Bug 770066 - Problem with certificates when accessing pulp repo
Summary: Problem with certificates when accessing pulp repo
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: katello-agent
Version: 6.0.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Ivan Necas
QA Contact: Garik Khachikyan
URL:
Whiteboard:
Depends On:
Blocks: katello-blockers
Reported: 2011-12-23 09:25 UTC by Lukas Zapletal
Modified: 2019-09-25 21:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 18:16:13 UTC
Target Upstream Version:
Embargoed:



Description Lukas Zapletal 2011-12-23 09:25:12 UTC
Description of problem:

Problem with certificates when accessing pulp repo

# yum info penguin
https://hp-dl580g7-02.xxx.com/pulp/repos/ACME_Corporation/testing/custom/product/repo/repodata/repomd.xml:
[Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.


REPRODUCER SCRIPT:

#!/bin/bash
K="katello -u admin -p admin"
URL=http://lzap.fedorapeople.org/fakerepos/zoo4
export LC_ALL=en_US

# sync zoo
$K client remember --option org --value ACME_Corporation
$K provider create --name provider --url $URL
$K product create --provider provider --name product --url $URL --nodisc
$K repo create --product product --name repo --url $URL
$K repo synchronize --product product --name repo

# promote zoo
$K environment create --name testing --prior Locker
$K changeset create --name change --environment testing
$K changeset update --name change --environment testing --add_product product
$K changeset promote --name change --environment testing

# configure rhsm
sed -i "s/^hostname\s*=.*/hostname = $(hostname)/g" /etc/rhsm/rhsm.conf
sed -i 's/^prefix\s*=.*/prefix = \/katello\/api/g' /etc/rhsm/rhsm.conf
sed -i 's/^port\s*=.*/port = 443/g' /etc/rhsm/rhsm.conf
sed -i 's/^repo_ca_cert\s*=.*/repo_ca_cert = %(ca_cert_dir)scandlepin-ca.crt/g' /etc/rhsm/rhsm.conf
sed -i "s/^baseurl\s*=.*/baseurl=https:\/\/$(hostname)\/pulp\/repos\//g" /etc/rhsm/rhsm.conf
openssl x509 -outform pem -in /etc/candlepin/certs/candlepin-ca.crt -out /etc/rhsm/ca/candlepin-ca.pem

# self register and subscribe
POOLID=$(sudo subscription-manager list --available --all | grep PoolId | head -n1 | awk '{print $2}') # grab first pool
subscription-manager register --username=admin --password=admin --force --org=ACME_Corporation --environment=testing
subscription-manager subscribe --pool $POOLID

yum info penguin
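
Added example (not part of the original report and not Katello, Pulp or subscription-manager code): libcurl error 77 is reported when the client cannot load its CA file, so this check resolves repo_ca_cert from rhsm.conf, including the %(ca_cert_dir)s interpolation, and tests that the file exists, is readable and holds a PEM certificate. The temporary directory, the sample config text and the placeholder certificate body are constructed; only the two file names come from the reproducer script.

```python
import configparser
import os
import tempfile

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

# Constructed sample of the [rhsm] section; {ca_dir} and {name} are filled in by demo().
SAMPLE_CONF = "[rhsm]\nca_cert_dir = {ca_dir}\nrepo_ca_cert = %(ca_cert_dir)s{name}\n"


def resolve_repo_ca_cert(conf_text):
    """Return repo_ca_cert after %(ca_cert_dir)s has been interpolated."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.get("rhsm", "repo_ca_cert")


def check_ca_file(path):
    """Return a list of reasons a TLS client could not load path as a CA file."""
    if not os.path.isfile(path):
        return ["missing: %s" % path]
    if not os.access(path, os.R_OK):
        return ["not readable: %s" % path]
    with open(path, errors="replace") as handle:
        if PEM_MARKER not in handle.read():
            return ["no PEM certificate block in %s" % path]
    return []


def demo():
    """Check both file names from the reproducer against a constructed CA directory."""
    with tempfile.TemporaryDirectory() as ca_dir:
        # Only the .pem file is created, as the openssl step in the reproducer does.
        with open(os.path.join(ca_dir, "candlepin-ca.pem"), "w") as handle:
            handle.write(PEM_MARKER + "\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
        results = {}
        for name in ("candlepin-ca.crt", "candlepin-ca.pem"):
            conf = SAMPLE_CONF.format(ca_dir=ca_dir + os.sep, name=name)
            results[name] = check_ca_file(resolve_repo_ca_cert(conf))
        return results


if __name__ == "__main__":
    for cert_name, problems in demo().items():
        print(cert_name, "->", problems or "ok")
```

On a real client, pass the contents of /etc/rhsm/rhsm.conf to resolve_repo_ca_cert() and the result to check_ca_file().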

Comment 1 Lukas Zapletal 2011-12-23 09:28:04 UTC
More info: https://fedorahosted.org/pipermail/katello/2011-December/000247.html

Comment 2 Ivan Necas 2012-01-09 15:03:34 UTC
It is a bug on the Pulp side - on Fedora 16 there is a newer version of mod_wsgi than the one that is provided (and required) by Pulp. This new version does not include the patch required for correct functionality of the repo authentication.

Filing a BZ for pulp: https://bugzilla.redhat.com/show_bug.cgi?id=772660

Comment 3 Mike McCune 2012-01-26 19:07:20 UTC
mass ON_QA move

Comment 5 Garik Khachikyan 2012-02-10 16:20:58 UTC
just a note: there is no need to do anything on the client side except:
cp /etc/candlepin/certs/candlepin-ca.crt ./candlepin-local.pem

doing all the steps with this in regard, I was able to fetch the penguin info without problem.

# VERIFIED

and the versions are:
---

katello-0.1.230-1.git.0.7ea815b.el6.noarch
katello-cli-0.1.54-1.git.0.2670189.el6.noarch
pulp-0.0.265-1.el6.noarch
candlepin-0.5.17-1.el6.noarch
subscription-manager-0.99.6-1.el6.x86_64
python-rhsm-0.99.3-1.el6.noarch

Comment 7 Mike McCune 2013-08-16 17:52:25 UTC
getting rid of 6.0.0 version since that doesn't exist

