Bug 1339243 - repo auth turned off on installation
Summary: repo auth turned off on installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Justin Sherrill
QA Contact: Roman Plevka
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-24 13:03 UTC by Justin Sherrill
Modified: 2019-09-26 16:20 UTC (History)

Fixed In Version: katello-installer-base-3.0.0.42-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 11:16:39 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 13682 0 None None None 2016-05-24 14:08:55 UTC

Description Justin Sherrill 2016-05-24 13:03:13 UTC

Comment 1 Justin Sherrill 2016-05-24 13:03:15 UTC
Created from redmine issue http://projects.theforeman.org/issues/13682

Comment 2 Justin Sherrill 2016-05-24 13:03:18 UTC
Upstream bug assigned to jsherril

Comment 3 Justin Sherrill 2016-05-24 13:06:27 UTC
Repo authentication was turned off due to a Candlepin bug https://bugzilla.redhat.com/show_bug.cgi?id=1242310

Now that that is fixed, it needs to be turned back on. What does this mean?

Currently in 6.2 beta, when a client requests access to a repo on the main Satellite server, as long as the cert it presents is valid (signed by the CA) it is allowed access. It doesn't need to have a valid entitlement or anything like that (it could even present its own identity cert).

It was never turned off on the capsule, only on the main Satellite server.

Comment 5 Bryan Kearney 2016-05-24 16:17:47 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/13682 has been closed

Comment 6 Roman Plevka 2016-07-18 16:11:32 UTC
VERIFIED
on sat6.2. snap20.2

<pre>

# curl -v --key /etc/pki/katello/qpid_router_client.key --cert /etc/pki/katello/qpid_router_client.crt https://sat6.server.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/
* About to connect() to sat6.server.com port 443 (#0)
*   Trying 10.16.186.63... connected
* Connected to sat6.server.com (10.16.186.63) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate from file
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
* 	start date: Jul 11 08:51:15 2016 GMT
* 	expire date: Jul 13 08:51:15 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,ST=North Carolina,C=US
* 	start date: Jul 11 08:53:24 2016 GMT
* 	expire date: Jul 13 08:53:24 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
> GET /pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: sat6.server.com
> Accept: */*
> 
* NSS: client certificate from file
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
* 	start date: Jul 11 08:51:15 2016 GMT
* 	expire date: Jul 13 08:51:15 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
* NSS: client certificate from file
* 	subject: CN=sat6.server.com,OU=SomeOrgUnit,O=dispatch client,ST=North Carolina,C=US
* 	start date: Jul 11 08:51:15 2016 GMT
* 	expire date: Jul 13 08:51:15 2036 GMT
* 	common name: sat6.server.com
* 	issuer: CN=sat6.server.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
< HTTP/1.1 403 FORBIDDEN
< Date: Mon, 18 Jul 2016 16:03:09 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 0
< Vary: Accept-Encoding
< Content-Type: text/html; charset=utf-8
< 
* Connection #0 to host sat6.server.com left intact
* Closing connection #0

</pre>

Using organization debug certificate:

<pre>
$ curl -k --cert ~/Downloads/Default\ Organization-key-cert.pem https://sat6.server.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/ | head -n20
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Pulp Repository Index</title>
</head>
<body>
    <h1>Pulp Repository Content</h1>
    <a href="../">Parent Directory</a>
    <ul style='list-style: none outside none; font-family: monospace'>
            <li><a href="repodata/">repodata/</a></li>
            <li><a href="389-ds-base-1.3.1.6-25.el7.x86_64.rpm">389-ds-base-1.3.1.6-25.el7.x86_64.rpm</a></li>
            <li><a href="389-ds-base-1.3.1.6-26.el7_0.x86_64.rpm">389-ds-base-1.3.1.6-26.el7_0.x86_64.rpm</a></li>

</pre>
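
The verification in comment 6 as a repeatable check (an added example, not part of the bug report or of Satellite): it requests the repo URL with a CA-signed certificate that carries no entitlement and with the organization debug certificate, then classifies the two HTTP statuses. The URL and the identity cert/key paths are taken from the transcripts above; `DEBUG_CERT` and the `--probe` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: repeatable form of the check in comment 6.
# URL and identity cert/key defaults come from the transcripts above;
# DEBUG_CERT is a hypothetical location for the organization debug certificate.
URL="${URL:-https://sat6.server.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/os/}"
IDENT_CERT="${IDENT_CERT:-/etc/pki/katello/qpid_router_client.crt}"
IDENT_KEY="${IDENT_KEY:-/etc/pki/katello/qpid_router_client.key}"
DEBUG_CERT="${DEBUG_CERT:-./org-debug-key-cert.pem}"

# probe_status CERT [KEY]: print the HTTP status for URL ("000" if no response).
# The server certificate is validated against curl's default CA bundle.
probe_status() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' --cert "$1" --key "$2" "$URL"
    else
        curl -s -o /dev/null -w '%{http_code}' --cert "$1" "$URL"
    fi
}

# repo_auth_verdict NO_ENTITLEMENT_STATUS DEBUG_CERT_STATUS
# Returns 0 = enforced, 1 = repo auth is off, 2 = inconclusive.
repo_auth_verdict() {
    case "$1:$2" in
        000:*|*:000) echo "INCONCLUSIVE: no HTTP response"; return 2 ;;
        403:200) echo "PASS: repo auth enforced"; return 0 ;;
        200:*)   echo "FAIL: CA-signed cert without entitlement was served content"; return 1 ;;
        403:403) echo "INCONCLUSIVE: debug cert also rejected, check cert and path"; return 2 ;;
        *)       echo "INCONCLUSIVE: unexpected statuses $1/$2"; return 2 ;;
    esac
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--probe" ]; then
    ident=$(probe_status "$IDENT_CERT" "$IDENT_KEY") || true
    debug=$(probe_status "$DEBUG_CERT") || true
    repo_auth_verdict "${ident:-000}" "${debug:-000}"
fi
```

Run it with `--probe` on a host that holds both certificates; exit status 1 corresponds to the condition described in comment 3.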

Comment 7 Bryan Kearney 2016-07-27 11:16:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

