Bug 727564 - CDS sync fails if global repo auth certs exist on pulp-server
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: nodes
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: Sprint 27
Assignee: Jeff Ortel
QA Contact: Preethi Thomas
Reported: 2011-08-02 13:21 UTC by John Matthews
Modified: 2012-02-24 20:12 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-02-24 20:12:01 UTC


Description John Matthews 2011-08-02 13:21:09 UTC
Description of problem:

I was unable to perform a successful CDS sync when I had existing global repo auth certs on my pulp-server. The CDS would attempt to sync using bad global repo certs and sync would fail. When I looked at the certs used on CDS side I saw the content of the cert was bad. Content of the cert was its filename.

So '/etc/pki/content/pulp-global-repo.cert' had content of '/etc/pki/content/pulp-global-repo.cert' and not expected cert data.

It looked like the pulp-server was sending out the global_cert_bundle with the filename and not the contents of the cert.



Pulp-server had global repo certs in key/cert format:
/etc/pki/content/BACKUP/pulp-global-repo.{ca,key.cert}
Note:  These were older certs from a few months ago.

Pulp-server was sending below on sync call:
gofer.messaging.policy:INFO: policy:116 sent (cds-pulp-cds):
{
  "classname": "cdsplugin", 
  "kws": {}, 
  "args": [
    {
      "repos": [
        {
          "name": "jwm_test", 
          "publish": true, 
          "relative_path": "repo_resync", 
          "source": {
            "url": "http://jmatthews.fedorapeople.org/repo_resync/", 
            "type": "remote"
          }, 
          "_id": "jwm_test", 
          "arch": "noarch", 
          "id": "jwm_test"
        }
      ], 
      "repo_base_url": "https://jwm-devel.home//pulp/repos", 
      "repo_cert_bundles": {
        "jwm_test": null
      }, 
      "cluster_id": null, 
      "cluster_members": null, 
      "server_ca_cert": null, 
      "global_cert_bundle": {
        "ca": "/etc/pki/content/pulp-global-repo.ca", 
        "cert": "/etc/pki/content/pulp-global-repo.cert"
      }
    }
  ], 
  "method": "sync"
}

I removed the global repo auth certs on pulp-server, and CDS syncs worked.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. On pulp-server create cert for /etc/pki/content/pulp-global-repo.cert 
2. On pulp-server create ca for /etc/pki/content/pulp-global-repo.ca
3. On pulp-server disable global repo auth
4. Initiate a CDS sync
  
Actual results:
Observe CDS sync fails, further on CDS side the contents of: /etc/pki/content/pulp-global-repo.cert is incorrect, it is the filename and not actual SSL cert data.

Expected results:
CDS sync succeeds.

Additional info:
My setup with global repo auth was old, prior to when we moved from key/cert to just a cert.  Possibly what I am seeing is a result of working with an old setup?

Comment 1 Jeff Ortel 2011-08-26 13:47:03 UTC
Updated to send ca/cert bundle contents instead of file paths.
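
A receiver-side check for the failure reported above, in which cert fields of the sync message carried file paths rather than certificate contents. This is an added example, not Pulp's code: the function names `pem_problem` and `check_sync_args` are hypothetical, the field names are taken from the sync message in the report, and the sample PEM is constructed.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s(.+?)-----END CERTIFICATE-----", re.S)

def pem_problem(value):
    """Return None if value holds PEM certificate data, else a reason."""
    if not isinstance(value, str):
        return "not a string"
    bodies = PEM_RE.findall(value)
    if not bodies:
        if value.startswith("/") and "\n" not in value.strip():
            return "file path sent instead of certificate contents"
        return "no PEM certificate block"
    for body in bodies:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            return "PEM body is not valid base64"
    return None

def check_sync_args(args):
    """Map each non-null cert field of one sync 'args' entry to its problem."""
    fields = {"server_ca_cert": args.get("server_ca_cert")}
    for key, value in (args.get("global_cert_bundle") or {}).items():
        fields["global_cert_bundle." + key] = value
    for repo_id, bundle in (args.get("repo_cert_bundles") or {}).items():
        for key, value in (bundle or {}).items():
            fields["repo_cert_bundles.%s.%s" % (repo_id, key)] = value
    checked = {n: pem_problem(v) for n, v in fields.items() if v is not None}
    return {name: why for name, why in checked.items() if why}

# Cert fields copied from the sync message in the report above.
REPORTED_ARGS = {
    "repo_cert_bundles": {"jwm_test": None},
    "server_ca_cert": None,
    "global_cert_bundle": {
        "ca": "/etc/pki/content/pulp-global-repo.ca",
        "cert": "/etc/pki/content/pulp-global-repo.cert",
    },
}

# Constructed placeholder: PEM framing around dummy bytes, not a real cert.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder").decode()
              + "\n-----END CERTIFICATE-----\n")
```

Running `check_sync_args` before any cert file is written lets the receiver reject the message instead of installing a file whose content is its own path.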

Comment 2 Jeff Ortel 2011-08-26 20:09:32 UTC
build: 0.228

Comment 3 Preethi Thomas 2011-08-30 18:27:34 UTC
verified
[root@pulp-f15 ~]# rpm -q pulp
pulp-0.0.228-1.fc15.noarch
[root@pulp-f15 ~]# 


[root@pulp-f15 ~]# pulp-admin auth enable_global_repo_auth --ca=/root/certs/ca1.crt --cert=/root/certs/pulp-f14.crt --key=/root/certs/ca1.key 
Global repository authentication enabled

[root@pulp-f15 ~]# pulp-admin cds sync --hostname=pulp-cds.usersys.redhat.com
Sync for CDS [pulp-cds.usersys.redhat.com] started
Use "cds status" to check on the progress

[root@pulp-f15 ~]# pulp-admin cds status --hostname=pulp-cds.usersys.redhat.com
+------------------------------------------+
                 CDS Status
+------------------------------------------+

Name                	pulp-cds.usersys.redhat.com
Hostname            	pulp-cds.usersys.redhat.com
Description         	None                     
Cluster             	None                     
Sync Schedule       	None                     
Repos               	None                     
Last Sync           	2011-08-30 15:24:36-04:00
Status:
   Responding       	Yes                      
   Last Heartbeat   	2011-08-30 19:24:33.996168+00:00

+------------------------------------------+
           Most Recent Sync Tasks
+------------------------------------------+

State               	Finished                 
Start Time          	2011-08-30 15:24:36-04:00
Finish Time         	2011-08-30 15:24:36-04:00

[root@pulp-f15 ~]# pulp-admin auth disable_global_repo_auth
Global repository authentication disabled

[root@pulp-f15 ~]# pulp-admin cds sync --hostname=pulp-cds.usersys.redhat.com
Sync for CDS [pulp-cds.usersys.redhat.com] started
Use "cds status" to check on the progress

[root@pulp-f15 ~]# pulp-admin cds status --hostname=pulp-cds.usersys.redhat.com
+------------------------------------------+
                 CDS Status
+------------------------------------------+

Name                	pulp-cds.usersys.redhat.com
Hostname            	pulp-cds.usersys.redhat.com
Description         	None                     
Cluster             	None                     
Sync Schedule       	None                     
Repos               	None                     
Last Sync           	2011-08-30 15:26:17-04:00
Status:
   Responding       	Yes                      
   Last Heartbeat   	2011-08-30 19:26:24.309619+00:00

+------------------------------------------+
           Most Recent Sync Tasks
+------------------------------------------+

State               	Finished                 
Start Time          	2011-08-30 15:26:17-04:00
Finish Time         	2011-08-30 15:26:17-04:00

[root@pulp-f15 ~]#

Comment 4 Preethi Thomas 2012-02-24 20:12:01 UTC
Pulp v1.0 is released
Closed Current Release.
