Description of problem:

Followed directions here: https://fedorahosted.org/katello/wiki/GuideDebugCertificates to generate and import an ubercert. Reproducing here for history:

1. Download uber cert
2. Copy from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem
3. Copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem
4. Run the following command to create a pkcs12 file:

   openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]

   Provide a password when prompted.
5. Using the preferences tab, import the resulting pfx file into your browser (Edit->Preferences->Advanced Tab -> View Certificates -> Import)
6. On the Katello server, edit the /etc/httpd/conf.d/pulp.conf file. Add the following line in the <Directory /var/www/pub/repos> Stanza:

   Options Indexes
7. Restart Apache on the server.
8. Point your browser at http://[FQDN]/pulp/repos/[ORG_NAME]

After doing so, I still get a 304 when accessing through the browser. Accessing via curl works fine. Only error I see in apache ssl error logs is:

[Tue Feb 28 14:49:45 2012] [info] Connection: Client IP: 10.11.231.171, Protocol: TLSv1, Cipher: DHE-RSA-CAMELLIA256-SHA (256/256 bits)
[Tue Feb 28 14:49:45 2012] [info] [client 10.11.231.171] mod_wsgi (pid=4652, process='', application=''): Loading WSGI script '/srv/pulp/repo_auth.wsgi'.
[Tue Feb 28 14:49:45 2012] [error] [client 10.11.231.171] mod_wsgi (pid=4652): Client denied by server configuration: '/var/www/pub/repos/ACME_Corporation/Library/custom/zoo/zoorepo/repodata/repomd.xml'.

pulp-0.0.267-2.el6.noarch

Issue ended up being that in /etc/httpd/conf.d/pulp.conf SSLCACertificateFile was not set to the same as in /etc/pulp/pulp.conf (was not set to the candlepin certs). Fixing that fixed it.
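
A diagnostic sketch for the mismatch described in the last comment, added here and not part of the original report or of Katello/Pulp: it performs steps 2-3 and then checks whether the client certificate chains to the CA named by SSLCACertificateFile in the Apache config. The function names are hypothetical, file paths are passed as arguments, and it assumes the uber cert is issued by the CA Apache should trust.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not Katello or Pulp tooling.

# Steps 2-3: split a downloaded uber cert ($1) into key.pem and cert.pem in dir $2.
split_ubercert() {
    ( umask 077   # keep the private key unreadable to group and others
      sed -n '/-----BEGIN RSA PRIVATE KEY-----/,/-----END RSA PRIVATE KEY-----/p' \
          "$1" > "$2/key.pem" )
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        "$1" > "$2/cert.pem"
    # Fail if either PEM block was missing from the download.
    [ -s "$2/key.pem" ] && [ -s "$2/cert.pem" ]
}

# Print the CA bundle path set by the first active SSLCACertificateFile
# directive in Apache config file $1 (commented-out lines are skipped).
apache_ca_path() {
    awk '$1 == "SSLCACertificateFile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Return 0 only if client cert $2 chains to the CA that Apache config $1 trusts.
# Return 2 if the directive is missing or the CA file cannot be read.
cert_trusted_by_apache() {
    ca=$(apache_ca_path "$1")
    [ -n "$ca" ] || { echo "no SSLCACertificateFile in $1" >&2; return 2; }
    [ -r "$ca" ] || { echo "CA file $ca is not readable" >&2; return 2; }
    # Match on the ": OK" line rather than trusting the exit status alone.
    openssl verify -CAfile "$ca" "$2" 2>/dev/null | grep -q ': OK$'
}

# Typical use on the server (paths from the report; uber.pem is the download):
#   split_ubercert uber.pem . &&
#   cert_trusted_by_apache /etc/httpd/conf.d/pulp.conf cert.pem ||
#       echo "client cert is not issued by the CA Apache trusts"
```

A failure from cert_trusted_by_apache means the browser's client certificate will not validate against the CA Apache is configured with, whatever the pkcs12 import looked like on the client side.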