Bug 800098 - Pulp certificate configuration inconsistent
Summary: Pulp certificate configuration inconsistent
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Martin Bacovsky
QA Contact: Og Maciel
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-05 18:10 UTC by James Laska
Modified: 2019-09-26 15:54 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 18:30:27 UTC
Target Upstream Version:
Embargoed:



Description James Laska 2012-03-05 18:10:45 UTC
Description of problem:

After installing katello-all and running katello-configure, pulp repos are not setup for proper certificate access.  For example, /etc/pulp/pulp.conf and /etc/httpd/conf.d/pulp.conf differ on the certificate used.

Version-Release number of selected component (if applicable):
 * candlepin-0.5.23-1.el6.src.rpm
 * katello-0.1.301-2.el6.src.rpm
 * katello-candlepin-cert-key-pair-1.0-1.src.rpm
 * katello-certs-tools-1.0.3-1.el6.src.rpm
 * katello-cli-0.1.100-2.el6.src.rpm
 * katello-configure-0.1.101-1.el6.src.rpm
 * katello-qpid-broker-key-pair-1.0-1.src.rpm
 * katello-qpid-client-key-pair-1.0-1.src.rpm
 * katello-selinux-0.1.8-1.el6.src.rpm
 * pulp-1.0.0-4.el6.src.rpm

How reproducible:
 * easy


Steps to Reproduce:
1. Install katello-all
2. Run katello-configure
3. Examine different cert configurations in ...
   /etc/pulp/pulp.conf
   /etc/httpd/conf.d/pulp.conf
   /etc/pulp/repo_auth.conf


Actual results:

== /etc/pulp/pulp.conf ==
> [security]
> cacert:  /etc/candlepin/certs/candlepin-ca.crt

== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/pki/pulp/ca.crt

== /etc/pulp/repo_auth.conf  ==
> [repos]
> cert_location: /etc/pki/pulp/content
> global_cert_location: /etc/pki/pulp/content

> # ls -l /etc/pki/pulp/content/7e764a0e.r0 /etc/pki/pulp/content/pulp-global-repo.ca
> lrwxrwxrwx. 1 root root 36 Mar  2 07:20 /etc/pki/pulp/content/7e764a0e.r0 -> /var/lib/candlepin/candlepin-crl.crl
> lrwxrwxrwx. 1 root root 37 Mar  2 07:20 /etc/pki/pulp/content/pulp-global-repo.ca -> /etc/candlepin/certs/candlepin-ca.crt


Expected results:

 * At the least, /etc/pulp/pulp.conf and /etc/httpd/conf.d/pulp.conf should point to the *same* certificate.

== /etc/pulp/pulp.conf ==
> [security]
> cacert:  /etc/candlepin/certs/candlepin-ca.crt

== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/candlepin/certs/candlepin-ca.crt

 * I'm not sure if any adjustments are needed for repo_auth.conf

Additional info:

Comment 1 Lukas Zapletal 2012-03-06 17:45:35 UTC
So there is no error message there. Just to clean it a bit. It's apparently unused.

Comment 2 Jay Dobies 2012-03-07 19:24:20 UTC
These are all used and, from what I can tell, correctly set. I'll break it down by entry above:


== /etc/pulp/pulp.conf ==
> [security]
> cacert:  /etc/candlepin/certs/candlepin-ca.crt

From the pulp.conf itself:
# full path to the CA certificate that will be used to sign
# consumer and admin identification certificates.  This MUST match
# the value of SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf

The reason it must match is because Pulp creates the admin/consumer certificates and signs them with that CA, whereas Apache verifies them when they are used. If in Katello Pulp isn't creating any certificates, this specific entry probably isn't used. But I wouldn't go hacking away at Pulp's conf file; there may still be integrity checks on Pulp's config that require it to be present.



== /etc/httpd/conf.d/pulp.conf ==
> SSLCACertificateFile /etc/pki/pulp/ca.crt

See above explanation. This is the Apache side of it.



== /etc/pulp/repo_auth.conf  ==
> [repos]
> cert_location: /etc/pki/pulp/content
> global_cert_location: /etc/pki/pulp/content

> # ls -l /etc/pki/pulp/content/7e764a0e.r0 /etc/pki/pulp/content/pulp-global-repo.ca
> lrwxrwxrwx. 1 root root 36 Mar  2 07:20 /etc/pki/pulp/content/7e764a0e.r0 -> /var/lib/candlepin/candlepin-crl.crl
> lrwxrwxrwx. 1 root root 37 Mar  2 07:20 /etc/pki/pulp/content/pulp-global-repo.ca -> /etc/candlepin/certs/candlepin-ca.crt

The above two sections referred to consumer/admin user certificates into Pulp's REST APIs. This section refers to the entitlement certificates used for repo access. Pulp (not Apache) will look in here for the CA that signed the entitlement certificate to ensure the client attempting to access the repo hasn't self-signed an entitlement in an effort to steal content.

The reason this points to candlepin CAs is because it's candlepin signing the entitlement certs.


My suggestion is to just leave it alone. It's not hurting anything and I can't vouch for how happy Pulp will be if you start removing expected config values (not to mention there's an ugly half-finished mechanism in the server that will add these back with defaults if they are missing, which would be really hard to debug).
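As an added example (not part of the bug report, nor Katello or Pulp code), a shell drift check for the two settings comment 2 says must agree: the CA Pulp signs consumer/admin certificates with and the CA Apache verifies them against. The sample config files, CA file contents and temp-dir paths it builds are constructed; on a real host the two real config paths would be passed instead.

```shell
#!/bin/sh
# Added example: verify that [security] cacert in pulp.conf and
# SSLCACertificateFile in the Apache pulp.conf name the same CA. Paths are
# arguments so the check also runs on the constructed configs from demo_setup.

# Print the 'cacert' value from the [security] section of a pulp.conf.
pulp_cacert() {
    sed -n '/^\[security\]/,/^\[/{ s/^cacert[[:space:]]*[:=][[:space:]]*//p; }' "$1" | head -n 1
}

# Print the SSLCACertificateFile path from an Apache configuration file.
httpd_cacert() {
    awk '$1 == "SSLCACertificateFile" { print $2; exit }' "$1"
}

# Exit 0 if both settings name the same CA, 1 on a mismatch, 2 if one is missing.
# Existing files are compared by content, so a symlink to the same CA still passes.
check_pulp_ca() {
    pulp_ca="$(pulp_cacert "$1")"
    httpd_ca="$(httpd_cacert "$2")"
    if [ -z "$pulp_ca" ] || [ -z "$httpd_ca" ]; then
        echo "missing cacert or SSLCACertificateFile setting" >&2
        return 2
    fi
    if [ -f "$pulp_ca" ] && [ -f "$httpd_ca" ]; then
        cmp -s "$pulp_ca" "$httpd_ca" && return 0
    elif [ "$pulp_ca" = "$httpd_ca" ]; then
        return 0
    fi
    echo "MISMATCH: pulp.conf cacert=$pulp_ca httpd SSLCACertificateFile=$httpd_ca" >&2
    return 1
}

# Build constructed sample configs mirroring the report's "Actual results"
# (CA paths differ) and "Expected results" (same CA) under a temp dir.
demo_setup() {
    d="$(mktemp -d)"
    mkdir -p "$d/candlepin" "$d/pulp"
    echo "constructed candlepin CA" > "$d/candlepin/candlepin-ca.crt"
    echo "constructed pulp CA" > "$d/pulp/ca.crt"
    printf '[server]\nhost: localhost\n\n[security]\ncacert:  %s\n' \
        "$d/candlepin/candlepin-ca.crt" > "$d/pulp.conf"
    printf 'SSLCACertificateFile %s\n' "$d/pulp/ca.crt" > "$d/httpd-actual.conf"
    printf 'SSLCACertificateFile %s\n' "$d/candlepin/candlepin-ca.crt" > "$d/httpd-expected.conf"
    echo "$d"
}

demo_dir="$(demo_setup)"
check_pulp_ca "$demo_dir/pulp.conf" "$demo_dir/httpd-actual.conf" || echo "actual results: drift detected (exit $?)"
check_pulp_ca "$demo_dir/pulp.conf" "$demo_dir/httpd-expected.conf" && echo "expected results: consistent"
```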

Comment 3 Martin Bacovsky 2012-03-14 14:26:25 UTC
The problem with the configuration of the SSL CA certificate in /etc/httpd/conf.d/pulp.conf has been fixed since katello-configure-0.1.102.

See bz #798454.

# cat /etc/httpd/conf.d/pulp.conf |grep SSLCACert
SSLCACertificateFile /etc/candlepin/certs/candlepin-ca.crt

According to the comments above, I believe /etc/pulp/repo_auth.conf does not need any adjustments.

Comment 4 Og Maciel 2012-03-14 14:56:26 UTC
Verified:
* candlepin-0.5.24-1.el6.noarch
* candlepin-tomcat6-0.5.24-1.el6.noarch
* katello-0.1.303-1.el6.noarch
* katello-all-0.1.303-1.el6.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.0.4-1.el6.noarch
* katello-cli-0.1.102-1.el6.noarch
* katello-cli-common-0.1.102-1.el6.noarch
* katello-common-0.1.303-1.el6.noarch
* katello-configure-0.1.104-1.el6.noarch
* katello-glue-candlepin-0.1.303-1.el6.noarch
* katello-glue-foreman-0.1.303-1.el6.noarch
* katello-glue-pulp-0.1.303-1.el6.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-0.1.8-1.el6.noarch
* pulp-1.0.0-4.el6.noarch
* pulp-common-1.0.0-4.el6.noarch
* pulp-selinux-server-1.0.0-4.el6.noarch

