Created from redmine issue http://projects.theforeman.org/issues/13682
Upstream bug assigned to jsherril
Repo authentication was turned off due to a candlepin bug, https://bugzilla.redhat.com/show_bug.cgi?id=1242310. Now that that is fixed, it needs to be turned back on. What does this mean? Currently in 6.2 beta, when a client requests access to a repo on the main satellite server, as long as the cert it presents is valid (signed by the CA) it is allowed access. It doesn't need to have a valid entitlement or anything like that (it could even present its own identity cert). It was never turned off on the capsule, only the main satellite server.
Moving to POST since upstream bug http://projects.theforeman.org/issues/13682 has been closed
VERIFIED on sat6.2. snap20.2

<pre>
# curl -v --key /etc/pki/katello/qpid_router_client.key --cert /etc/pki/katello/qpid_router_client.crt https://sat6.server.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/
* About to connect() to sat6.server.com port 443 (#0)
*   Trying 10.16.186.63... connected
* Connected to sat6.server.com (10.16.186.63) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate from file
*   subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
*   start date: Jul 11 08:51:15 2016 GMT
*   expire date: Jul 13 08:51:15 2036 GMT
*   common name: sat6.server.com
*   issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,ST=North Carolina,C=US
*   start date: Jul 11 08:53:24 2016 GMT
*   expire date: Jul 13 08:53:24 2036 GMT
*   common name: sat6.server.com
*   issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
> GET /pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: sat6.server.com
> Accept: */*
>
* NSS: client certificate from file
*   subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
*   start date: Jul 11 08:51:15 2016 GMT
*   expire date: Jul 13 08:51:15 2036 GMT
*   common name: sat6.server.com
*   issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
* NSS: client certificate from file
*   subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
*   start date: Jul 11 08:51:15 2016 GMT
*   expire date: Jul 13 08:51:15 2036 GMT
*   common name: sat6.server.com
*   issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
< HTTP/1.1 403 FORBIDDEN
< Date: Mon, 18 Jul 2016 16:03:09 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 0
< Vary: Accept-Encoding
< Content-Type: text/html; charset=utf-8
<
* Connection #0 to host sat6.server.com left intact
* Closing connection #0
</pre>

Using organization debug certificate:

<pre>
$ curl -k --cert ~/Downloads/Default\ Organization-key-cert.pem https://sat6.server.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/ | head -n20
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Pulp Repository Index</title>
</head>
<body>
<h1>Pulp Repository Content</h1>
<a href="../">Parent Directory</a>
<ul style='list-style: none outside none; font-family: monospace'>
<li><a href="repodata/">repodata/</a></li>
<li><a href="389-ds-base-1.3.1.6-25.el7.x86_64.rpm">389-ds-base-1.3.1.6-25.el7.x86_64.rpm</a></li>
<li><a href="389-ds-base-1.3.1.6-26.el7_0.x86_64.rpm">389-ds-base-1.3.1.6-26.el7_0.x86_64.rpm</a></li>
</pre>
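Added example, not part of the original bug thread or of the Satellite/Katello code: a script that repeats the two requests above and fails unless the CA-signed but non-entitled certificate is refused with 403 while the entitled one is served. The function names, the optional `CA_BUNDLE` variable and the combined key-plus-certificate PEM arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: regression check that Pulp repo authentication is enforced.
# Usage: sh check_repo_auth.sh REPO_URL NON_ENTITLED_PEM ENTITLED_PEM
# Each PEM is assumed to hold the private key and certificate together.
# Set CA_BUNDLE to the server's CA certificate if it is not in the system store.

# Print only the HTTP status of a GET made with the given client certificate.
# curl prints 000 when the connection or TLS handshake fails.
http_status() {
    # $1 = repo URL, $2 = combined key+cert PEM
    curl -s -o /dev/null -w '%{http_code}' \
        ${CA_BUNDLE:+--cacert "$CA_BUNDLE"} --cert "$2" "$1"
}

# Decide the outcome from the two observed status codes.
# $1 = status seen with the CA-signed, non-entitled certificate
# $2 = status seen with the entitled (e.g. organization debug) certificate
verdict() {
    case "$1:$2" in
        403:200) echo "ENFORCED" ;;      # the result shown in the verification
        200:200) echo "OPEN" ;;          # any CA-signed cert can read content
        *:200)   echo "DENIED_OTHER" ;;  # refused, but not with a 403
        *)       echo "INCONCLUSIVE" ;;  # entitled cert failed: fix setup first
    esac
}

main() {
    denied=$(http_status "$1" "$2")
    allowed=$(http_status "$1" "$3")
    result=$(verdict "$denied" "$allowed")
    echo "non-entitled=$denied entitled=$allowed => $result"
    [ "$result" = "ENFORCED" ]
}

# Run the check only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Checking that the entitled certificate still gets 200 keeps a server that is down or rejecting every client from being reported as enforcing authentication.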
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501