Red Hat Bugzilla – Bug 798418
Cannot access protected repos via browser with imported uber cert
Last modified: 2015-03-22 21:11:20 EDT
Description of problem:
Followed directions here:
to generate and import an ubercert. Reproducing here for history:
1. Download uber cert
2. Copy from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem
3. Copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem
4. Run the following command to create a pkcs12 file:
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]
Provide a password when prompted.
5. Using the preferences tab, import the resulting pfx file into your browser (Edit->Preferences->Advanced Tab -> View Certificates -> Import)
6. On the Katello server, edit the /etc/httpd/conf.d/pulp.conf file. Add the following line in the <Directory /var/www/pub/repos> Stanza:
7. Restart Apache on the server.
8. Point your browser at http://[FQDN]/pulp/repos/[ORG_NAME]
After doing so, I still get a 304 when accessing through the browser. Accessing via curl works fine.
The only error I see in the Apache SSL error logs is:
[Tue Feb 28 14:49:45 2012] [info] Connection: Client IP: 10.11.231.171, Protocol: TLSv1, Cipher: DHE-RSA-CAMELLIA256-SHA (256/256 bits)
[Tue Feb 28 14:49:45 2012] [info] [client 10.11.231.171] mod_wsgi (pid=4652, process='', application=''): Loading WSGI script '/srv/pulp/repo_auth.wsgi'.
[Tue Feb 28 14:49:45 2012] [error] [client 10.11.231.171] mod_wsgi (pid=4652): Client denied by server configuration: '/var/www/pub/repos/ACME_Corporation/Library/custom/zoo/zoorepo/repodata/repomd.xml'.
Issue ended up being that in /etc/httpd/conf.d/pulp.conf SSLCACertificateFile was not set to the same as in /etc/pulp/pulp.conf (was not set to the candlepin certs).
Fixing that fixed it.
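
A check for the mismatch named in the resolution above, as an added example that is not part of the original bug report: it reads the SSLCACertificateFile path from an Apache config file and verifies a client certificate (such as cert.pem from step 3) against that CA. The function names are made up for this example, and both file paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that a client certificate
# chains to the CA Apache trusts for client authentication.

# Print the path of the first uncommented SSLCACertificateFile directive in
# the Apache config file $1 (directive names are case-insensitive).
apache_ca_file() {
    awk 'tolower($1) == "sslcacertificatefile" {
             gsub(/"/, "", $2)   # the path may be quoted
             print $2
             exit
         }' "$1"
}

# Return 0 if certificate $2 verifies against the CA named in Apache config $1,
# 1 if it does not, 2 if the directive or the CA file is missing.
check_client_cert() {
    conf=$1
    cert=$2
    ca=$(apache_ca_file "$conf")
    if [ -z "$ca" ]; then
        echo "no SSLCACertificateFile directive in $conf" >&2
        return 2
    fi
    if [ ! -r "$ca" ]; then
        echo "CA file $ca is not readable" >&2
        return 2
    fi
    # Show both names so a mismatch is visible at a glance.
    echo "Apache trusts: $(openssl x509 -in "$ca" -noout -subject)"
    echo "Cert issuer:   $(openssl x509 -in "$cert" -noout -issuer)"
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert chains to $ca"
        return 0
    fi
    echo "MISMATCH: $cert was not issued by the CA in $ca" >&2
    return 1
}

# Usage: sh check_ca.sh /etc/httpd/conf.d/pulp.conf cert.pem
if [ "$#" -ge 2 ]; then
    check_client_cert "$1" "$2"
fi
```

A MISMATCH result for the uber cert corresponds to the "Client denied by server configuration" situation described above, where Apache was pointed at a different CA than the one that issued the certificate.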