Description of problem:
Using an intermediate CA to sign the identity certificate and the entitlement certificates ends up in an authentication error during repo sync: the CDS servers are not able to authenticate against the RHUA for the repo sync between CDS and RHUA.

Version-Release number of selected component (if applicable):
RHUI Infrastructure Release 2.0.2

How reproducible:
1. Create an intermediate CA and configure it as the new identity certificate.
2. Try to sync a CDS server. It reports that the synchronization fails, and the logs show an HTTP 401 error code.

The CA was created as follows:

#> openssl x509 -req -days 365 -in signed_ca-intermediate.csr -CA signing_ca.crt -CAkey signing_ca.key -extfile ext.cnf -extensions v3_req -out signed_ca-intermediate.crt
#> cat ext.cnf
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Actual results:

rhua#> cat /var/log/httpd/ssl_access_log
[...]
<ip_addr> - /CN=Red Hat Update Infrastructure [07/Aug/2012:15:43:54 +0200] "GET //pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/optional/os/repodata/repomd.xml HTTP/1.1" 401 493
[...]

Expected results:

rhua#> cat /var/log/httpd/ssl_access_log
[...]
<ip_addr> - /CN=Red Hat Update Infrastructure [07/Aug/2012:15:40:11 +0200] "GET //pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/optional/os/repodata/repomd.xml HTTP/1.1" 200 3579
[...]

Additional logs from the CDS client:

cds#> cat /var/log/pulp-cds/gofer.log
[...]
2012-08-07 15:43:54,205 [DEBUG][worker-0] _sync_repo() @ cdslib.py:331 - Configuring repository for authentication
2012-08-07 15:43:54,954 [ERROR][worker-0] sync() @ cdslib.py:181 - Error performing repo sync
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pulp/cds/cdslib.py", line 178, in sync
    self._sync_repo(base_url, repo)
  File "/usr/lib/python2.6/site-packages/pulp/cds/cdslib.py", line 359, in _sync_repo
    fetch.fetchYumRepo(repo_path, verify_options=verify_options)
  File "/usr/lib/python2.6/site-packages/grinder/RepoFetch.py", line 144, in fetchYumRepo
    self.setupYumInfo()
  File "/usr/lib/python2.6/site-packages/grinder/RepoFetch.py", line 108, in setupYumInfo
    info.setUp()
  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 343, in setUp
    skip=self.skip)
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 82, in __call__
    return self.object(self, *args, **kwargs)
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 267, in __call__
    return self.__call(method, args, kwargs)
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 243, in __call
    return self.__rmi(method.name, args, kwargs)
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 136, in __rmi
    raise Exception(ex)
Exception: Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/grinder/activeobject.py", line 429, in process
    retval = method(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 96, in getDownloadItems
    self.__getRepoData()
  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 169, in __getRepoData
    for ftype in self.__getRepoXmlFileTypes():
  File "/usr/lib/python2.6/site-packages/grinder/YumInfo.py", line 156, in __getRepoXmlFileTypes
    return self.repo.repoXML.fileTypes()
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1454, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1450, in _getRepoXML
    raise Errors.RepoError, msg
RepoError: Cannot retrieve repository metadata (repomd.xml) for repository: . Please verify its path and try again
[...]
An intermediate self-signed CA doesn't make much sense. I used the openssl example only to test and reproduce the issue. In a normal production environment we have an intermediate CA, signed by a real root CA. The behavior is the same with a self-signed and a real CA.
I do not see this as being fixed in the short term. I am closing this out.
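As an added check, not part of the bug report or of RHUI, the script below rebuilds the chain the report describes (root CA, intermediate CA, identity certificate) and runs openssl verify against a trust store holding only the root, once with the report's ext.cnf keyUsage verbatim and once with keyCertSign added, and once with and once without the intermediate supplied alongside the identity certificate. All subjects, file names and the working directory are constructed for this test.

```shell
# Added example, not part of the bug report or of RHUI: rebuild the chain the report
# describes (root CA -> intermediate CA -> identity cert) and let OpenSSL validate it
# the way a server with a root-only trust store would. Names and paths are constructed.

# build_chain DIR KEYUSAGE: write a self-contained OpenSSL config, then create root.crt,
# inter.crt (CA:TRUE with the given keyUsage, like the report's ext.cnf) and id.crt in DIR.
build_chain() {
  dir=$1; ku=$2
  mkdir -p "$dir"
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\n' > "$dir/req.cnf"
  printf 'keyUsage = keyCertSign, cRLSign\n[ v3_req ]\nbasicConstraints = CA:TRUE\nkeyUsage = %s\n' "$ku" >> "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/req.cnf" -extensions v3_req -out "$dir/inter.crt" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Identity" -keyout "$dir/id.key" -out "$dir/id.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/id.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -out "$dir/id.crt" 2>/dev/null
}

# verify_leaf DIR WITH_INTER: validate id.crt against a trust store holding only root.crt.
# WITH_INTER=yes also supplies inter.crt as an untrusted chain certificate, which is what
# the client has to present alongside its identity certificate. Prints ok or fail.
verify_leaf() {
  dir=$1
  if [ "$2" = yes ]; then set -- -untrusted "$dir/inter.crt"; else set --; fi
  if openssl verify -CAfile "$dir/root.crt" "$@" "$dir/id.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# keyUsage exactly as in the report's ext.cnf: no keyCertSign.
REPORT_KU="nonRepudiation, digitalSignature, keyEncipherment"
# The same extension with keyCertSign added, which a certificate-signing CA needs.
FIXED_KU="keyCertSign, cRLSign, digitalSignature"

WORK=$(mktemp -d)
build_chain "$WORK/report" "$REPORT_KU"
build_chain "$WORK/fixed" "$FIXED_KU"

check_report_leaf_alone() { verify_leaf "$WORK/report" no; }   # fail: intermediate not presented
check_report_with_inter() { verify_leaf "$WORK/report" yes; }  # fail: intermediate lacks keyCertSign
check_fixed_leaf_alone()  { verify_leaf "$WORK/fixed" no; }    # fail: intermediate not presented
check_fixed_with_inter()  { verify_leaf "$WORK/fixed" yes; }   # ok: complete chain, CA allowed to sign
```

Only the last combination validates: the server side needs the intermediate in the presented chain (or in its own trust store), and the intermediate's keyUsage has to permit certificate signing.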