Thumbslug doesn't verify the CDN's SSL certificate. This is OK, because the RPMs are all signed and verified by the client, but it is not correct.
Verifying the SSL certificate of Candlepin isn't needed at all. Since we use OAuth communication, the shared secret provides us with that identity verification (in both directions).
Fixed in thumbslug master, b2f0fc7dc. Will be in thumbslug-0.0.26.

I've introduced two new config values:

ssl.ca.keystore: typically Candlepin's public PEM cert
cdn.ssl.ca.keystore: PEM to verify the CDN's cert. This is installed by default to be the one to verify our hosted CDN.
To test:

Happy path:
- set up a SAM (make sure it can talk to the CDN; you'll also need the new config values)
- register a client to the SAM, and entitle it
- yum install something. It should work.

Unverifiable client certificate:
- register a second client against a different SAM
- change that second client's baseurl to point to the first SAM
- try and install something. It should fail.

Unverifiable CDN certificate:
- set the value of cdn.host in /etc/thumbslug/thumbslug.conf to some other SSL-capable host
- try to install something on the client. You should see an HTTP 502 error.
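The three cases in the test plan above can be exercised offline with throwaway CAs. The script below is an added example, not thumbslug's own code: it models the two checks thumbslug-0.0.26 gains (a client certificate chained to the CA in ssl.ca.keystore, and the CDN's certificate chained to the CA in cdn.ssl.ca.keystore) with `openssl verify` rather than with the proxy's real TLS handshake. The CA names sam1, sam2, cdn and other, the leaf names client1, client2, cdn-host and other-host, and the ok/rejected summary line are all constructed for the illustration; thumbslug itself surfaces the failed CDN check as an HTTP 502, which is only reported as "rejected" here.

```shell
#!/bin/sh
# Added example (not thumbslug's own code): model the certificate checks
# thumbslug-0.0.26 adds, using throwaway CAs built with the openssl CLI.
#   ssl.ca.keystore     -> the CA a client cert must chain to (sam1-ca.pem here)
#   cdn.ssl.ca.keystore -> the CA the CDN's cert must chain to (cdn-ca.pem here)
# All CA and leaf names below are constructed for the illustration.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and cert, standing in for a keystore PEM
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
    -subj "/CN=$1 CA" >/dev/null 2>&1
}

# issue NAME CA: leaf cert NAME signed by CA (a client cert or a CDN host cert)
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$2-ca.pem" -CAkey "$WORK/$2-ca.key" -CAcreateserial \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_against CA LEAF: chain LEAF to CA the way the proxy would, printing
# "ok" or "rejected". Always returns 0 so it is safe inside $(...) under set -e.
verify_against() {
  if openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Two SAMs with distinct CAs, the hosted CDN's CA, and an unrelated CA
make_ca sam1; make_ca sam2; make_ca cdn; make_ca other
issue client1 sam1        # client registered to the first SAM
issue client2 sam2        # client registered to a different SAM
issue cdn-host cdn        # the real CDN's server cert
issue other-host other    # "some other SSL-capable host" from the test plan

# The first SAM trusts sam1-ca.pem (ssl.ca.keystore) and cdn-ca.pem
# (cdn.ssl.ca.keystore). A client from the other SAM and a CDN cert from an
# unknown CA must both be rejected; thumbslug turns the latter into a 502.
SUMMARY="client1:$(verify_against sam1 client1) client2:$(verify_against sam1 client2) cdn-host:$(verify_against cdn cdn-host) other-host:$(verify_against cdn other-host)"
echo "$SUMMARY"
```

Pointing `verify_against` at the second SAM's CA instead (sam2 with client2) succeeds, which is the same reason the test plan has you retarget client2's baseurl at the first SAM: the certificate is valid, just not for that proxy's trust store.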
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0544.html