Bug 626451 - Consumer certificates are broken
Consumer certificates are broken
Status: CLOSED CURRENTRELEASE
Product: Pulp
Classification: Community
Component: z_other (Show other bugs)
unspecified
All Linux
low Severity urgent
: ---
: ---
Assigned To: Mike McCune
wes hayutin
:
: 624083 (view as bug list)
Depends On:
Blocks: verified-to-close
  Show dependency treegraph
 
Reported: 2010-08-23 11:23 EDT by Jay Dobies
Modified: 2011-08-16 10:20 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-08-16 10:20:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jay Dobies 2010-08-23 11:23:14 EDT
In the current implementation of consumer certificates, the certificate issued to the consumer has a CN of localhost. This is causing validation to fail, rendering all consumer operations using certificates broken. Below is the error that is seen:

[root@pulp httpd]# pulp-admin -u admin -p admin consumer list
Traceback (most recent call last):
  File "/usr/bin/pulp-admin", line 30, in <module>
    pulpcli.PulpCore().main()
  File "/usr/lib/python2.6/site-packages/pulp/client/pulpcli.py", line 108, in main
    cmd.main()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/basecore.py", line 110, in main
    self._do_core()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 116, in _do_core
    self._list()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 193, in _list
    cons = self.cconn.consumers()
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 308, in consumers
    return self.conn.request_get(method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 106, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 90, in _request
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 898, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 935, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 892, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 764, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 723, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 184, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected localhost, got pulp
Comment 1 Mike McCune 2010-08-23 11:49:28 EDT
Workaround:

just change the /etc/pulp/client.conf config:

[server]
host = localhost

to:

[server]
host = somebox.example.com

that said we should be able to do this pragmatically.
Comment 2 Pradeep Kilambi 2010-08-23 11:58:17 EDT
*** Bug 624083 has been marked as a duplicate of this bug. ***
Comment 3 Preethi Thomas 2010-08-23 13:42:44 EDT
hrm not sure the work around really works. ( I have mentioned that in the bug#620483)

Please see https://bugzilla.redhat.com/show_bug.cgi?id=624083 for more details.

[root@preethi conf.d]# cat /etc/pulp/client.conf
# The pulp server configuration
#     host : The pulp server
#     port : The port providing the RESTful API.
#   scheme : The protocol.
# interval : The agent update interval
[server]
host = preethi.usersys.redhat.com
port = 443
scheme = https
interval = 240

[root@preethi conf.d]# pulp-admin -u admin -p admin consumer list
Traceback (most recent call last):
  File "/usr/bin/pulp-admin", line 30, in <module>
    pulpcli.PulpCore().main()
  File "/usr/lib/python2.6/site-packages/pulp/client/pulpcli.py", line 108, in main
    cmd.main()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/basecore.py", line 110, in main
    self._do_core()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 116, in _do_core
    self._list()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 193, in _list
    cons = self.cconn.consumers()
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 308, in consumers
    return self.conn.request_get(method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 106, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 90, in _request
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 898, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 935, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 892, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 764, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 723, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 184, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected preethi.usersys.redhat.com, got preethi
Comment 4 Jay Dobies 2010-08-23 15:34:16 EDT
commit	f9a0c9e03aa773f5c3675d7b9064597096cfd1bd
tree	0ddeab0ae4f73f9d6f8faf3b59c30945af30da68


Removed the server cert/key from the pulp apache config. Let it default to whatever apache wants to use in ssl.conf.


etc/httpd/conf.d/pulp.conf 		diff | blob | history
etc/pki/pulp/server.crt 	[deleted file] 	blob | history
etc/pki/pulp/server.key         [deleted file] 	blob | history

-----

commit	ade78fe4e035e41c647dd9f5cd23f2ed124d6cc7
tree	1f427d777b32dccf18e618d5e9adf6ca39b13332	tree


626451 - better error messaging when the server cert missmatches


src/pulp/client/core/core_consumer.py 	

-----

The problem (which isn't actually a problem) is that the default apache certificates are being used. Those certificates are defaulted to the hostname of the box. The new error message (from the second commit mentioned above) should better explain what the issue is and how to fix it.
Comment 5 Mike McCune 2010-08-23 17:07:58 EDT
# pulp-client -u admin -p admin consumer create --id=some-consumer-id
ERROR: The server hostname you have configured in /etc/pulp/ does not match the
hostname returned from the Pulp server you are connecting to.  

You have: [localhost] configured but got: [gibson.pdx.redhat.com] from the server.

Either correct the host in /etc/pulp/ or specify --server=gibson.pdx.redhat.com
#
Comment 6 Preethi Thomas 2010-10-26 10:54:14 EDT
fails_qa

Looks the error message mentioned above is missing

[root@localhost ~]# pulp-client -u admin -p admin consumer bind --id=10.12.120.161 --repoid=repo-gpg

Traceback (most recent call last):
  File "/usr/bin/pulp-client", line 51, in <module>
    client.main()
  File "/usr/lib/python2.6/site-packages/pulp/client/cli/base.py", line 98, in main
    command.main(args[1:])
  File "/usr/lib/python2.6/site-packages/pulp/client/core/base.py", line 105, in main
    action.main(args[1:])
  File "/usr/lib/python2.6/site-packages/pulp/client/core/base.py", line 189, in main
    self.run()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/consumer.py", line 183, in run
    self.repolib.update()
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 67, in update
    return action.perform()
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 133, in perform
    for cont in self.getUniqueContent():
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 156, in getUniqueContent
    products = self.pulp.getProducts()
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 92, in getProducts
    consumer = self.capi.consumer(cid)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 391, in consumer
    consumer = self.conn.request_get(method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 143, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 126, in _request
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 874, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 911, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 868, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 740, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 699, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 184, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected 10.11.231.129, got preethi.usersys.redhat.com
Comment 7 Mike McCune 2010-10-29 17:33:58 EDT
looks like this got wiped out in the refactor we did a few sprints ago.

fixing
Comment 8 Jay Dobies 2010-11-03 15:35:27 EDT
Fixed in build 0.78.
Comment 9 Preethi Thomas 2011-01-13 14:01:12 EST
verified
[root@preethi ~]# rpm -q pulp
pulp-0.0.123-1.fc14.noarch

[root@preethi ~]# pulp-client -u admin -p admin consumer create --id=test
warning: this client is not registered; please register to continue
Successfully created consumer [ test ]


[server]
[root@preethi ~]# cat /etc/pulp/client.conf |grep host
#     host : The pulp server
host = localhost 
baseurl = https://localhost/pulp/repos

openssl x509 -text -in /etc/pki/tls/certs/localhost.crt | less


Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=preethi/emailAddress=root@preethi
Comment 10 Preethi Thomas 2011-08-16 10:20:19 EDT
Closing with Community Release 15

pulp-0.0.223-4.

Note You need to log in before you can comment on or make changes to this bug.