Bug 1689852 - Unable to synchronise a repository that uses SSL certificates for authentication
Summary: Unable to synchronise a repository that uses SSL certificates for authentication
Keywords:
Status: CLOSED DUPLICATE of bug 1670276
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: vijsingh
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-18 09:43 UTC by vijsingh
Modified: 2019-04-09 18:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-25 20:22:09 UTC
Target Upstream Version:
Embargoed:



Description vijsingh 2019-03-18 09:43:03 UTC
This bug was initially created as a copy of Bug #1670276

I am copying this bug because: 



Description of problem:

In Satellite 6.4, the customer is unable to sync a custom repository which uses a custom SSL certificate for authentication.

Version-Release number of selected component (if applicable):
Satellite 6.4 

How reproducible:
100% 

Steps to Reproduce:

1. Create a custom repository with a custom SSL certificate as mentioned in the documentation
-----
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html-single/content_management_guide/#Importing_Custom_Content
----- 

2. Sync the repo 


Actual results:

Sync failed with the error below:
----
# hammer repository synchronize --id 53
[.....................................................] [100%]
No new packages.
Error: RPM1004: Error retrieving metadata: A connection error occurred
-----

The log shows the error below:
-----
Downloading metadata from https://<vendor repository>
Starting new HTTPS connection (1): <vendor repository>
ERROR: Skipping requests to <vendor repository> due to repeated connection failures: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
------

Expected results:

Sync completed successfully.

Additional info:

- After creating the repository, we can check whether the custom SSL certs are being set for the repository:

-----
foreman-rake console

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_ca_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_cert"]

Katello::Repository.find(<REPO ID>).importers.first["config"]["ssl_client_key"]

exit
-------

This shows:

-------

Then the following from the foreman-rake console:
Katello::Repository.find(53).importers.first["config"]["ssl_ca_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_key"]
=> nil
--------

This means no SSL certs were set for the custom repository, which is why it is failing.

- The customer can download the repomd.xml file using the custom SSL cert, which validates that the certs are correct:

--------
curl -v --cert /path/to/product/certs/cert.crt --key /path/to/product/certs/cert.key --proxy https://proxy.domain:3128 https://vendor.url/path/7Server/x86_64/repodata/repomd.xml
---------


Workaround:

This workaround is tested and working for now:
----------
Satellite 6 : Unable to synchronise a repository that uses SSL client certificates for authentication 
https://access.redhat.com/solutions/3626731
----------


After applying the workaround:

-----------
Katello::Repository.find(53).importers.first["config"]["ssl_ca_cert"]
=> nil
Katello::Repository.find(53).importers.first["config"]["ssl_client_cert"]
=> "-----BEGIN CERTIFICATE-----......... <REMOVED>"
Katello::Repository.find(53).importers.first["config"]["ssl_client_key"]
=> "-----BEGIN PRIVATE KEY-----......... <REMOVED>"
--------------

This shows the Custom SSL certs were set for the repository.
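
The console check above, turned into a reusable audit, as an added example that is not part of the original report or of Katello: `audit_client_tls` and `sample_pair` are hypothetical names, and the certificate material is constructed. It goes beyond the nil check by also confirming that the key matches the certificate and that the certificate has not expired.

```ruby
require "openssl"

# Hypothetical helper, not part of Katello. Takes the importer "config" hash
# and returns a list of problems with its TLS client-authentication pair.
# ssl_ca_cert is left out: the report shows it nil even after the workaround.
def audit_client_tls(config)
  cert_pem = config["ssl_client_cert"].to_s
  key_pem  = config["ssl_client_key"].to_s
  problems = []
  problems << "ssl_client_cert is not set" if cert_pem.strip.empty?
  problems << "ssl_client_key is not set" if key_pem.strip.empty?
  return problems unless problems.empty?

  begin
    cert = OpenSSL::X509::Certificate.new(cert_pem)
    key  = OpenSSL::PKey.read(key_pem)
  rescue OpenSSL::OpenSSLError, ArgumentError => e
    return ["client cert or key does not parse (#{e.class})"]
  end
  problems << "ssl_client_key does not match ssl_client_cert" unless cert.check_private_key(key)
  problems << "ssl_client_cert expired on #{cert.not_after}" if cert.not_after < Time.now
  problems
end

# Constructed sample material: a throwaway self-signed certificate and key.
def sample_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-client")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  cert_pem, key_pem = sample_pair
  unset = { "ssl_ca_cert" => nil, "ssl_client_cert" => nil, "ssl_client_key" => nil }
  p audit_client_tls(unset)
  p audit_client_tls({ "ssl_client_cert" => cert_pem, "ssl_client_key" => key_pem })
end
```

In a foreman-rake console the hash to pass in is `Katello::Repository.find(<REPO ID>).importers.first["config"]`.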

