Description of problem: Problem with certificates when accessing pulp repo # yum info penguin https://hp-dl580g7-02.xxx.com/pulp/repos/ACME_Corporation/testing/custom/product/repo/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)" Trying other mirror. REPRODUCER SCRIPT: #!/bin/bash K="katello -u admin -p admin" URL=http://lzap.fedorapeople.org/fakerepos/zoo4 export LC_ALL=en_US # sync zoo $K client remember --option org --value ACME_Corporation $K provider create --name provider --url $URL $K product create --provider provider --name product --url $URL --nodisc $K repo create --product product --name repo --url $URL $K repo synchronize --product product --name repo # promote zoo $K environment create --name testing --prior Locker $K changeset create --name change --environment testing $K changeset update --name change --environment testing --add_product product $K changeset promote --name change --environment testing # configure rhsm sed -i "s/^hostname\s*=.*/hostname = $(hostname)/g" /etc/rhsm/rhsm.conf sed -i 's/^prefix\s*=.*/prefix = \/katello\/api/g' /etc/rhsm/rhsm.conf sed -i 's/^port\s*=.*/port = 443/g' /etc/rhsm/rhsm.conf sed -i 's/^repo_ca_cert\s*=.*/repo_ca_cert = %(ca_cert_dir)scandlepin-ca.crt/g' /etc/rhsm/rhsm.conf sed -i "s/^baseurl\s*=.*/baseurl=https:\/\/$(hostname)\/pulp\/repos\//g" /etc/rhsm/rhsm.conf openssl x509 -outform pem -in /etc/candlepin/certs/candlepin-ca.crt -out /etc/rhsm/ca/candlepin-ca.pem # self register and subscribe POOLID=$(sudo subscription-manager list --available --all | grep PoolId | head -n1 | awk '{print $2}') # grab first pool subscription-manager register --username=admin --password=admin --force --org=ACME_Corporation --environment=testing subscription-manager subscribe --pool yum info penguin
More info: https://fedorahosted.org/pipermail/katello/2011-December/000247.html
It is a bug on Pulp side - on Fedora 16 there is new version than mod_wsgi that is provided (and required) but Pulp. This new version does not include the patch required for correct functionality of the repo authentication. Filing a BZ for pulp: https://bugzilla.redhat.com/show_bug.cgi?id=772660
mass ON_QA move
just a note: there is no need to do anything on the client side except: cp /etc/candlepin/certs/candlepin-ca.crt ./candlepin-local.pem doing all the steps with this in regard, I was able to fetch the penguin info without problem. # VERIFIED and the versions are: --- katello-0.1.230-1.git.0.7ea815b.el6.noarch katello-cli-0.1.54-1.git.0.2670189.el6.noarch pulp-0.0.265-1.el6.noarch candlepin-0.5.17-1.el6.noarch subscription-manager-0.99.6-1.el6.x86_64 python-rhsm-0.99.3-1.el6.noarch
getting rid of 6.0.0 version since that doesn't exist