It looks to be similar to the nss/curl issues we saw a few weeks ago. This was done using RHEL 6.1 images in Amazon:

-----------
AMI ID: ami-5ef90237
AMI Label: 309956199498/RHEL-6.1-Starter-EBS-x86_64-4.1-Access

[root@cds-1 rhui-1.2-5Server-i386]# cat /etc/issue
Red Hat Enterprise Linux Server release 6.1 (Santiago)

RPM Versions:
nss-3.12.9-9.el6.x86_64
curl-7.19.7-26.el6_1.1.x86_64
libcurl-7.19.7-26.el6_1.1.x86_64

-----------

I used a base RHUI install with the following versions:
Pulp: 0.208
RHUI Tools: 2.0.38
Grinder: 0.105

RHUI Manager generated an "identity" certificate the CDS uses to connect to the RHUA. This certificate is munged by RHUI Manager to remove the PKCS8 issues we saw previously. Snippet from the cert:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA2DYRVNYjgHvMX0/+usy64usHQpIug1qazPPFWPFSuwacgU4m

I am able to use wget to download the repomd.xml file from the Pulp server to the CDS, which means a number of things aren't an issue: the content is successfully in place, SSL is set up correctly, authentication isn't a problem, the CDS can resolve the server at "rhua", firewalls aren't in the way, etc.

The issue is that grinder and curl cannot sync from the Pulp server (RHUA) to the CDS. It's still likely NSS/curl related, but I'm not sure of why this is once again an issue.

I attached the output below of running with grinder, wget, and curl.

Using Grinder:

[root@cds-1 grinder]# grinder yum --label jdob -U https://rhua//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os --cacert /etc/pki/content/rhui-1.2-5Server-i386/consumer-rhui-1.2-5Server-i386.ca --cert /etc/pki/content/rhui-1.2-5Server-i386/consumer-rhui-1.2-5Server-i386.cert
grinder.RepoFetch: INFO fetchYumRepo() basepath = ./
grinder.RepoFetch: INFO Fetching repo metadata...
grinder.RepoFetch: ERROR Caught exception when trying to fetch content from [https://rhua//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os]: Cannot retrieve repository metadata (repomd.xml) for repository: jdob. Please verify its path and try again
Traceback (most recent call last):
  File "/usr/bin/grinder", line 23, in <module>
    GrinderCLI.CLI().main()
  File "/usr/lib/python2.6/site-packages/grinder/GrinderCLI.py", line 415, in main
    cmd.main()
  File "/usr/lib/python2.6/site-packages/grinder/GrinderCLI.py", line 59, in main
    self._do_command()
  File "/usr/lib/python2.6/site-packages/grinder/GrinderCLI.py", line 263, in _do_command
    self.yfetch.fetchYumRepo()
  File "/usr/lib/python2.6/site-packages/grinder/RepoFetch.py", line 460, in fetchYumRepo
    self.yumFetch.getRepoData()
  File "/usr/lib/python2.6/site-packages/grinder/RepoFetch.py", line 139, in getRepoData
    for ftype in self.getRepoXmlFileTypes():
  File "/usr/lib/python2.6/site-packages/grinder/RepoFetch.py", line 124, in getRepoXmlFileTypes
    return self.repo.repoXML.fileTypes()
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1454, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1450, in _getRepoXML
    raise Errors.RepoError, msg
yum.Errors.RepoError: Cannot retrieve repository metadata (repomd.xml) for repository: jdob. Please verify its path and try again

Using wget:

[root@cds-1 grinder]# wget --ca-certificate /etc/pki/content/rhui-1.2-5Server-i386/consumer-rhui-1.2-5Server-i386.ca --certificate /etc/pki/content/rhui-1.2-5Server-i386/consumer-rhui-1.2-5Server-i386.cert https://rhua//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os/repodata/repomd.xml
--2011-07-25 13:54:21-- https://rhua//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os/repodata/repomd.xml
Resolving rhua... 10.118.22.17
Connecting to rhua|10.118.22.17|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1610 (1.6K) [text/xml]
Saving to: “repomd.xml.1”

100%[================================================>] 1,610 --.-K/s in 0s

2011-07-25 13:54:21 (40.1 MB/s) - “repomd.xml.1” saved [1610/1610]

[root@cds-1 grinder]#

Using curl:

[root@cds-1 grinder]# curl -v https://rhua//pulp/repos/content/dist/rhel/rhui/server/5Server/i386/rhui/1.2/os/repodata/repomd.xml --cacert /etc/pki/content/rhui-1.2-5Server-i386/consumer-rhui-1.2-5Server-i386.ca --cert /etc/pki/content/rhui-1.2-5Server-i386/consumer-rhui-1.2-5Server-i386.cert
* About to connect() to rhua port 443 (#0)
* Trying 10.118.22.17... connected
* Connected to rhua (10.118.22.17) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/content/rhui-1.2-5Server-i386/consumer-rhui-1.2-5Server-i386.ca
  CApath: none
* NSS error -8054
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
[root@cds-1 grinder]#

False alarm (mostly).

The "NSS error -8054" corresponds to the serial number of the certificate being blacklisted for some reason. In this case, that number was 2. I'm not sure why it was blacklisted since it was a fresh install, but I'm also not too worried unless we start to see this regularly.

The workaround was to:
- Delete the identity certificates on RHUI Manager (/etc/pki/rhui/identity.*).
- Restart RHUI Manager, which will generate new identity certificates.
- Use pulp-admin to add those certs to repos. This isn't something that's supported by RHUI Manager but may be added in the future.
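
NSS's secerr.h defines error -8054 as SEC_ERROR_REUSED_ISSUER_AND_SERIAL: two different certificates carry the same issuer and serial number. The following is an added example (not part of the original report, and not RHUI or Pulp code) that scans PEM certificates for that collision; the sample certificates are constructed DER skeletons, and the names `example-ca`, `cds-old` and `cds-new` are placeholders.

```python
import base64, hashlib, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(der):
    """Extract (issuer Name bytes, serial) from a DER X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate SEQUENCE
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] version precedes the serial
        tag, value, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(value, "big")
    _, _, pos = read_tlv(tbs, pos)          # skip signature AlgorithmIdentifier
    _, issuer, _ = read_tlv(tbs, pos)
    return issuer, serial

def find_reuse(pem_blobs):
    """Return (serial, sha256_a, sha256_b) per pair of different certs sharing issuer+serial."""
    seen, reused = {}, []
    for blob in pem_blobs:
        for b64 in PEM_RE.findall(blob):
            der = base64.b64decode(b64)
            key, digest = issuer_and_serial(der), hashlib.sha256(der).hexdigest()
            if seen.setdefault(key, digest) != digest:
                reused.append((key[1], seen[key], digest))
    return reused

# --- constructed sample data: DER skeletons with only the fields parsed above ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths suffice here

def sample_pem(issuer_cn, serial, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    der = tlv(0x30, tlv(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    pems = [sample_pem(b"example-ca", 2, b"cds-old"), sample_pem(b"example-ca", 2, b"cds-new")]
    for serial, a, b in find_reuse(pems):
        print(f"serial {serial} reused under one issuer: {a[:16]} vs {b[:16]}")
```

On a real system, pass the byte contents of the previously issued and the regenerated certificate files to `find_reuse`.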