Bug 1670276 - Unable to synchronise a repository that uses SSL certificates for authentication
Summary: Unable to synchronise a repository that uses SSL certificates for authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Repositories
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: 6.5.0
Assignee: Partha Aji
QA Contact: vijsingh
URL:
Whiteboard:
Duplicates: 1676670 1689852
Depends On:
Blocks:
Reported: 2019-01-29 06:49 UTC by Ashfaqur Rahaman
Modified: 2019-11-05 22:44 UTC (History)

Fixed In Version: tfm-rubygem-katello-3.10.0.28-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-14 12:39:54 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1222 None None None 2019-05-14 12:40:02 UTC
Foreman Issue Tracker 26032 'Normal' 'Closed' 'Unable to update certificates belonging to a repository' 2019-11-13 16:34:04 UTC

Description Ashfaqur Rahaman 2019-01-29 06:49:30 UTC
Description of problem:

In Satellite 6.4, the customer is unable to sync a custom repository which uses a custom SSL certificate for authentication.

Version-Release number of selected component (if applicable):
Satellite 6.4 

How reproducible:
100% 

Steps to Reproduce:

1. Create a custom repository with a custom SSL certificate as mentioned in the documentation
-----
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html-single/content_management_guide/#Importing_Custom_Content
----- 

2. Sync the repo 


Actual results:

Sync failed with the error below:
----
# hammer repository synchronize --id 53
[.....................................................] [100%]
No new packages.
Error: RPM1004: Error retrieving metadata: A connection error occurred
-----

The log shows the error below:
-----
Downloading metadata from https://<vendor repository>
Starting new HTTPS connection (1): <vendor repository>
ERROR: Skipping requests to <vendor repository> due to repeated connection failures: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
------

Expected results:

Sync completed successfully.

Additional info:

- After creating the repository, we can check whether the custom SSL certs are being set for the repository:

-----
foreman-rake console

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_ca_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_key"]

exit
-------

This shows:

-------

Then the following from the foreman-rake console:
Katello::Repository.find(53).importers.first["config"]["ssl_ca_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_key"]
=> nil
--------

Which means no SSL certs were set for the custom repository, which is why it is failing.

- Customer can download the repomd.xml file using the custom SSL cert, which validates that the certs are correct:

--------
curl -v --cert /path/to/product/certs/cert.crt --key /path/to/product/certs/cert.key --proxy https://proxy.domain:3128 https://vendor.url/path/7Server/x86_64/repodata/repomd.xml
---------


Workaround:

This workaround is tested and working for now:
----------
Satellite 6 : Unable to synchronise a repository that uses SSL client certificates for authentication 
https://access.redhat.com/solutions/3626731
----------


After applying the workaround:

-----------
Katello::Repository.find(53).importers.first["config"]["ssl_ca_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_cert"]
=> "-----BEGIN CERTIFICATE-----......... <REMOVED>"
Katello::Repository.find(53).importers.first["config"]["ssl_client_key"]
=> "-----BEGIN PRIVATE KEY-----......... <REMOVED>"
--------------

This shows the custom SSL certs were set for the repository.
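
The console check from the description, extended as an added example (not part of the original report and not Katello code): given a hash shaped like `importers.first["config"]`, it reports which TLS fields are unset and whether the stored client certificate and key parse and belong together. `audit_importer_tls`, `pair_status` and `sample_pair` are hypothetical names, and the certificate and key are constructed sample data.

```ruby
require "openssl"

# Keys exactly as they appear in the importer config quoted in this report.
TLS_KEYS = %w[ssl_ca_cert ssl_client_cert ssl_client_key].freeze

# Hypothetical helper: classify a PEM client cert / private key pair.
def pair_status(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  return :mismatch unless cert.check_private_key(key)
  cert.not_after < Time.now ? :expired : :ok
rescue OpenSSL::OpenSSLError, ArgumentError
  :unparseable # stored value is not valid PEM or is truncated
end

# Hypothetical helper: takes a hash shaped like importers.first["config"]
# and reports which TLS fields are unset and the state of client auth.
def audit_importer_tls(config)
  unset = TLS_KEYS.select { |k| config[k].to_s.strip.empty? }
  client = %w[ssl_client_cert ssl_client_key]
  status =
    case (client & unset).size
    when 2 then :absent      # the all-nil state shown before the workaround
    when 1 then :incomplete  # only one half of the pair was stored
    else pair_status(*config.values_at(*client))
    end
  { unset: unset, client_auth: status }
end

# Constructed sample data: a throwaway RSA key and self-signed certificate.
def sample_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-sample")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

cert_pem, key_pem = sample_pair
before = { "ssl_ca_cert" => nil, "ssl_client_cert" => nil, "ssl_client_key" => nil }
after  = before.merge("ssl_client_cert" => cert_pem, "ssl_client_key" => key_pem)
p audit_importer_tls(before)
p audit_importer_tls(after)
```

On a Satellite host the input hash would come from the `foreman-rake console` expression quoted above.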

Comment 5 Partha Aji 2019-02-12 01:32:24 UTC
Connecting redmine issue https://projects.theforeman.org/issues/26032 from this bug

Comment 6 Bryan Kearney 2019-02-14 23:06:44 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26032 has been resolved.

Comment 8 vijsingh 2019-03-18 09:40:10 UTC
ON_QA Verified @Satellite 6.5 snap 20.0

Steps/Observation :

1) Created a yum repo with SSL CA cert SSL certs/ SSL CA Cert/SSL Key entries
3) Get the backend identifier of this repo and able to see using pulp-admin.

Comment 11 Brad Buckingham 2019-03-25 20:22:09 UTC
*** Bug 1689852 has been marked as a duplicate of this bug. ***

Comment 12 Pavel Moravec 2019-04-20 11:08:01 UTC
*** Bug 1676670 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2019-05-14 12:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222

