Bug 1689852 - Unable to synchronise a repository that uses SSL certificates for authentication
Summary: Unable to synchronise a repository that uses SSL certificates for authentication
Status: CLOSED DUPLICATE of bug 1670276
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Repositories
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: vijsingh
Depends On:
Reported: 2019-03-18 09:43 UTC by vijsingh
Modified: 2019-04-09 18:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-03-25 20:22:09 UTC
Target Upstream Version:


Description vijsingh 2019-03-18 09:43:03 UTC
This bug was initially created as a copy of Bug #1670276

I am copying this bug because: 

Description of problem:

In Satellite 6.4, the customer is unable to sync a custom repository that uses a custom SSL certificate for authentication.

Version-Release number of selected component (if applicable):
Satellite 6.4 

How reproducible:

Steps to Reproduce:

1. Create a custom repository with a custom SSL certificate as mentioned in the documentation

2. Sync the repo 

Actual results:

Sync failed with the error below:
# hammer repository synchronize --id 53
[.....................................................] [100%]
No new packages.
Error: RPM1004: Error retrieving metadata: A connection error occurred

The log shows the error below:
Downloading metadata from https://<vendor repository>
Starting new HTTPS connection (1): <vendor repository>
ERROR: Skipping requests to <vendor repository> due to repeated connection failures: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)

Expected results:

Sync completed successfully.

Additional info:

- After creating the repository, we can check whether the custom SSL certs are being set for the repository:

foreman-rake console

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_ca_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_key"]


This shows:


Then the following from the foreman-rake console:
=> nil
=> nil
=> nil

This means no SSL certs were set for the custom repository, which is why it is failing.

- The customer can download the repomd.xml file using the custom SSL cert, which validates that the certs are correct:

curl -v --cert /path/to/product/certs/cert.crt --key /path/to/product/certs/cert.key --proxy https://proxy.domain:3128 https://vendor.url/path/7Server/x86_64/repodata/repomd.xml

Workaround:

This workaround is tested and working for now:
Satellite 6 : Unable to synchronise a repository that uses SSL client certificates for authentication 

After applying the workaround:

=> nil
=> "-----BEGIN CERTIFICATE-----......... <REMOVED>"
=> "-----BEGIN PRIVATE KEY-----......... <REMOVED>"

This shows the custom SSL certs were set for the repository.
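
The console check described in this report, as an added example that is not part of the original report or of Katello's own code: a Ruby helper that takes the importer config hash and reports which of the three SSL fields are set and whether the client key matches the client certificate, without printing the key. The names audit_importer_ssl and constructed_pair are hypothetical, and the certificate pair is constructed for the demonstration.

```ruby
require "openssl"
require "digest"

SSL_KEYS = %w[ssl_ca_cert ssl_client_cert ssl_client_key].freeze

# Summarise an importer config hash without echoing certificate or key text.
def audit_importer_ssl(config)
  report = SSL_KEYS.map do |name|
    value = config[name]
    [name, value.nil? || value.strip.empty? ? :missing : :present]
  end.to_h
  pair = report.values_at("ssl_client_cert", "ssl_client_key")
  return report unless pair.all? { |state| state == :present }

  cert = OpenSSL::X509::Certificate.new(config["ssl_client_cert"])
  key = OpenSSL::PKey.read(config["ssl_client_key"])
  report["key_matches_cert"] = cert.check_private_key(key)
  report["cert_expired"] = cert.not_after < Time.now
  # A fingerprint is safe to log and lets you compare against the file on disk.
  report["cert_sha256"] = Digest::SHA256.hexdigest(cert.to_der)
  report
rescue OpenSSL::OpenSSLError => e
  # Malformed PEM in either field: report the error class, never the content.
  report.merge("parse_error" => e.class.name)
end

# Constructed sample input: a throwaway self-signed client cert and its key.
def constructed_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-client")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  cert_pem, key_pem = constructed_pair
  # State seen in the bug: all three fields nil.
  p audit_importer_ssl(SSL_KEYS.map { |k| [k, nil] }.to_h)
  # State after the workaround: client cert and key set, CA cert still nil.
  p audit_importer_ssl("ssl_ca_cert" => nil, "ssl_client_cert" => cert_pem,
                       "ssl_client_key" => key_pem)
end
```

In foreman-rake console the argument would be the hash returned by Katello::Repository.find(<REPO ID>).importers.first["config"].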
