Hello, current version of Katello installer deploys several certificates, which are currently not uses by this backend engine. The complete list can be found here: https://fedorahosted.org/katello/wiki/Certificates#Katellopuppetinstallergenerates (chapter "Katello puppet installer generates") The idea is Katello (and it's installer) will generate all necesarry certificates for all backend engines. All will be signed with the only one CA (also generated by the Katello installer - /usr/share/katello/RHN-ORG-TRUSTED-SSL-CERT). Purpose of this task is to install current version of Katello (you can use our beaker test - I can provide you a link) and to configure the backend engine to use new Katello generated certificates. Possible outcome: 1) Only configuration change - backend engine only needs to be reconfigured. Please collect all the required steps which are needed in this BZ. 2) Configuration change + change in the backend engine code - since certificates will be signed with a different CA, some changes may be needed to get it working. Please link all possible RHBZ with this one. Once changes are done, 3) Some more certificates needs to be generated - please provide us information about what particular certificate is missing, what format is expected and what is the preferred directory. We will add new generation step in our installer. 4) None of above - let's setup a meeting where we discuss other options if there are any issues. Please cover all parts of the backend engine where certificates are involved. In case of Candlepin, the following certificates should be relevant: /etc/pki/tls/certs/httpd-ssl.crt /etc/pki/tls/certs/qpid-broker.crt /etc/pki/katello/nssdb This RHBZ is more or less a "tracking" ticket. Please contact me (lzap) if you have any questions or issues. Many thanks for help.
I believe this issue is relevant: https://bugzilla.redhat.com/show_bug.cgi?id=754728#c7
For pulp, I believe we can just either update configuration or replace pulp certificates with symlinks to installer generated certificates. To start with, here is some information on pulp certificates: ========================================== CA ========================================== Usage: To authenticate access to content and REST API: Configuration: /etc/httpd/conf.d/pulp.conf Format: PEM Eg: [security] cacert: /etc/pki/pulp/ca.crt cakey: /etc/pki/pulp/ca.key Usage: To generate user (login) and consumer certificates: Configuration: /etc/httpd/conf.d/pulp.conf Format: PEM Eg: SSLCACertificateFile /etc/pki/pulp/ca.crt ========================================== SSL Server ========================================== Usage: Web server SSL Configuration: /etc/httpd/conf.d/ssl.conf Format: PEM Eg: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key SSLCertificateFile /etc/pki/tls/certs/localhost.crt ========================================== QPID ========================================== see: https://fedorahosted.org/pulp/wiki/QPID
@Jeff - thanks. Questions: What about this pulp-global-repo.ca? Can I symlink it to the pulp.crt? What about client configuration - how the CA is published to the client? Jeff W. reported when the pulp.crt is not self-signed it does not work (RHBZ 754728). Is Pulp supposed to work with this configuration or do you need to change it for support like that?
I updated the pulp wiki[1] page that consolidates how pulp uses certificates and how it is configured. Still looking into RHBZ:754728. Suggested configuration steps: [CA] = The candlepin CA SERVER: * Edit /etc/httpd/conf.d/pulp.conf and set: SSLCACertificateFile to the location of the [CA]. * Enable global repo auth. * Add symlink in /etc/pki/content/pulp-global-repo.ca --> [CA]. * Edit: repo_auth.conf and enable:true * QPID configuration as defined on the pulp wiki[3] using the [CA]. CONSUMER: Uses existing RHSM configuration. How the agent works is documented on the katello wiki[2]. REFERENCES: [1] https://fedorahosted.org/pulp/wiki/Certificates [2] https://fedorahosted.org/katello/wiki/KatelloAgent [3] https://fedorahosted.org/pulp/wiki/QPID
The step 2 "* Enable global repo auth." is redundant to step 4 which is more specific. Please disregard.
Hey Lukas, Do you need anything further on this? If not, I'd like to get this off my plate. If you'd like to keep it open for tacking, perhaps we can just reassign? Thanks, Jeff
Sorry. We implemented this and no changes on Pulp side are necessary.