Description of problem:

Here is my workflow which I think covers all the steps I performed to enable repo auth.

1. set repo_auth.conf enabled to true

# cat /etc/pulp/repo_auth.conf | grep enabled
enabled: true

2. create my CA

# openssl genrsa -out caPulp.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
.......+++
e is 65537 (0x10001)
# openssl req -new -x509 -days 365 -key caPulp.key -out caPulp.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:RHT
Organizational Unit Name (eg, section) []:ENGG
Common Name (eg, your name or your server's hostname) []:Pulp Server CA
Email Address []:pkilambi

3. creating my entitlement certs

[root@domU-12-31-39-07-5C-DC ~]# openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
.........+++
e is 65537 (0x10001)
[root@domU-12-31-39-07-5C-DC ~]# cat extensions.txt
[myRepo]
basicConstraints=CA:FALSE
1.3.6.1.4.1.2312.9.2.0000.1.1=ASN1:UTF8:Pulp Production MyRepo x86_64
1.3.6.1.4.1.2312.9.2.0000.1.2=ASN1:UTF8:pulp-prod-myrepo-64
1.3.6.1.4.1.2312.9.2.0000.1.6=ASN1:UTF8:repos/myRepo/
[root@domU-12-31-39-07-5C-DC ~]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:RHT
Organizational Unit Name (eg, section) []:ENGG
Common Name (eg, your name or your server's hostname) []:Pulp Entitlement Certificate
Email Address []:pkilambi

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@domU-12-31-39-07-5C-DC ~]# openssl x509 -req -days 365 -CA caPulp.crt -CAkey caPulp.key -CAcreateserial -extfile extensions.txt -extensions myRepo -in client.csr -out client.crt
Signature ok
subject=/C=US/ST=North Carolina/L=Raleigh/O=RHT/OU=ENGG/CN=Pulp Entitlement Certificate/emailAddress=pkilambi
Getting CA Private Key

4. create an auth repo

[root@domU-12-31-39-07-5C-DC ~]# pulp-admin repo create --id=myRepo --name=myRepo --consumer_ca=caPulp.crt --consumer_cert=client.crt --consumer_key=client.key
Successfully created repository [ myRepo ]

5. upload content

[root@domU-12-31-39-07-5C-DC ~]# pulp-admin content upload --repoid=myRepo --nosig znc-0.204-3.el4.i386.rpm
* Starting Content Upload operation. See /var/log/pulp/client.log for more verbose output
* Performing Content Uploads to Pulp server
* Performing Repo Associations
Packages skipped because of filters associated with the repository myRepo : 0
* Metadata generation has been scheduled for repository [myRepo] with a task id [9565c62e-5677-11e1-9ebb-123139075cdc]; use `pulp-admin repo generate_metadata --status` to check the status.
* Content Upload complete.
[root@domU-12-31-39-07-5C-DC ~]# cat /etc/pki/pulp/content/pulp-protected-repos
myRepo,myRepo
[root@domU-12-31-39-07-5C-DC ~]# ls -l /etc/pki/pulp/content/myRepo/
total 8
-rw-r--r--. 1 apache apache 1440 Feb 13 14:18 consumer-myRepo.ca
-rw-r--r--. 1 apache apache 3211 Feb 13 14:18 consumer-myRepo.cert

6. create a consumer and bind to it

[root@domU-12-31-39-07-5C-DC ~]# pulp-consumer -u admin -p admin consumer register --id=prad-con
warning: this client is not known to the pulp server; run 'pulp-consumer consumer register' to register it
Successfully registered consumer [ prad-con ]

7. bind the consumer to the repo

[root@domU-12-31-39-07-5C-DC ~]# pulp-consumer consumer bind --repoid=myRepo
Successfully subscribed consumer [prad-con] to repo [myRepo]
# ls -l /etc/pki/pulp/client/repo/myRepo/
total 8
-rw-r--r--. 1 root root 1440 Feb 13 14:19 ca.crt
-rw-r--r--. 1 root root 3211 Feb 13 14:19 client.crt
# cat /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#
[myRepo]
name = myRepo
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/pulp/client/repo/myRepo/ca.crt
sslclientcert = /etc/pki/pulp/client/repo/myRepo/client.crt
baseurl = https://x86-008.build.bos.redhat.com/pulp/repos/myRepo
# yum repolist
Loaded plugins: amazon-id, pulp-profile-update, rhui-lb, security
https://x86-008.build.bos.redhat.com/pulp/repos/myRepo/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
repo id                                        repo name                                                        status
epel                                           Extra Packages for Enterprise Linux 6 - x86_64                   6,929
myRepo                                         myRepo                                                           0
pulp-v1-testing                                Pulp v1 Testing                                                  0
rhui-us-east-1-client-config-server-6          Red Hat Update Infrastructure 2.0 Client Configuration Server 6  0
rhui-us-east-1-rhel-server-releases            Red Hat Enterprise Linux Server 6 (RPMs)                         0
rhui-us-east-1-rhel-server-releases-optional   Red Hat Enterprise Linux Server 6 Optional (RPMs)                0
repolist: 6,929

# turn off ssl verify:
[root@domU-12-31-39-07-5C-DC ~]# yum repolist
Loaded plugins: amazon-id, pulp-profile-update, rhui-lb, security
https://x86-008.build.bos.redhat.com/pulp/repos/myRepo/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403"
Trying other mirror.
repo id                                        repo name                                                        status
epel                                           Extra Packages for Enterprise Linux 6 - x86_64                   6,929
myRepo                                         myRepo                                                           0
pulp-v1-testing                                Pulp v1 Testing                                                  0
rhui-us-east-1-client-config-server-6          Red Hat Update Infrastructure 2.0 Client Configuration Server 6  0
rhui-us-east-1-rhel-server-releases            Red Hat Enterprise Linux Server 6 (RPMs)                         0
rhui-us-east-1-rhel-server-releases-optional   Red Hat Enterprise Linux Server 6 Optional (RPMs)                0
repolist: 6,929

In ssl_error_log I see a couple of errors:

[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] Certificate to verify:
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] \tsubject=</C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, issuer=</C=US/ST=North Carolina/L=Raleigh/O=Red hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, subject.as_hash=<411955543>, issuer.as_hash=<411955543>, fingerprint=<F626D0C5F27995050CC7947E7D27F529>, serial=<17116627806546844322>, version=<2>, check_ca=<0>, notBefore=<Feb 13 17:54:50 2012 GMT>, notAfter=<Feb 12 17:54:50 2013 GMT>
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] Using a CA Chain with 1 cert(s)
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] \tCA: subject=</C=US/ST=North Carolina/L=Raleigh/O=Red hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, issuer=</C=US/ST=North Carolina/L=Raleigh/O=Red hat Inc/OU=Engineering/CN=x86-008.build.bos.redhat.com/emailAddress=pkilambi>, subject.as_hash=<411955543>, issuer.as_hash=<411955543>, fingerprint=<E6659ECD9FB90A4AE5D7DC9A747D34A2>, serial=<18341169043305500429>, version=<2>, check_ca=<1>, notBefore=<Feb 13 17:52:39 2012 GMT>, notAfter=<Feb 12 17:52:39 2013 GMT>
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] Using a CRL Stack with 0 CRL(s)
Client certificate did not match the repo consumer CA certificate
[Mon Feb 13 13:39:15 2012] [error] [client 127.0.0.1] mod_wsgi (pid=2671): Client denied by server configuration: '/var/www/pub/repos/testrepo/repodata/repomd.xml'.
[Mon Feb 13 14:20:04 2012] [error] [client 127.0.0.1] Request denied to destination [/pulp/repos/myRepo/repodata/repomd.xml]
[Mon Feb 13 14:20:04 2012] [error] [client 127.0.0.1] mod_wsgi (pid=2670): Client denied by server configuration: '/var/www/pub/repos/myRepo/repodata/repomd.xml'.
Something seems weird with the cert outputted in the log. Based on the output from comment #0:
1) the CA should have a CN of: Pulp Server CA
2) the ent cert should have a CN of: Pulp Entitlement Certificate

Yet the Pulp log shows the ent cert to verify and the CA both have a CN=x86-008.build.bos.redhat.com

Next step would be to run something like:
openssl x509 -in /etc/pki/pulp/content/myRepo/myRepo.ca -text
openssl x509 -in /etc/pki/pulp/content/myRepo/myRepo.crt -text

Also, it's worth noting that a separate cert/key were used and this isn't a combined cert/key in a single PEM; that may also be a factor of this bz.
We tried this twice, the first time my CN was x86-008.build.bos.redhat.com and my result was still a 403. The log probably is showing the cert info from the first run, but in both cases the result was the same.

Regarding the cert/key being separate, I already verified that when the bind happens, the cert that gets put down on the consumer is a pem file. So even though we're passing in cert/key as separate, it gets combined on the server when it gets saved. I already spoke to James about this on IRC. He said he will validate it. There is a chance this is a non-issue and I missed a step, but I tried it twice in a clean env and still got a 403.
I was able to reproduce the error with sslverify=1 needing to be turned off, but once I did that, I got access to the repo.

As to why sslverify=0 is needed, it's because we are sending down the wrong CA cert to the client during the bind operation to use for the sslcacert value. The CA we send down is the one that signed the client entitlement certificate, not the one that signed the server's apache ssl certificate. The code that does this is in pulp/server/consumer_utils.py at line 83. That code reads the consumer_ca attribute on the repo object and sends that down as cacert in the bind data, which gets saved as sslcacert in the yum config on the client. The consumer_ca file on the repo object is the CA that's used server side to verify the client certificate. This needs to be fixed.

Fixing this is going to be tricky. Mainly because we don't know the path to the CA that signed the apache SSL certificate anywhere in pulp. This information isn't required for anything server side, and in fact you don't even have to have the CA available anywhere. Furthermore, it's possible that the server's SSL certificate is self signed, in which case there is no CA; we'd need to pass down the certificate itself.

I think what we need to do is add a new config to /etc/pulp/pulp.conf to add the path to the CA that signed the server's SSL certificate. If that certificate is self signed, this can be the path to the certificate itself. We can default the value to /etc/pki/tls/certs/localhost.crt, which is the default path to the server's SSL certificate in /etc/httpd/conf.d/ssl.conf. We can then read this config and pass this certificate down to the client as cacert in the bind data.
Ok, I was able to verify the repo auth error as well even with sslverify=0 set, so now I'm looking into that.
The 403 repo auth failure is due to an error in the blog post example at http://blog.pulpproject.org/2011/05/18/pulp-protected-repositories/. The OID extension should not start with /repos. We actually strip out /pulp/repos from the beginning of the requested url, not just /pulp. As far as I can tell the repo auth code has always done this, so I'm not sure why that blog post shows what it does. I seem to have a vague recollection that the repo path on the pulp server changed, didn't it used to be under 2 repo dirs, like /pulp/repos/repos? If I generate a client certificate without the initial /repos in the extension I can get the repo auth to work (minus the sslverify issue of course).
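The prefix stripping described in the comment above, worked as an added example (this is not Pulp's repo-auth code): "/pulp/repos" is removed from the requested URL and the remainder is matched against the repo paths in the entitlement certificate's ...1.6 OID extensions, which is why the "repos/myRepo/" value from extensions.txt never matches and "myRepo/" does. Certificate parsing is replaced by a plain list of extension values, and the normpath step that keeps ".." segments from escaping the prefix is this example's own addition, not something the page says Pulp does.

```python
import posixpath
from urllib.parse import urlparse

# Prefix Pulp removes from the request path before comparing (comment above).
PREFIX = "/pulp/repos"


def relative_repo_path(url_or_path):
    """Return the request path with "/pulp/repos" stripped, or None when the
    (normalised) request does not sit under that prefix.  The normpath call
    is this example's own addition so that ".." segments cannot move a
    request out from under the prefix; the page does not describe Pulp's
    handling of that case."""
    path = posixpath.normpath(urlparse(url_or_path).path)
    if path != PREFIX and not path.startswith(PREFIX + "/"):
        return None
    return path[len(PREFIX):].lstrip("/")


def is_entitled(url_or_path, entitled_paths):
    """True when the stripped request path equals, or lies below, one of the
    repo paths carried in the entitlement cert's ...1.6 OID extensions."""
    rel = relative_repo_path(url_or_path)
    if rel is None:
        return False
    for ent in entitled_paths:
        ent = ent.strip("/")          # "repos/myRepo/" -> "repos/myRepo"
        if ent and (rel == ent or rel.startswith(ent + "/")):
            return True
    return False


# Constructed inputs: the URL yum requested in the report, the extension value
# written into extensions.txt following the blog post, and the corrected one.
REQUEST = "https://x86-008.build.bos.redhat.com/pulp/repos/myRepo/repodata/repomd.xml"
BLOG_POST_EXTENSION = ["repos/myRepo/"]
CORRECTED_EXTENSION = ["myRepo/"]

if __name__ == "__main__":
    print(relative_repo_path(REQUEST))                # myRepo/repodata/repomd.xml
    print(is_entitled(REQUEST, BLOG_POST_EXTENSION))  # False -> the 403 seen above
    print(is_entitled(REQUEST, CORRECTED_EXTENSION))  # True
```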
fix from comment #3 committed to pulp master 9d2f3265ddbe9384c8060c48f9eac40333122d64
user guide changes updated at https://fedorahosted.org/pulp/wiki/UGRepoAuth
build: 0.267
verified

[root@preethi chain_example]# rpm -q pulp
pulp-0.0.267-1.fc15.noarch

[root@preethi-el6-pulp ~]# yum repolist
Loaded plugins: product-id, pulp-profile-update, security, subscription-manager
Updating certificate-based repositories.
pulp_f15_x86_64                                | 2.9 kB     00:00
pulp_f15_x86_64/primary_db                     |  11 kB     00:00
rhel6                                          | 4.0 kB     00:00
rhel6/primary_db                               | 3.1 MB     00:02
rhel6_2                                        | 3.7 kB     00:00
rhel6_2/primary_db                             |  11 MB     00:03
repo id            repo name                                            status
epel               Extra Packages for Enterprise Linux 6 - x86_64       6,991
pulp-v1-testing    Pulp v1 Testing                                      20
pulp_f15_x86_64    pulp_f15_x86_64                                      20
rhel6              Red Hat Enterprise Linux 6Server - x86_64 - RHEL6    3,529
rhel6_2            rhel6_2                                              6,862
repolist: 17,422

[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/
epel.repo  pulp.repo  rhel-pulp.repo  rhel-source.repo  epel-testing.repo  redhat.repo  rhel-pulp.repo.1

[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#
[rhel6_2]
name = rhel6_2
enabled = 1
sslverify = 0
gpgcheck = 0
baseurl = https://preethi.usersys.redhat.com/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/os

[pulp_f15_x86_64]
name = pulp_f15_x86_64
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/ca.crt
sslclientcert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/client.crt
baseurl = https://preethi.usersys.redhat.com/pulp/repos/repos/pulp/pulp/v1/testing/fedora-15/x86_64
[root@preethi-el6-pulp ~]#
Pulp v1.0 is released Closed Current Release.