Created attachment 1070872
screenshot of issue in firefox

Description of problem:
I can't get secure access to the Red Hat repositories using the https url as specified on the repository.

Version-Release number of selected component (if applicable):
6.1.1 GA
Firefox 4.0.3 on Fedora 22

How reproducible:

Steps to Reproduce:
1. Get Red Hat product and repositories into satellite 6.1
2. Generate and download certificate
3. Import certificate into Firefox
4. Browse to repo's https url

Actual results:
403

Expected results:
A nice listing in my browser

Additional info:
In /var/log/http/foreman-ssl_access.log I get this:

172.16.1.1 - - [07/Sep/2015:10:54:40 +0200] "GET /pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os HTTP/1.1" 403 270 "https://sat61.lab1.local/pulp/repos/labs/Library/content/dist/rhel/server/7/7Server/x86_64/os" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"

See screenshot to see what I got in firefox
Can you please test this once 1259248 is being tested. I wonder if these are related to the same issue.
Based on testing with Satellite 6.2 Beta Snap 9.x, this appears to have been solved. I was able to 'download and generate' the debug certificate, import it into Firefox and then browse RH repos. I am going to move it ON_QA for verification.
We still face this issue while accessing the link via the URL.

[Mon May 23 14:58:10.883739 2016] [ssl:warn] [pid 37172] [client x.x.x.x:48152] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:11.474003 2016] [ssl:error] [pid 37172] [client x.x.x.x:48152] AH02261: Re-negotiation handshake failed: Not accepted by client!?
[Mon May 23 14:58:11.782800 2016] [ssl:warn] [pid 29840] [client x.x.x.x:48147] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN'
[Mon May 23 14:58:12.370481 2016] [ssl:error] [pid 29840] [client x.x.x.x:48147] AH02261: Re-negotiation handshake failed: Not accepted by client!?

TESTED with sat62-snap12.1
a) downloaded the "debug cert"
b) Imported it to the browser
c) While accessing the link via the browser we see the above messages in the log, /var/log/httpd/foreman-ssl_error_ssl.log
Followed the below procedure to import the certs to FF and chrome.

Generating a Debug Certificate

1) From the GUI within Katello do the following:
   a) Login as an administrator
   b) Click the Administer -> Organizations link in the upper left
   c) Find the Organization you imported your subscriptions and synced content to
   d) Click the "Debug certificate: [Generate and Download]" button. This would prompt for a download of a .pem file, save this locally.

You will get the Private Key and Certificate returned to you in a format such as:

Key:
-----BEGIN RSA PRIVATE KEY-----
<<<<DER ENCODED TEXT>>>>
-----END RSA PRIVATE KEY-----
Cert:
-----BEGIN CERTIFICATE-----
<<<<DER ENCODED TEXT>>>>
-----END CERTIFICATE-----

Using Firefox to browse content

If you wish to use the certificate to browse content via Firefox, do the following:

1) Copy the output of the above command from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem
2) Copy the output of the above command from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem
3) Run the following command to create a pkcs12 file:

   openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]

   Provide a password when prompted.
4) Using the preferences tab, import the resulting [NAME].pfx file into your browser (Edit -> Preferences -> Advanced Tab -> View Certificates -> Import [Import under "your certificates"])
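The manual copy steps in the procedure above can be scripted; the following is an added example, not part of the original comment or of Satellite. The function names `extract_pem_block` and `make_pfx` are hypothetical, and the script assumes the BEGIN/END marker lines sit on lines of their own in the downloaded .pem and that the private key is usable without a passphrase.

```shell
# Added example: split the downloaded debug-certificate .pem into key.pem and
# cert.pem, check that they belong together, then build the .pfx.
# Function names are illustrative, not part of Satellite or openssl.

# Copy every PEM block with label $2 from file $1 into file $3.
# The body runs in a subshell so the umask and variables stay local.
extract_pem_block() (
    src=$1 label=$2 out=$3
    umask 077    # output may hold a private key: owner-only permissions
    awk -v b="-----BEGIN $label-----" -v e="-----END $label-----" '
        { sub(/\r$/, "") }                # tolerate CRLF line endings
        $0 == b { on = 1 }
        on      { print }
        $0 == e { if (on) found = 1; on = 0 }
        END     { exit (found ? 0 : 1) }  # fail if no complete block was seen
    ' "$src" > "$out"
)

# Usage: make_pfx downloaded-debug-cert.pem NAME   (writes NAME.pfx)
make_pfx() (
    pem=$1 name=$2
    umask 077
    extract_pem_block "$pem" "RSA PRIVATE KEY" key.pem ||
        { echo "no RSA private key block in $pem" >&2; exit 1; }
    extract_pem_block "$pem" "CERTIFICATE" cert.pem ||
        { echo "no certificate block in $pem" >&2; exit 1; }
    # Refuse to package a key that does not belong to the certificate.
    key_pub=$(openssl pkey -in key.pem -pubout) || exit 1
    cert_pub=$(openssl x509 -in cert.pem -noout -pubkey) || exit 1
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "key.pem does not match cert.pem" >&2; exit 1; }
    # Same export command as step 3 above; openssl prompts for the password.
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export \
        -in cert.pem -inkey key.pem -out "$name.pfx" -name "$name"
)
```

The resulting .pfx and key.pem contain the private key, so delete key.pem once the import into the browser has succeeded.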
VERIFIED with sat62-snap12.1

We can now browse the content using the debug-cert and following the above procedure.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501
Yet another shameful Red Hat disgrace. WHAT IS THE POINT OF GIVING PEOPLE A .PEM FILE THAT CANNOT BE IMPORTED? WHY FORCE USERS TO CONVERT THE .PEM TO A .PFX FILE?? JUST PROVIDE THE CERTIFICATE IN .PFX FORM FOR CHRIST'S SAKE.
Every single thing Red Hat touches, they have to make as much of a pain in the ass as possible.