Bug 1670276 - Unable to synchronise a repository that uses SSL certificates for authentication
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: 6.5.0
Assignee: Partha Aji
QA Contact: vijsingh
Duplicates: 1676670 1689852
Depends On:
Reported: 2019-01-29 06:49 UTC by Ashfaqur Rahaman
Modified: 2022-03-13 16:52 UTC (History)

Fixed In Version: tfm-rubygem-katello-
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-05-14 12:39:54 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 26032 | 0 | Normal | Closed | Unable to update certificates belonging to a repository | 2021-01-15 20:56:49 UTC
Red Hat Product Errata | RHSA-2019:1222 | 0 | None | None | None | 2019-05-14 12:40:02 UTC

Description Ashfaqur Rahaman 2019-01-29 06:49:30 UTC
Description of problem:

In Satellite 6.4, the customer is unable to sync a custom repository which uses a custom SSL certificate for authentication.

Version-Release number of selected component (if applicable):
Satellite 6.4 

How reproducible:

Steps to Reproduce:

1. Create a custom repository with a custom SSL certificate as mentioned in the documentation

2. Sync the repo 

Actual results:

Sync failed with the error below:
# hammer repository synchronize --id 53
[.....................................................] [100%]
No new packages.
Error: RPM1004: Error retrieving metadata: A connection error occurred

The log shows the error below:
Downloading metadata from https://<vendor repository>
Starting new HTTPS connection (1): <vendor repository>
ERROR: Skipping requests to <vendor repository> due to repeated connection failures: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)

Expected results:

Sync completed successfully.

Additional info:

- After creating the repository, we can check whether the custom SSL certs are being set for the repository:

foreman-rake console

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_ca_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_key"]


This shows:


Then the following from the foreman-rake console:
=> nil
=> nil
=> nil

This means no SSL certs were set for the custom repository, which is why it is failing.

- The customer can download the repomd.xml file using the custom SSL cert, which validates that the certs are correct:

curl -v --cert /path/to/product/certs/cert.crt --key /path/to/product/certs/cert.key --proxy https://proxy.domain:3128 https://vendor.url/path/7Server/x86_64/repodata/repomd.xml

Workaround:

This workaround is tested and working for now:
Satellite 6 : Unable to synchronise a repository that uses SSL client certificates for authentication 

After applying the workaround:

=> nil
=> "-----BEGIN CERTIFICATE-----......... <REMOVED>"
=> "-----BEGIN PRIVATE KEY-----......... <REMOVED>"

This shows the custom SSL certs were set for the repository.
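
The console check from the description, written as a reusable audit (an added example, not part of the original report and not Katello code): it takes a hash shaped like importers.first["config"] and reports whether the client certificate and key are set, parse as PEM, and belong together. The function names and the self-signed pair are constructed for illustration.

```ruby
require "openssl"

# Keys as they appear under importers.first["config"] in this report.
CLIENT_KEYS = %w[ssl_client_cert ssl_client_key].freeze

# Returns a list of problems in an importer config hash (empty list = OK).
# ssl_ca_cert is not flagged: the report shows it nil even after the workaround.
def audit_importer_ssl(config)
  missing = CLIENT_KEYS.select { |k| config[k].to_s.strip.empty? }
  return missing.map { |k| "#{k} is not set" } unless missing.empty?

  begin
    cert = OpenSSL::X509::Certificate.new(config["ssl_client_cert"])
    key  = OpenSSL::PKey.read(config["ssl_client_key"])
  rescue OpenSSL::OpenSSLError, ArgumentError => e
    return ["PEM does not parse: #{e.class}"]
  end

  # A cert paired with the wrong key also ends in a failed TLS handshake.
  return ["ssl_client_key does not match ssl_client_cert"] unless cert.check_private_key(key)
  []
end

# Constructed sample: a throwaway self-signed client cert and its key, as PEM.
def constructed_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-client")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $0
  pem_cert, pem_key = constructed_pair
  broken = { "ssl_ca_cert" => nil, "ssl_client_cert" => nil, "ssl_client_key" => nil }
  fixed  = { "ssl_ca_cert" => nil, "ssl_client_cert" => pem_cert, "ssl_client_key" => pem_key }
  puts "before workaround: #{audit_importer_ssl(broken).inspect}"
  puts "after workaround:  #{audit_importer_ssl(fixed).inspect}"
end
```

In foreman-rake console the same function can be given Katello::Repository.find(<REPO ID>).importers.first["config"] directly.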

Comment 5 Partha Aji 2019-02-12 01:32:24 UTC
Connecting redmine issue https://projects.theforeman.org/issues/26032 from this bug

Comment 6 Bryan Kearney 2019-02-14 23:06:44 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26032 has been resolved.

Comment 8 vijsingh 2019-03-18 09:40:10 UTC
ON_QA Verified @Satellite 6.5 snap 20.0

Steps/Observation :

1) Created a yum repo with SSL CA cert SSL certs/ SSL CA Cert/SSL Key entries
3) Get the backend identifier of this repo and able to see using pulp-admin.

Comment 11 Brad Buckingham 2019-03-25 20:22:09 UTC
*** Bug 1689852 has been marked as a duplicate of this bug. ***

Comment 12 Pavel Moravec 2019-04-20 11:08:01 UTC
*** Bug 1676670 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2019-05-14 12:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
