Bug 1339243 - repo auth turned off on installation
Summary: repo auth turned off on installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Justin Sherrill
QA Contact: Roman Plevka
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-24 13:03 UTC by Justin Sherrill
Modified: 2019-09-26 16:20 UTC (History)

Fixed In Version: katello-installer-base-3.0.0.42-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 11:16:39 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 13682 0 None None None 2016-05-24 14:08:55 UTC

Description Justin Sherrill 2016-05-24 13:03:13 UTC

Comment 1 Justin Sherrill 2016-05-24 13:03:15 UTC
Created from redmine issue http://projects.theforeman.org/issues/13682

Comment 2 Justin Sherrill 2016-05-24 13:03:18 UTC
Upstream bug assigned to jsherril

Comment 3 Justin Sherrill 2016-05-24 13:06:27 UTC
Repo authentication was turned off due to a Candlepin bug: https://bugzilla.redhat.com/show_bug.cgi?id=1242310

Now that that is fixed, it needs to be turned back on. What does this mean?

Currently in 6.2 beta, when a client requests access to a repo on the main Satellite server, as long as the cert it presents is valid (signed by the CA) it is allowed access. It doesn't need to have a valid entitlement or anything like that (it could even present its own identity cert).

It was never turned off on the capsule, only the main satellite server.

Comment 5 Bryan Kearney 2016-05-24 16:17:47 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/13682 has been closed

Comment 6 Roman Plevka 2016-07-18 16:11:32 UTC
VERIFIED
on sat6.2. snap20.2

<pre>

# curl -v --key /etc/pki/katello/qpid_router_client.key --cert /etc/pki/katello/qpid_router_client.crt https://sat6.server.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/
* About to connect() to sat6.server.com port 443 (#0)
*   Trying 10.16.186.63... connected
* Connected to sat6.server.com (10.16.186.63) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate from file
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
* 	start date: Jul 11 08:51:15 2016 GMT
* 	expire date: Jul 13 08:51:15 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,ST=North Carolina,C=US
* 	start date: Jul 11 08:53:24 2016 GMT
* 	expire date: Jul 13 08:53:24 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
> GET /pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: sat6.server.com
> Accept: */*
> 
* NSS: client certificate from file
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
* 	start date: Jul 11 08:51:15 2016 GMT
* 	expire date: Jul 13 08:51:15 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
* NSS: client certificate from file
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
* 	start date: Jul 11 08:51:15 2016 GMT
* 	expire date: Jul 13 08:51:15 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
< HTTP/1.1 403 FORBIDDEN
< Date: Mon, 18 Jul 2016 16:03:09 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 0
< Vary: Accept-Encoding
< Content-Type: text/html; charset=utf-8
< 
* Connection #0 to host sat6.server.com left intact
* Closing connection #0

</pre>

Using organization debug certificate:

<pre>
$ curl -k --cert ~/Downloads/Default\ Organization-key-cert.pem https://sat6.server.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/ | head -n20
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Pulp Repository Index</title>
</head>
<body>
    <h1>Pulp Repository Content</h1>
    <a href="../">Parent Directory</a>
    <ul style='list-style: none outside none; font-family: monospace'>
            <li><a href="repodata/">repodata/</a></li>
            <li><a href="389-ds-base-1.3.1.6-25.el7.x86_64.rpm">389-ds-base-1.3.1.6-25.el7.x86_64.rpm</a></li>
            <li><a href="389-ds-base-1.3.1.6-26.el7_0.x86_64.rpm">389-ds-base-1.3.1.6-26.el7_0.x86_64.rpm</a></li>

</pre>
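
Added example, not part of the bug thread and not Pulp or Katello code: a simplified model of the two access decisions discussed above, the chain-only check described in comment 3 and the entitlement path check that the 403/200 results in comment 6 reflect. The certificate dicts, the `content_urls` field and the `$releasever`/`$basearch` template form are assumptions made for illustration.

```python
import re

# Request path from the curl commands in comment 6, relative to /pulp/repos.
REQUEST = "/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/"

# Constructed stand-ins for parsed client certificates (assumed shape).
# "content_urls" models the content paths an entitlement certificate carries;
# an identity certificate carries none.
IDENTITY_CERT = {"ca_signed": True, "content_urls": []}
ENTITLED_CERT = {
    "ca_signed": True,
    "content_urls": [
        "/Default_Organization/Library/content/dist/rhel/server/7/$releasever/$basearch/os"
    ],
}
FOREIGN_CERT = {"ca_signed": False, "content_urls": ENTITLED_CERT["content_urls"]}


def template_to_regex(template):
    """Turn an entitled content URL into a regex; $variables match one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        parts.append(r"[^/]+" if seg.startswith("$") else re.escape(seg))
    # Anchor on a segment boundary so ".../os-other/" is not covered by ".../os".
    return re.compile("^/" + "/".join(parts) + "(/.*)?$")


def authorize_chain_only(cert, path):
    """Repo auth off: any certificate signed by the CA is served, whatever the path."""
    return cert["ca_signed"]


def authorize_with_repo_auth(cert, path):
    """Repo auth on: the certificate must also entitle the requested path."""
    if not cert["ca_signed"]:
        return False
    if ".." in path.split("/"):  # refuse traversal out of an entitled tree
        return False
    return any(template_to_regex(t).match(path) for t in cert["content_urls"])


def status(allowed):
    """Map the decision to the HTTP status seen in the curl output."""
    return 200 if allowed else 403
```
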

Comment 7 Bryan Kearney 2016-07-27 11:16:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

