Description of problem:
In Satellite 6.4, Customer unable to sync custom repository which uses custom SSL Certificate for authentication

Version-Release number of selected component (if applicable):
Satellite 6.4

How reproducible:
100%

Steps to Reproduce:
1. Create a custom repository with custom SSL certificate as mentioned in the documentation
-----
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html-single/content_management_guide/#Importing_Custom_Content
-----
2. Sync the repo

Actual results:
Sync failed with the error below:
-----
# hammer repository synchronize --id 53
[.....................................................] [100%]
No new packages.
Error: RPM1004: Error retrieving metadata: A connection error occurred
-----

The log shows the error below:
-----
Downloading metadata from https://<vendor repository>
Starting new HTTPS connection (1): <vendor repository>
ERROR: Skipping requests to <vendor repository> due to repeated connection failures: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
-----

Expected results:
Sync completed successfully.

Additional info:

- After creating the repository, we can check if the custom SSL certs are being set for the repository:
-----
foreman-rake console
Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_ca_cert"]
Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_cert"]
Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_key"]
exit
-----

This shows:
-----
Then the following from the foreman-rake console:
Katello::Repository.find(53).importers.first["config"]["ssl_ca_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_key"]
=> nil
-----

Which means no SSL certs were set for the custom repository, for which it is failing.

- Customer can download the repomd.xml file using the custom SSL Cert, which validates the certs are correct:
-----
curl -v --cert /path/to/product/certs/cert.crt --key /path/to/product/certs/cert.key --proxy https://proxy.domain:3128 https://vendor.url/path/7Server/x86_64/repodata/repomd.xml
-----

Workaround:
This workaround is tested and working for now:
-----
Satellite 6 : Unable to synchronise a repository that uses SSL client certificates for authentication
https://access.redhat.com/solutions/3626731
-----

After applying the workaround:
-----
Katello::Repository.find(53).importers.first["config"]["ssl_ca_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_cert"]
=> "-----BEGIN CERTIFICATE-----......... <REMOVED>"
Katello::Repository.find(53).importers.first["config"]["ssl_client_key"]
=> "-----BEGIN PRIVATE KEY-----......... <REMOVED>"
-----

This shows the Custom SSL certs were set for the repository.
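The importer check from the description above, as an added Ruby example that is not part of the original report or of Katello: it audits a plain hash shaped like the importer config for unset TLS keys and for a client certificate/key pair that does not parse, does not match, or is outside its validity period. The helper names and the self-signed sample pair are constructed for illustration; only the three config key names come from the report.

```ruby
require "openssl"

# Importer config keys as they appear in the console output in the report.
TLS_KEYS = %w[ssl_ca_cert ssl_client_cert ssl_client_key].freeze

# Hypothetical helper: inspects one importer config hash and returns
# which TLS keys are unset plus any problem with the client cert/key pair.
def audit_importer_tls(config, now: Time.now)
  unset = TLS_KEYS.select { |k| config[k].to_s.strip.empty? }
  problems = []
  if unset.include?("ssl_client_cert") || unset.include?("ssl_client_key")
    problems << "client certificate and key are not both set"
    return { unset: unset, problems: problems }
  end
  begin
    cert = OpenSSL::X509::Certificate.new(config["ssl_client_cert"])
    key = OpenSSL::PKey.read(config["ssl_client_key"])
  rescue OpenSSL::OpenSSLError, ArgumentError => e
    return { unset: unset, problems: ["client cert/key is not valid PEM (#{e.class})"] }
  end
  problems << "ssl_client_key does not match ssl_client_cert" unless cert.check_private_key(key)
  problems << "ssl_client_cert is outside its validity period" unless (cert.not_before..cert.not_after).cover?(now)
  { unset: unset, problems: problems }
end

# Constructed sample material: a throwaway self-signed pair, not a real credential.
def sample_pair(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  cert_pem, key_pem = sample_pair("constructed-client")
  before = { "ssl_ca_cert" => nil, "ssl_client_cert" => nil, "ssl_client_key" => nil }
  after = before.merge("ssl_client_cert" => cert_pem, "ssl_client_key" => key_pem)
  p audit_importer_tls(before) # state shown before the workaround
  p audit_importer_tls(after)  # state shown after the workaround
end
```

In a foreman-rake console the hash passed in would be the `importers.first["config"]` value queried in the report.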
Connecting redmine issue https://projects.theforeman.org/issues/26032 from this bug
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26032 has been resolved.
ON_QA Verified @Satellite 6.5 snap 20.0

Steps/Observation:
1) Created a yum repo with SSL CA cert SSL certs/ SSL CA Cert/SSL Key entries
3) Get the backend identifier of this repo and able to see using pulp-admin.
*** Bug 1689852 has been marked as a duplicate of this bug. ***
*** Bug 1676670 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:1222