Bug 878049 - spacewalk-repo-sync doesn't work over SSL & IPv6 correctly
Summary: spacewalk-repo-sync doesn't work over SSL & IPv6 correctly
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Satellite Synchronization
Version: 550
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On: 739625 742914 761596
Blocks: spaceIPv6
TreeView+ depends on / blocked
 
Reported: 2012-11-19 14:46 UTC by Lukas Pramuk
Modified: 2015-05-29 20:12 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 739625
Environment:
Last Closed: 2015-05-29 20:12:13 UTC


Attachments (Terms of Use)

Comment 1 Lukas Pramuk 2012-11-19 15:24:06 UTC
Description of problem:
spacewalk-repo-sync cannot connect over https +IPv6 [BAD], however:
spacewalk-repo-sync over https + IPv4 [OK]
spacewalk-repo-sync over http + IPv6 [OK]
curl over https +IPv6 [OK] 

Version-Release number of selected component (if applicable):
spacewalk-backend-tools-1.7.38-31.el6sat.noarch
spacewalk-backend-1.7.38-31.el6sat.noarch
m2crypto-0.20.2-9.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. prepare ipv6-only kvm guest
2. @guest: create some simple repo, start httpd to publish the repo via http(s)
3. @host: run spacewalk-repo-sync -c myrepo -u https://kvm/myrepo with traceback
  
Actual results:
traceback, no connection 

Expected results:
successfull connection

Additional info:

# curl -k https://kvm/myrepo/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
...

# spacewalk-repo-sync -c myrepo -u http://kvm/myrepo/
Repo URL: http://kvm/myrepo/
Packages in repo:                 4
Packages already synced:          0
Packages to sync:                 4
1/4 : NetworkManager-openswan-0.8.0-8.el6-0.x86_64
2/4 : NetworkManager-glib-0.8.1-33.el6-1.x86_64
3/4 : NetworkManager-gnome-0.8.1-33.el6-1.x86_64
4/4 : NetworkManager-0.8.1-33.el6-1.x86_64
Repo http://kvm/myrepo/ has 0 errata.
Sync completed.
Total time: 0:00:24

# spacewalk-repo-sync -c myrepo -u https://kvm/myrepo/
Traceback (most recent call last):
  File "/usr/bin/spacewalk-repo-sync", line 100, in <module>
    sys.exit(abs(main() or 0))
  File "/usr/bin/spacewalk-repo-sync", line 93, in main
    sync.sync()
  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/reposync.py", line 100, in sync
    self.import_packages(plugin, repo_id, url)
  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/reposync.py", line 305, in import_packages
    packages = plug.list_packages(filters)
  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/repo_plugins/yum_src.py", line 151, in list_packages
    self.sack.populate(self.repo, 'metadata', None, 0)
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 165, in populate
    if self._check_db_version(repo, mydbtype):
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 223, in _check_db_version
    return repo._check_db_version(mdtype)
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1256, in _check_db_version
    repoXML = self.repoXML
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1455, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1451, in _getRepoXML
    raise Errors.RepoError, msg
yum.Errors.RepoError: Cannot retrieve repository metadata (repomd.xml) for repository: myrepo. Please verify its path and try again

Comment 3 Milan Zázrivec 2012-11-22 16:00:32 UTC
What's happening here is that if you're repo-syncing over https (SSL),
pycurl (which is what repo-sync -> yum libs -> urlgrabber use) returns
the following error:

'Peer certificate cannot be authenticated with known CA certificates'

This error is not properly propagated to spacewalk-repo-sync, or -- if you
will -- is being propagated to the user as the traceback shown above.

This problem can be fixed with the fix contained in bug #807000 and you'll be
able to put the following into your /etc/rhn/spacewalk-repo-sync/yum.conf:

[main]
...

[myrepo]
name=myrepo
sslverify=False

I think this still needs to be investigated closer (there's perhaps
a better solution / fix to the problem here).


Note You need to log in before you can comment on or make changes to this bug.