In the current implementation of consumer certificates, the certificate issued to the consumer has a CN of localhost. This is causing validation to fail, rendering all consumer operations using certificates broken. Below is the error that is seen:

[root@pulp httpd]# pulp-admin -u admin -p admin consumer list
Traceback (most recent call last):
  File "/usr/bin/pulp-admin", line 30, in <module>
    pulpcli.PulpCore().main()
  File "/usr/lib/python2.6/site-packages/pulp/client/pulpcli.py", line 108, in main
    cmd.main()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/basecore.py", line 110, in main
    self._do_core()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 116, in _do_core
    self._list()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 193, in _list
    cons = self.cconn.consumers()
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 308, in consumers
    return self.conn.request_get(method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 106, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 90, in _request
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 898, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 935, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 892, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 764, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 723, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 184, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected localhost, got pulp
Workaround: just change the /etc/pulp/client.conf config:

[server]
host = localhost

to:

[server]
host = somebox.example.com

That said, we should be able to do this pragmatically.
*** Bug 624083 has been marked as a duplicate of this bug. ***
hrm, not sure the workaround really works. (I have mentioned that in the bug#620483) Please see https://bugzilla.redhat.com/show_bug.cgi?id=624083 for more details.

[root@preethi conf.d]# cat /etc/pulp/client.conf
# The pulp server configuration
# host : The pulp server
# port : The port providing the RESTful API.
# scheme : The protocol.
# interval : The agent update interval
[server]
host = preethi.usersys.redhat.com
port = 443
scheme = https
interval = 240

[root@preethi conf.d]# pulp-admin -u admin -p admin consumer list
Traceback (most recent call last):
  File "/usr/bin/pulp-admin", line 30, in <module>
    pulpcli.PulpCore().main()
  File "/usr/lib/python2.6/site-packages/pulp/client/pulpcli.py", line 108, in main
    cmd.main()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/basecore.py", line 110, in main
    self._do_core()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 116, in _do_core
    self._list()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/core_consumer.py", line 193, in _list
    cons = self.cconn.consumers()
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 308, in consumers
    return self.conn.request_get(method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 106, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 90, in _request
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 898, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 935, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 892, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 764, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 723, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 184, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected preethi.usersys.redhat.com, got preethi
commit f9a0c9e03aa773f5c3675d7b9064597096cfd1bd
tree 0ddeab0ae4f73f9d6f8faf3b59c30945af30da68

Removed the server cert/key from the pulp apache config. Let it default to whatever apache wants to use in ssl.conf.

etc/httpd/conf.d/pulp.conf
etc/pki/pulp/server.crt [deleted file]
etc/pki/pulp/server.key [deleted file]

-----

commit ade78fe4e035e41c647dd9f5cd23f2ed124d6cc7
tree 1f427d777b32dccf18e618d5e9adf6ca39b13332

tree 626451 - better error messaging when the server cert mismatches

src/pulp/client/core/core_consumer.py

-----

The problem (which isn't actually a problem) is that the default apache certificates are being used. Those certificates are defaulted to the hostname of the box. The new error message (from the second commit mentioned above) should better explain what the issue is and how to fix it.
# pulp-client -u admin -p admin consumer create --id=some-consumer-id
ERROR: The server hostname you have configured in /etc/pulp/ does not match the hostname returned from the Pulp server you are connecting to. You have: [localhost] configured but got: [gibson.pdx.redhat.com] from the server. Either correct the host in /etc/pulp/ or specify --server=gibson.pdx.redhat.com
#
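The hostname check behind the tracebacks in this thread, as an added example that is not part of the original bug report and is not Pulp or M2Crypto code. It goes beyond the CN-only comparison shown above by also handling subjectAltName entries, wildcards and IP literals; the function names and the certificate dicts (shaped like the output of Python's ssl.SSLSocket.getpeercert()) are assumptions constructed for illustration.

```python
# Added illustration, not Pulp or M2Crypto code. Certificate dicts mimic the
# shape of ssl.SSLSocket.getpeercert() and are constructed samples.
import ipaddress

def cert_names(cert):
    """Return (dns_names, ip_names, common_names) from a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def check_server_host(cert, configured_host, conf_path="/etc/pulp/client.conf"):
    """Return None on a match, else a message in the spirit of the thread's new error."""
    dns, ips, cns = cert_names(cert)
    try:
        want = ipaddress.ip_address(configured_host)
    except ValueError:
        want = None
    if want is not None:
        # An IP literal must match an IP SAN; it never matches a DNS name or a CN.
        ok = any(ipaddress.ip_address(i) == want for i in ips)
    else:
        # dNSName SANs take precedence; the CN is only a legacy fallback.
        candidates = dns if dns else cns
        ok = any(_dns_match(c, configured_host) for c in candidates)
    if ok:
        return None
    got = (dns or cns or ips or ["<no name in certificate>"])[0]
    return ("The server hostname configured in %s does not match the certificate "
            "presented by the server. You have: [%s] configured but got: [%s]. "
            "Either correct the host or specify --server=%s"
            % (conf_path, configured_host, got, got))

# Constructed certificates for the three mismatches reported in this thread.
CERT_PULP = {"subject": ((("commonName", "pulp"),),)}
CERT_SHORT = {"subject": ((("commonName", "preethi"),),)}
CERT_FQDN = {"subject": ((("commonName", "preethi.usersys.redhat.com"),),)}
```

With these samples, `check_server_host(CERT_FQDN, "10.11.231.129")` fails for the same reason as the later traceback in this thread: a certificate that names only a hostname cannot validate a connection addressed by IP.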
fails_qa

Looks like the error message mentioned above is missing.

[root@localhost ~]# pulp-client -u admin -p admin consumer bind --id=10.12.120.161 --repoid=repo-gpg
Traceback (most recent call last):
  File "/usr/bin/pulp-client", line 51, in <module>
    client.main()
  File "/usr/lib/python2.6/site-packages/pulp/client/cli/base.py", line 98, in main
    command.main(args[1:])
  File "/usr/lib/python2.6/site-packages/pulp/client/core/base.py", line 105, in main
    action.main(args[1:])
  File "/usr/lib/python2.6/site-packages/pulp/client/core/base.py", line 189, in main
    self.run()
  File "/usr/lib/python2.6/site-packages/pulp/client/core/consumer.py", line 183, in run
    self.repolib.update()
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 67, in update
    return action.perform()
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 133, in perform
    for cont in self.getUniqueContent():
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 156, in getUniqueContent
    products = self.pulp.getProducts()
  File "/usr/lib/python2.6/site-packages/pulp/client/repolib.py", line 92, in getProducts
    consumer = self.capi.consumer(cid)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 391, in consumer
    consumer = self.conn.request_get(method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 143, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.6/site-packages/pulp/client/connection.py", line 126, in _request
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 874, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 911, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 868, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 740, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 699, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 184, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected 10.11.231.129, got preethi.usersys.redhat.com
looks like this got wiped out in the refactor we did a few sprints ago. fixing
Fixed in build 0.78.
verified

[root@preethi ~]# rpm -q pulp
pulp-0.0.123-1.fc14.noarch
[root@preethi ~]# pulp-client -u admin -p admin consumer create --id=test
warning: this client is not registered; please register to continue
Successfully created consumer [ test ]
[server]
[root@preethi ~]# cat /etc/pulp/client.conf |grep host
# host : The pulp server
host = localhost
baseurl = https://localhost/pulp/repos

openssl x509 -text -in /etc/pki/tls/certs/localhost.crt | less
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=preethi/emailAddress=root@preethi
Closing with Community Release 15 pulp-0.0.223-4.