Bug 848329 - Repo authentication fails with intermediate CA
Repo authentication fails with intermediate CA
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: RHUA (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: 2.1.x
Assigned To: James Slagle
: Triaged
Depends On:
  Show dependency treegraph
Reported: 2012-08-15 05:36 EDT by Mathias Herzog
Modified: 2017-09-06 12:06 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-09-06 12:06:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mathias Herzog 2012-08-15 05:36:37 EDT
Description of problem:
Using an intermediate  CA to sign the identity certificate and entitlement certificates will end-up in an authentication error during Repo Sync. CDS Servers are not able to authenticate for repo sync between cds and rhua.

Version-Release number of selected component (if applicable):
RHUI Infrastructure Release 2.0.2

How reproducible:
1. Create an intermediate CA and configure it as new identity certificate
2. Try to sync a CDS server. It will tell that synchronization fails and in the logs there is a http 401 Error code

i.e. create the CA as follows:
#> openssl x509 -req -days 365 -in signed_ca-intermediate.csr -CA signing_ca.crt -CAkey signing_ca.key  -extfile ext.cnf -extensions v3_req -out signed_ca-intermediate.crt

#> cat ext.cnf
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Actual results:
rhua#> cat /var/log/httpd/ssl_access_log
<ip_addr> - /CN=Red Hat Update Infrastructure [07/Aug/2012:15:43:54 +0200] "GET //pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/optional/os/repodata/repomd.xml HTTP/1.1" 401 493

Expected results:
rhua#> cat /var/log/httpd/ssl_access_log
<ip_addr> - /CN=Red Hat Update Infrastructure [07/Aug/2012:15:40:11 +0200] "GET //pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/optional/os/repodata/repomd.xml HTTP/1.1" 200 3579

Additional Logs from CDS client
cds#> cat /var/log/pulp-cds/gofer.log
2012-08-07 15:43:54,205 [DEBUG][worker-0] _sync_repo() @ cdslib.py:331 - Configuring repository for authentication
2012-08-07 15:43:54,954 [ERROR][worker-0] sync() @ cdslib.py:181 - Error performing repo sync
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pulp/cds/cdslib.py", line 178, in sync
    self._sync_repo(base_url, repo)
  File "/usr/lib/python2.6/site-packages/pulp/cds/cdslib.py", line 359, in _sync_repo
    fetch.fetchYumRepo(repo_path, verify_options=verify_options)
  File "/usr/lib/python2.6/site-packages/grinder/RepoFetch.py", line 144, in fetchYumRepo
  File "/usr/lib/python2.6/site-packages/grinder/RepoFetch.py", line 108, in setupYumInfo
  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 343, in setUp
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 82, in __call__
    return self.object(self, *args, **kwargs)
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 267, in __call__
    return self.__call(method, args, kwargs)
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 243, in __call
    return self.__rmi(method.name, args, kwargs)
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 136, in __rmi
    raise Exception(ex)
Exception: Traceback (most recent call last):

  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 429, in process
    retval = method(*args, **kwargs)

  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 96, in getDownloadItems

  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 169, in __getRepoData
    for ftype in self.__getRepoXmlFileTypes():

  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 156, in __getRepoXmlFileTypes
    return self.repo.repoXML.fileTypes()

  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1454, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),

  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1450, in _getRepoXML
    raise Errors.RepoError, msg

RepoError: Cannot retrieve repository metadata (repomd.xml) for repository: . Please verify its path and try again
Comment 1 Mathias Herzog 2012-08-15 09:24:44 EDT
An intermediate self-signed CA doesn't make much sense. I used the openssl example only to test and reproduce the issue. In normal production environment we have an intermediate CA, signed by a real root CA. 
The behavior is the same with self-signed and real CA.
Comment 5 Bryan Kearney 2017-09-06 12:06:14 EDT
I do not see this as being fixed in the short term. I am closing this out.

Note You need to log in before you can comment on or make changes to this bug.