: Re-negotiation handshake failed: Not accepted by client!?

TESTED with sat62-snap12.1

a) downloaded the "debug cert"
b) Imported it to the browser
c) While accessing the link via the browser we see the above messages in the log,
/var/log/httpd/foreman-ssl_error_ssl.log

Comment 9 Kedar Bidarkar 2016-05-23 20:05:30 UTC
Followed the below procedure to import the certs to FF and chrome.

Generating a Debug Certificate

1) From the GUI within Katello do the following:

a) Login as an administrator
b) Click the Administer -> Organizations link in the upper left
c) Find the Organization you imported your subscriptions and synced content to
d) Click the "Debug certificate: [Generate and Download]" button. This would prompt for a download of a .pem file, save this locally.

You will get the Private Key and Certificate returned to you in a format such as :

Key:  -----BEGIN RSA PRIVATE KEY-----
<<<<DER ENCODED TEXT>>>>
-----END RSA PRIVATE KEY-----

Cert: -----BEGIN CERTIFICATE-----
<<<<DER ENCODED TEXT>>>>
-----END CERTIFICATE-----

Using Firefox to browse content

If you wish to use the certificate to browse content via Firefox, do the following:

1) Copy the output of the above command from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem

2) Copy the output of the above command from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem

3) Run the following command to create a pkcs12 file:
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]
    Provide a password when prompted.

4) Using the preferences tab, import the resulting [NAME].pfx file into your browser (Edit->Preferences->Advanced Tab -> View Certificates -> Import [Import under "your certificates"] )
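
Added example, not part of the original comment or of Satellite itself: a script that automates steps 1 to 3 of the procedure above, splitting the downloaded .pem into key.pem and cert.pem, confirming that the key belongs to the certificate, and then running the same pkcs12 command. The function names and the script name are hypothetical; it assumes the bundle uses the "Key:" / "Cert:" layout shown above.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print one PEM block from the bundle, dropping any "Key: " / "Cert: " prefix
# that precedes the BEGIN marker on the same line.
extract_block() {  # $1 = PEM label, $2 = bundle file
    awk -v label="$1" '
        index($0, "-----BEGIN " label "-----") { on = 1; sub(/^.*-----BEGIN /, "-----BEGIN ") }
        on { print }
        index($0, "-----END " label "-----") { on = 0 }
    ' "$2"
}

# Write key.pem and cert.pem into $2; fail if either block is missing.
split_debug_pem() {  # $1 = downloaded bundle, $2 = output directory
    (
        umask 077  # private key readable by the owner only
        extract_block "RSA PRIVATE KEY" "$1" > "$2/key.pem"
        extract_block "CERTIFICATE" "$1" > "$2/cert.pem"
    )
    [ -s "$2/key.pem" ] && [ -s "$2/cert.pem" ]
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = key.pem, $2 = cert.pem
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage: sh make_pfx.sh <downloaded.pem> <NAME>   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    workdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$workdir"' EXIT  # do not leave the unencrypted key behind
    split_debug_pem "$1" "$workdir" || { echo "key or certificate block not found" >&2; exit 1; }
    key_matches_cert "$workdir/key.pem" "$workdir/cert.pem" || { echo "key does not match certificate" >&2; exit 1; }
    # Same pkcs12 command as in the procedure; openssl prompts for the export password.
    ( umask 077
      openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export \
          -in "$workdir/cert.pem" -inkey "$workdir/key.pem" -out "$2.pfx" -name "$2" )
fi
```

The resulting [NAME].pfx is what step 4 imports into the browser.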

Comment 10 Kedar Bidarkar 2016-05-23 20:07:40 UTC
VERIFIED with sat62-snap12.1


We can now browse the content using the debug-cert and following the above procedure.

Comment 11 Bryan Kearney 2016-07-27 11:20:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

Comment 13 John 2023-11-06 03:09:22 UTC
Yet another shameful Red Hat disgrace.

WHAT IS THE POINT OF GIVING PEOPLE A .PEM FILE THAT CANNOT BE IMPORTED?

WHY FORCE USERS TO CONVERT THE .PEM TO A .PFX FILE??


JUST PROVIDE THE CERTIFICATE IN .PFX FORM FOR CHRISTS SAKE.

Comment 14 John 2023-11-06 03:13:44 UTC
Every single thing Red Hat touches, they have to make as much of a pain in the ass as possible.

