Description of problem: /etc/pulp/server.conf contains: [tasks] broker_url: qpid://localhost:5671 celery_require_ssl: true cacert: /etc/pki/katello/certs/katello-default-ca.crt keyfile: /etc/pki/katello/qpid_client_striped.crt certfile: /etc/pki/katello/qpid_client_striped.crt However, pulp tries to connect to the IP and then claims the certificate doesn't match - the certificate DOES have a `localhost` CN. Sep 10 14:42:06 katello-centos7-bats.example.com pulp[24219]: pulp.server.async.scheduler:ERROR: Connection hostname '127.0.0.1' does not match names from peer certificate: ['katello-centos7-bats.example.com', 'localhost', u'katello-centos7-bats.example.com'] Version-Release number of selected component (if applicable): python-celery-3.1.11-1.el7.noarch pulp-docker-plugins-1.0.1-1.el7.noarch python-isodate-0.5.0-4.pulp.el7.noarch pulp-nodes-common-2.6.2-1.el7.noarch python-kombu-3.0.24-8.pulp.el7.noarch python-pulp-docker-common-1.0.1-1.el7.noarch pulp-server-2.6.2-1.el7.noarch python-pulp-rpm-common-2.6.2-1.el7.noarch python-rhsm-1.8.0-2.pulp.el7.x86_64 python-pulp-bindings-2.6.2-1.el7.noarch python-pulp-puppet-common-2.6.2-1.el7.noarch pulp-rpm-plugins-2.6.2-1.el7.noarch pulp-katello-0.4-3.el7.noarch rubygem-smart_proxy_pulp-1.0.1-2.el7.noarch python-pulp-common-2.6.2-1.el7.noarch pulp-selinux-2.6.2-1.el7.noarch pulp-puppet-plugins-2.6.2-1.el7.noarch pulp-puppet-tools-2.6.2-1.el7.noarch pulp-nodes-parent-2.6.2-1.el7.noarch How reproducible: Always Steps to Reproduce: 1. Configure pulp to connect to broker on localhost 2. Restart everything Actual results: Celery tries 127.0.0.1 for broker connection Expected results: Should use localhost Additional info:
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
The commit associated with the upstream issue create 3.0.24-10. The commit should cherry pick cleanly on the upstream 3.0.24-9 release of python-kombu. If there are any issues applying the cherry pick, NEEDSINFO me.
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Moving this to POST. Please verify once 2.7 or greater is incorporated into the build.
Verified this issue on Sat 6.2 snap 8.1 I see that pulp is trying to connect to localhost and not to IP: ERROR: ("Connection hostname 'localhost' does not match names from peer certificate: ['qeblade36.rhq.lab.eng.bos.redhat.com', u'qeblade36.rhq.lab.eng.bos.redhat.com']",) But I see still error related to this change of broker url to 'localhost' as above and also this: Apr 15 07:21:38 qeblade36 pulp: celery.worker.consumer:ERROR: (25749-58496) consumer: Cannot connect to qpid://localhost:5671//: ("Connection hostname 'localhost' does not match names from peer certificate: ['qeblade36.rhq.lab.eng.bos.redhat.com', u'qeblade36.rhq.lab.eng.bos.redhat.com']",). And as per my opinion, these errors looks out of contest of this bug. And the main issue of connecting to localhost is solved. Please feel free to reopen the bug, if I am wrong.
Moving this to Assigned. I further explore the impacts and I see that enabling Redhat Repos is failing with error - ' There was an issue with the backend service pulp: No pulp workers running.' due to see this change. And I believe this change is blocking and impacting the satelltie server as pulp workers are not running. So changing this to 'Failed QA'
Ah sorry, this probably should've just been marked as a dev task and not QE'd. It was just a bug fix in an underlying library that's needed for another BZ. I think you can mark this VERIFIED. Your test did verify the change worked. Previously, if you put localhost as the qpid URL, pulp would replace it with 127.0.0.1 and do all the SSL verification against that. Your test shows it's keeping the 'localhost' name. The certificate issue is totally expected. https://bugzilla.redhat.com/show_bug.cgi?id=1252573 is where we'll change the default to connect to localhost and update the certificates.
Moving this to verified as per comment 14 from Stephen. Thanks Stephen for the explanation.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501