Bug 800098 - Pulp certificate configuration inconsistent
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.0.0
Priority: unspecified
Severity: high
Assigned To: Martin Bacovsky
QA Contact: Og Maciel
Keywords: Triaged
Reported: 2012-03-05 13:10 EST by James Laska
Modified: 2014-09-18 11:32 EDT
Doc Type: Bug Fix
Last Closed: 2012-08-22 14:30:27 EDT

Description James Laska 2012-03-05 13:10:45 EST
Description of problem:

After installing katello-all and running katello-configure, pulp repos are not set up for proper certificate access.  For example, /etc/pulp/pulp.conf and /etc/httpd/conf.d/pulp.conf differ on the certificate used.

Version-Release number of selected component (if applicable):
 * candlepin-0.5.23-1.el6.src.rpm
 * katello-0.1.301-2.el6.src.rpm
 * katello-candlepin-cert-key-pair-1.0-1.src.rpm
 * katello-certs-tools-1.0.3-1.el6.src.rpm
 * katello-cli-0.1.100-2.el6.src.rpm
 * katello-configure-0.1.101-1.el6.src.rpm
 * katello-qpid-broker-key-pair-1.0-1.src.rpm
 * katello-qpid-client-key-pair-1.0-1.src.rpm
 * katello-selinux-0.1.8-1.el6.src.rpm
 * pulp-1.0.0-4.el6.src.rpm

How reproducible:
 * easy


Steps to Reproduce:
1. Install katello-all
2. Run katello-configure
3. Examine the different cert configurations in ...
   /etc/pulp/pulp.conf
   /etc/httpd/conf.d/pulp.conf
   /etc/pulp/repo_auth.conf


Actual results:

== /etc/pulp/pulp.conf ==
> [security]
> cacert:  /etc/candlepin/certs/candlepin-ca.crt

== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/pki/pulp/ca.crt

== /etc/pulp/repo_auth.conf  ==
> [repos]
> cert_location: /etc/pki/pulp/content
> global_cert_location: /etc/pki/pulp/content

> # ls -l /etc/pki/pulp/content/7e764a0e.r0 /etc/pki/pulp/content/pulp-global-repo.ca
> lrwxrwxrwx. 1 root root 36 Mar  2 07:20 /etc/pki/pulp/content/7e764a0e.r0 -> /var/lib/candlepin/candlepin-crl.crl
> lrwxrwxrwx. 1 root root 37 Mar  2 07:20 /etc/pki/pulp/content/pulp-global-repo.ca -> /etc/candlepin/certs/candlepin-ca.crt


Expected results:

 * At the least, /etc/pulp/pulp.conf and /etc/httpd/conf.d/pulp.conf should point to the *same* certificate.

== /etc/pulp/pulp.conf ==
> [security]
> cacert:  /etc/candlepin/certs/candlepin-ca.crt

== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/candlepin/certs/candlepin-ca.crt

 * I'm not sure if any adjustments are needed for repo_auth.conf

Additional info:
Comment 1 Lukas Zapletal 2012-03-06 12:45:35 EST
So there is no error message there. Just to clean it a bit. It's apparently unused.
Comment 2 Jay Dobies 2012-03-07 14:24:20 EST
These are all used and, from what I can tell, correctly set. I'll break it down by entry above:


== /etc/pulp/pulp.conf ==
> [security]
> cacert:  /etc/candlepin/certs/candlepin-ca.crt

From the pulp.conf itself:
# full path to the CA certificate that will be used to sign
# consumer and admin identification certificates.  This MUST match
# the value of SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf

The reason it must match is because Pulp creates the admin/consumer certificates and signs them with that CA, whereas Apache verifies them when they are used. If in Katello Pulp isn't creating any certificates, this specific entry probably isn't used. But I wouldn't go hacking away at Pulp's conf file, there may still be integrity checks on Pulp's config that require it to be present.



== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/pki/pulp/ca.crt

See above explanation. This is the Apache side of it.



== /etc/pulp/repo_auth.conf  ==
> [repos]
> cert_location: /etc/pki/pulp/content
> global_cert_location: /etc/pki/pulp/content

> # ls -l /etc/pki/pulp/content/7e764a0e.r0 /etc/pki/pulp/content/pulp-global-repo.ca
> lrwxrwxrwx. 1 root root 36 Mar  2 07:20 /etc/pki/pulp/content/7e764a0e.r0 -> /var/lib/candlepin/candlepin-crl.crl
> lrwxrwxrwx. 1 root root 37 Mar  2 07:20 /etc/pki/pulp/content/pulp-global-repo.ca -> /etc/candlepin/certs/candlepin-ca.crt

The above two sections referred to consumer/admin user certificates into Pulp's REST APIs. This section refers to the entitlement certificates used for repo access. Pulp (not Apache) will look in here for the CA that signed the entitlement certificate to ensure the client attempting to access the repo hasn't self-signed an entitlement in an effort to steal content.

The reason this points to candlepin CAs is because it's candlepin signing the entitlement certs.


My suggestion is to just leave it alone. It's not hurting anything and I can't vouch for how happy Pulp will be if you start removing expected config values (not to mention there's an ugly half-finished mechanism in the server that will add these back with defaults if they are missing, which would be really hard to debug).
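The check Jay describes (pulp.conf's [security] cacert and Apache's SSLCACertificateFile must be the same CA, while repo_auth.conf's global CA is Candlepin's and only needs reporting) can be automated. The script below is an added example, not Katello, Pulp or Candlepin code. It parses the three files, follows symlinks, and compares the CA files by SHA-256 rather than by path, so two paths that reach the same file (as the pulp-global-repo.ca symlink does) count as consistent while two different CAs are flagged. It builds a scratch tree mirroring the paths in the bug; the CA files in it are placeholder bytes, not real certificates, and the file name pulp-global-repo.ca is taken from the ls output above.

```python
"""Consistency check for the Pulp / Apache / repo_auth CA settings (added example)."""
import configparser
import hashlib
import os
import re
import tempfile

SSL_CA_RE = re.compile(r"^\s*SSLCACertificateFile\s+(\S+)", re.MULTILINE)


def read_pulp_cacert(pulp_conf):
    """[security] cacert from /etc/pulp/pulp.conf (INI, ':' delimited)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(pulp_conf)
    return cp.get("security", "cacert")


def read_httpd_cacert(httpd_conf):
    """SSLCACertificateFile from the Apache pulp.conf (directive syntax)."""
    with open(httpd_conf) as fh:
        match = SSL_CA_RE.search(fh.read())
    if match is None:
        raise ValueError("no SSLCACertificateFile in %s" % httpd_conf)
    return match.group(1)


def read_repo_auth_global_ca(repo_auth_conf):
    """<global_cert_location>/pulp-global-repo.ca: the CA Pulp checks entitlement certs against."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(repo_auth_conf)
    return os.path.join(cp.get("repos", "global_cert_location"), "pulp-global-repo.ca")


def fingerprint(path):
    """SHA-256 of the file a path finally points at (follows symlinks)."""
    with open(os.path.realpath(path), "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def check_ca_consistency(pulp_conf, httpd_conf, repo_auth_conf):
    """Return (report, findings). report maps each setting to (configured path,
    resolved path, sha256). Only the pulp.conf / Apache pair is required to match:
    Pulp signs consumer/admin certs with cacert, Apache verifies them against
    SSLCACertificateFile. The repo_auth CA (Candlepin's) is reported for information."""
    configured = {
        "pulp.conf cacert": read_pulp_cacert(pulp_conf),
        "httpd SSLCACertificateFile": read_httpd_cacert(httpd_conf),
        "repo_auth global CA": read_repo_auth_global_ca(repo_auth_conf),
    }
    report = {name: (path, os.path.realpath(path), fingerprint(path))
              for name, path in configured.items()}
    findings = []
    if report["pulp.conf cacert"][2] != report["httpd SSLCACertificateFile"][2]:
        findings.append("pulp.conf [security] cacert and SSLCACertificateFile are different CAs: "
                        "certificates issued by Pulp will fail Apache client verification")
    return report, findings


def build_sample_tree(root, fixed):
    """Constructed layout under a scratch root. fixed=False reproduces the bug's
    'actual results' (Apache points at /etc/pki/pulp/ca.crt); fixed=True the
    'expected results' (both point at the Candlepin CA). CA contents are placeholders."""
    for sub in ("etc/candlepin/certs", "etc/pki/pulp/content", "etc/pulp", "etc/httpd/conf.d"):
        os.makedirs(os.path.join(root, sub))
    candlepin_ca = os.path.join(root, "etc/candlepin/certs/candlepin-ca.crt")
    pulp_ca = os.path.join(root, "etc/pki/pulp/ca.crt")
    content_dir = os.path.join(root, "etc/pki/pulp/content")
    with open(candlepin_ca, "wb") as fh:  # placeholder, not a real certificate
        fh.write(b"-----BEGIN CERTIFICATE-----\nCANDLEPIN-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n")
    with open(pulp_ca, "wb") as fh:  # a second, different placeholder CA
        fh.write(b"-----BEGIN CERTIFICATE-----\nPULP-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n")
    # the global repo CA is a symlink to the Candlepin CA, as in the ls output in the bug
    os.symlink(candlepin_ca, os.path.join(content_dir, "pulp-global-repo.ca"))
    pulp_conf = os.path.join(root, "etc/pulp/pulp.conf")
    httpd_conf = os.path.join(root, "etc/httpd/conf.d/pulp.conf")
    repo_auth_conf = os.path.join(root, "etc/pulp/repo_auth.conf")
    with open(pulp_conf, "w") as fh:
        fh.write("[security]\ncacert:  %s\n" % candlepin_ca)
    with open(httpd_conf, "w") as fh:
        fh.write("SSLCACertificateFile %s\n" % (candlepin_ca if fixed else pulp_ca))
    with open(repo_auth_conf, "w") as fh:
        fh.write("[repos]\ncert_location: %s\nglobal_cert_location: %s\n" % (content_dir, content_dir))
    return pulp_conf, httpd_conf, repo_auth_conf


def run_check(fixed):
    """Build the sample tree in a temp dir and return the list of findings."""
    with tempfile.TemporaryDirectory() as root:
        _report, findings = check_ca_consistency(*build_sample_tree(root, fixed))
    return findings


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed=%s -> %s" % (fixed, run_check(fixed) or ["CA configuration consistent"]))
```

Run against a real host by passing the three /etc paths to check_ca_consistency as root; comparing fingerprints instead of path strings is what makes the symlinked repo_auth CA show up as the same file as candlepin-ca.crt rather than as a spurious mismatch.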
Comment 3 Martin Bacovsky 2012-03-14 10:26:25 EDT
The problem with the configuration of the SSL CA certificate in /etc/httpd/conf.d/pulp.conf has been fixed since katello-configure-0.1.102. 

See bz #798454.

# cat /etc/httpd/conf.d/pulp.conf |grep SSLCACert
SSLCACertificateFile /etc/candlepin/certs/candlepin-ca.crt

According to the comments above, I believe /etc/pulp/repo_auth.conf does not need any adjustments.
Comment 4 Og Maciel 2012-03-14 10:56:26 EDT
Verified:
* candlepin-0.5.24-1.el6.noarch
* candlepin-tomcat6-0.5.24-1.el6.noarch
* katello-0.1.303-1.el6.noarch
* katello-all-0.1.303-1.el6.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.0.4-1.el6.noarch
* katello-cli-0.1.102-1.el6.noarch
* katello-cli-common-0.1.102-1.el6.noarch
* katello-common-0.1.303-1.el6.noarch
* katello-configure-0.1.104-1.el6.noarch
* katello-glue-candlepin-0.1.303-1.el6.noarch
* katello-glue-foreman-0.1.303-1.el6.noarch
* katello-glue-pulp-0.1.303-1.el6.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-0.1.8-1.el6.noarch
* pulp-1.0.0-4.el6.noarch
* pulp-common-1.0.0-4.el6.noarch
* pulp-selinux-server-1.0.0-4.el6.noarch
