Bug 798418 - Cannot access protected repos via browser with imported uber cert
Product: Pulp
Classification: Community
Component: z_other
Assigned To: Sayli Karmarkar
Preethi Thomas
Reported: 2012-02-28 15:20 EST by Justin Sherrill
Modified: 2015-03-22 21:11 EDT
Doc Type: Bug Fix
Last Closed: 2012-02-28 15:58:38 EST
Description Justin Sherrill 2012-02-28 15:20:18 EST
Description of problem:

Followed directions here:

to generate and import an ubercert.  Reproducing here for history:

1.  Download uber cert
2.  Copy from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive to a file called key.pem
3.  Copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive to a file called cert.pem
4.  Run the following command to create a pkcs12 file:

    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]

    Provide a password when prompted.
5.  Using the preferences tab, import the resulting pfx file into your browser (Edit->Preferences->Advanced Tab -> View Certificates -> Import)
6.  On the Katello server, edit the /etc/httpd/conf.d/pulp.conf file. Add the following line in the <Directory /var/www/pub/repos> Stanza:

        Options Indexes

7.  Restart Apache on the server.
8.  Point your browser at http://[FQDN]/pulp/repos/[ORG_NAME]

After doing so, I still get a 304 when accessing through the browser.  Accessing via curl works fine.

Only error I see in Apache SSL error logs is:

[Tue Feb 28 14:49:45 2012] [info] Connection: Client IP:, Protocol: TLSv1, Cipher: DHE-RSA-CAMELLIA256-SHA (256/256 bits)
[Tue Feb 28 14:49:45 2012] [info] [client] mod_wsgi (pid=4652, process='', application=''): Loading WSGI script '/srv/pulp/repo_auth.wsgi'.
[Tue Feb 28 14:49:45 2012] [error] [client] mod_wsgi (pid=4652): Client denied by server configuration: '/var/www/pub/repos/ACME_Corporation/Library/custom/zoo/zoorepo/repodata/repomd.xml'.

Comment 1 Justin Sherrill 2012-02-28 15:58:38 EST
Issue ended up being that in /etc/httpd/conf.d/pulp.conf SSLCACertificateFile was not set to the same as in /etc/pulp/pulp.conf (was not set to the candlepin certs).

Fixing that fixed it.
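
A way to check for the mismatch described in Comment 1, as an added example that is not part of the original report or of Pulp: it reads SSLCACertificateFile from an Apache config file and tests whether the cert.pem from step 3 verifies against that CA. The function names are hypothetical, and the script assumes the openssl CLI is installed and that the CA path contains no spaces.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print the SSLCACertificateFile value(s) set in an Apache config file.
# Commented-out lines are skipped; optional double quotes are stripped.
apache_ca_file() {
    awk 'tolower($1) == "sslcacertificatefile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Return 0 if the certificate ($2) verifies against the CA bundle ($1).
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report whether the certificate ($2) is accepted by the CA file(s)
# named in the Apache config ($1). Returns 0 only if at least one matches.
check_client_cert() {
    conf=$1
    cert=$2
    status=1
    found=0
    for ca in $(apache_ca_file "$conf"); do
        found=1
        if cert_chains_to "$ca" "$cert"; then
            echo "OK: $cert chains to $ca"
            status=0
        else
            echo "MISMATCH: $cert does not chain to $ca"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "No SSLCACertificateFile directive found in $conf"
    fi
    return $status
}

# Usage: sh check_ca.sh /etc/httpd/conf.d/pulp.conf cert.pem
if [ "$#" -eq 2 ]; then
    check_client_cert "$1" "$2"
fi
```

A MISMATCH result for the uber cert means Apache is validating client certificates against a different CA than the one that issued it.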
