Description of problem:
After installing katello-all and running katello-configure, pulp repos are not set up for proper certificate access. For example, /etc/pulp/pulp.conf and /etc/httpd/conf.d/pulp.conf differ on the certificate used.

Version-Release number of selected component (if applicable):
* candlepin-0.5.23-1.el6.src.rpm
* katello-0.1.301-2.el6.src.rpm
* katello-candlepin-cert-key-pair-1.0-1.src.rpm
* katello-certs-tools-1.0.3-1.el6.src.rpm
* katello-cli-0.1.100-2.el6.src.rpm
* katello-configure-0.1.101-1.el6.src.rpm
* katello-qpid-broker-key-pair-1.0-1.src.rpm
* katello-qpid-client-key-pair-1.0-1.src.rpm
* katello-selinux-0.1.8-1.el6.src.rpm
* pulp-1.0.0-4.el6.src.rpm

How reproducible:
* easy

Steps to Reproduce:
1. Install katello-all
2. Run katello-configure
3. Example different cert configurations in ...
   /etc/pulp/pulp.conf
   /etc/httpd/conf.d/pulp.conf
   /etc/pulp/repo_auth.conf

Actual results:

== /etc/pulp/pulp.conf ==
> [security]
> cacert: /etc/candlepin/certs/candlepin-ca.crt

== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/pki/pulp/ca.crt

== /etc/pulp/repo_auth.conf ==
> [repos]
> cert_location: /etc/pki/pulp/content
> global_cert_location: /etc/pki/pulp/content
> # ls -l /etc/pki/pulp/content/7e764a0e.r0 /etc/pki/pulp/content/pulp-global-repo.ca
> lrwxrwxrwx. 1 root root 36 Mar  2 07:20 /etc/pki/pulp/content/7e764a0e.r0 -> /var/lib/candlepin/candlepin-crl.crl
> lrwxrwxrwx. 1 root root 37 Mar  2 07:20 /etc/pki/pulp/content/pulp-global-repo.ca -> /etc/candlepin/certs/candlepin-ca.crt

Expected results:
* At the least, /etc/pulp/pulp.conf and /etc/httpd/conf.d/pulp.conf should point to the *same* certificate.

== /etc/pulp/pulp.conf ==
> [security]
> cacert: /etc/candlepin/certs/candlepin-ca.crt

== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/candlepin/certs/candlepin-ca.crt

* I'm not sure if any adjustments are needed for repo_auth.conf

Additional info:
So there is no error message there. Just to clean it a bit. It's apparently unused.
These are all used and, from what I can tell, correctly set. I'll break it down by entry above:

== /etc/pulp/pulp.conf ==
> [security]
> cacert: /etc/candlepin/certs/candlepin-ca.crt

From the pulp.conf itself:

# full path to the CA certificate that will be used to sign
# consumer and admin identification certificates. This MUST match
# the value of SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf

The reason it must match is because Pulp creates the admin/consumer certificates and signs them with that CA, whereas Apache verifies them when they are used. If in Katello Pulp isn't creating any certificates, this specific entry probably isn't used. But I wouldn't go hacking away at Pulp's conf file, there may still be integrity checks on Pulp's config that require it to be present.

== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/pki/pulp/ca.crt

See above explanation. This is the Apache side of it.

== /etc/pulp/repo_auth.conf ==
> [repos]
> cert_location: /etc/pki/pulp/content
> global_cert_location: /etc/pki/pulp/content
> # ls -l /etc/pki/pulp/content/7e764a0e.r0 /etc/pki/pulp/content/pulp-global-repo.ca
> lrwxrwxrwx. 1 root root 36 Mar  2 07:20 /etc/pki/pulp/content/7e764a0e.r0 -> /var/lib/candlepin/candlepin-crl.crl
> lrwxrwxrwx. 1 root root 37 Mar  2 07:20 /etc/pki/pulp/content/pulp-global-repo.ca -> /etc/candlepin/certs/candlepin-ca.crt

The above two sections referred to consumer/admin user certificates into Pulp's REST APIs. This section refers to the entitlement certificates used for repo access. Pulp (not Apache) will look in here for the CA that signed the entitlement certificate to ensure the client attempting to access the repo hasn't self-signed an entitlement in an effort to steal content. The reason this points to candlepin CAs is because it's candlepin signing the entitlement certs. My suggestion is to just leave it alone.
It's not hurting anything and I can't vouch for how happy Pulp will be if you start removing expected config values (not to mention there's an ugly half-finished mechanism in the server that will add these back with defaults if they are missing, which would be really hard to debug).
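The two relationships explained in the comment above (the [security] cacert in /etc/pulp/pulp.conf must name the same CA as SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf, and global_cert_location in /etc/pulp/repo_auth.conf must resolve, via the pulp-global-repo.ca symlink, to the CA that signs entitlement certs) can be checked mechanically. The script below is an added example for this thread, not code from katello-configure or Pulp. It builds its own throwaway copies of the three files in a temp directory, constructed to mirror the Actual and Expected results in the report, and assumes the single-line "cacert:", "SSLCACertificateFile" and "global_cert_location:" forms shown there; the function names (pulp_cacert, httpd_cacert, repo_auth_global_ca, check_pulp_ca_consistency, make_fixture) are mine.

```shell
#!/bin/sh
# Added example: cross-check the CA paths that Pulp and Apache must agree on.
# Not part of katello-configure or Pulp. Parsing is deliberately simple and
# assumes one "cacert:" line and one SSLCACertificateFile directive per file.

# Print the value of "cacert:" (or "cacert =") from a pulp.conf-style file.
pulp_cacert() {
    sed -n 's/^[[:space:]]*cacert[[:space:]]*[:=][[:space:]]*//p' "$1" | head -n 1
}

# Print the SSLCACertificateFile path from an Apache conf file.
httpd_cacert() {
    sed -n 's/^[[:space:]]*SSLCACertificateFile[[:space:]]*//p' "$1" | head -n 1
}

# Print the CA that Pulp's repo auth will trust for entitlement certs: the
# pulp-global-repo.ca symlink under global_cert_location, fully resolved.
repo_auth_global_ca() {
    dir=$(sed -n 's/^[[:space:]]*global_cert_location[[:space:]]*[:=][[:space:]]*//p' "$1" | head -n 1)
    readlink -f "$dir/pulp-global-repo.ca"
}

# Return 0 if pulp.conf and the httpd conf name the same CA file after
# resolving symlinks, 1 otherwise (both resolved paths go to stderr).
check_pulp_ca_consistency() {
    a=$(readlink -f "$(pulp_cacert "$1")" 2>/dev/null || true)
    b=$(readlink -f "$(httpd_cacert "$2")" 2>/dev/null || true)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        return 0
    fi
    echo "CA mismatch: pulp.conf -> '$a' ; httpd pulp.conf -> '$b'" >&2
    return 1
}

# Constructed fixture mirroring the report: a candlepin CA, a separate Pulp CA,
# a content dir whose pulp-global-repo.ca symlink points at the candlepin CA,
# and one httpd conf for the Actual (mismatched) and Expected (matching) case.
# The file contents are placeholders, not real certificates.
make_fixture() {
    fx=$(mktemp -d)
    printf 'constructed candlepin CA placeholder\n' > "$fx/candlepin-ca.crt"
    printf 'constructed pulp CA placeholder\n' > "$fx/pulp-ca.crt"
    mkdir "$fx/content"
    ln -s "$fx/candlepin-ca.crt" "$fx/content/pulp-global-repo.ca"
    printf '[security]\ncacert: %s/candlepin-ca.crt\n' "$fx" > "$fx/pulp.conf"
    printf 'SSLCACertificateFile %s/pulp-ca.crt\n' "$fx" > "$fx/httpd-bad.conf"
    printf 'SSLCACertificateFile %s/candlepin-ca.crt\n' "$fx" > "$fx/httpd-good.conf"
    printf '[repos]\ncert_location: %s/content\nglobal_cert_location: %s/content\n' \
        "$fx" "$fx" > "$fx/repo_auth.conf"
    echo "$fx"
}

# Stand-alone run against the fixture. On a real box the arguments would be
# /etc/pulp/pulp.conf, /etc/httpd/conf.d/pulp.conf and /etc/pulp/repo_auth.conf.
demo() {
    fx=$(make_fixture)
    check_pulp_ca_consistency "$fx/pulp.conf" "$fx/httpd-good.conf" && echo "expected conf: CAs agree"
    check_pulp_ca_consistency "$fx/pulp.conf" "$fx/httpd-bad.conf" || echo "actual conf: CAs differ"
    echo "repo_auth global CA resolves to: $(repo_auth_global_ca "$fx/repo_auth.conf")"
}
demo
```

Running it prints the mismatch for the Actual-results pair and agreement for the Expected-results pair; the last line shows that repo_auth's trust anchor is the candlepin CA, which is consistent with candlepin being the signer of entitlement certs.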
Problem with configuration of SSL CA certificate in /etc/httpd/conf.d/pulp.conf has been fixed since katello-configure-0.1.102. See bz #798454.

# cat /etc/httpd/conf.d/pulp.conf | grep SSLCACert
SSLCACertificateFile /etc/candlepin/certs/candlepin-ca.crt

According to comments above I believe /etc/pulp/repo_auth.conf does not need any adjustments.
Verified:
* candlepin-0.5.24-1.el6.noarch
* candlepin-tomcat6-0.5.24-1.el6.noarch
* katello-0.1.303-1.el6.noarch
* katello-all-0.1.303-1.el6.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.0.4-1.el6.noarch
* katello-cli-0.1.102-1.el6.noarch
* katello-cli-common-0.1.102-1.el6.noarch
* katello-common-0.1.303-1.el6.noarch
* katello-configure-0.1.104-1.el6.noarch
* katello-glue-candlepin-0.1.303-1.el6.noarch
* katello-glue-foreman-0.1.303-1.el6.noarch
* katello-glue-pulp-0.1.303-1.el6.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-0.1.8-1.el6.noarch
* pulp-1.0.0-4.el6.noarch
* pulp-common-1.0.0-4.el6.noarch
* pulp-selinux-server-1.0.0-4.el6.noarch