On Tue, 2011-07-26 at 16:55 -0700, Amol Chiplunkar wrote:
> On 07/25/11 10:31, Erik Trauschke wrote: 
> > On Sat, 2011-07-23 at 11:16 -0700, Amol Chiplunkar wrote:
> > --8<--
> >   
> > > Can that verification happen even through the remote proxy ?
> > > I presume yes, and the cert has to be configured at the actual IPS 
> > > repository level.
> > > Is that right ?
> > >     
> > 
> > No, if you run the depot behind apache you'd have to do the SSL
> > verification in apache. Apache then proxies request to the depot in
> > http.
> >   
> Right.
> How do I get the pkg to use the Apache cert ? 
> 
> Here is what I tried:
> openssl s_client -connect <myhost>:<myport> 
> Copy pasted the cert and made sure it matches the one on the web
> server side.
> 
> Then copied it to /etc/certs/CA
> Created a symlink pointing to it with hash value
> inside /etc/openssl/certs
> 
> But it still says 
> Unable to contact valid package repository
> Encountered the following error(s):
> Unable to contact any configured publishers.
> This is likely a network configuration problem.
> Framework error: code: 60 reason: SSL certificate problem, verify that
> the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> URL: 'https://xvm-4150-9:8002/IPS'.

Ok, you have to make sure that you are not mixing up CA certificates
here. You are going to have two CA certificates. One, in /etc/openssl, which
can verify the server's cert (SSLCertificateFile). And another one which
can verify the certificate the client presents to the server
(SSLCACertificateFile).

So I'm not entirely sure what exactly you are doing here. Can you give
me a breakdown on which certificates you are using and where? Also, are
you using a self-signed cert as your apache server cert?

Erik

> > So you'd create a httpd.conf like this:
> > ---
> > SSLEngine On
> > 
> > # Cert paths
> > SSLCertificateFile /path/to/apache2/certs/server.crt
> > SSLCertificateKeyFile /path/to/apache2/certs/server.key
> > 
> > # intermediate CA cert
> > SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
> > 
> > # CA certs for client verification (concatenated in one file) 
> > SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
> > 
> > # CRL (optional)
> > SSLCARevocationFile /path/to/apache2/certs/crl.pem
> > 
> > <Location /private>
> >         SSLVerifyClient require
> >         SSLVerifyDepth 1
> >     # example: only certs with subject [email protected] are allowed
> >         SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
> >         ProxyPass http://depot_server:12345 nocanon max=500
> > </Location>
> > ---
> > 
> > Erik
> > 
> >   
> > > Thanks
> > > Amol
> > > 
> > >     
> > > > Brock
> > > > 
> > > >       
> > > > > However, I would now expect
> > > > > pkg set-publisher -G '*' -g https://Host:<secure http port>   solaris
> > > > > to work !
> > > > > But it errors out saying
> > > > > Framework error: code: 35 reason: error:140770FC:SSL 
> > > > > routines:SSL23_GET_SERVER_HELLO:unknown protocol
> > > > > 
> > > > > Wondering if it's the right set of commands ?
> > > > > Is the approved-ca-cert meant to work with a reverse proxy in the 
> > > > > first place ??
> > > > > Because looking at the doc, it seems the cert has to be configured 
> > > > > with the actual IPS repo.
> > > > > 
> > > > > 
> > > > > please suggest
> > > > > 
> > > > > thx
> > > > > - Amol
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >         
> > > > > > Erik
> > > > > > 
> > > > > > 
> > > > > >           
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: 
> > > > > > > HTTP:
> > > > > > > canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] 
> > > > > > > proxy:
> > > > > > > http: found worker http://oc-4200m2-42:11000/IPS for
> > > > > > > http://oc-4200m2-42:11000/IPSversions/0/
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running 
> > > > > > > scheme http
> > > > > > > handler (attempt 0)
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: 
> > > > > > > HTTP:
> > > > > > > serving URL http://oc-4200m2-42:11000/IPSversions/0/
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: 
> > > > > > > HTTP: has
> > > > > > > acquired connection for (oc-4200m2-42)
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: 
> > > > > > > connecting
> > > > > > > http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: 
> > > > > > > connected
> > > > > > > /IPSversions/0/ to oc-4200m2-42:11000
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: 
> > > > > > > HTTP: fam
> > > > > > > 2 socket created to connect to oc-4200m2-42
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: 
> > > > > > > HTTP:
> > > > > > > connection complete to X.X.X.X:11000 (oc-4200m2-42)
> > > > > > > [Mon Jul 18 17:24:01 2011] [error] an unknown filter was not 
> > > > > > > added: DEFLATE
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: 
> > > > > > > start
> > > > > > > body send
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: 
> > > > > > > end
> > > > > > > body send
> > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: 
> > > > > > > HTTP: has
> > > > > > > released connection for (oc-4200m2-42)
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > _______________________________________________
> > > > > > > pkg-discuss mailing list
> > > > > > > [email protected]
> > > > > > > http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
> > > > > > >             