Hello list,

I spent the last day figuring out how I could use Pulp 1.1 with a sub-CA. We can't use a self-signed CA due to corporate policy reasons.

Pulp with a self-signed CA is a piece of cake, but I couldn't get client authentication with a sub-CA working. Some details on my setup:

1. Pulp 1.1 on RHEL 6 64-bit

2. Certificate files used
   - root-ca.crt (self-signed)
   - pulp-ca.crt (signed by root-ca), pulp-ca.key (not encrypted)
   - pulp.crt (signed by root-ca.crt), pulp.key (not encrypted)

3. Configuration files (paths omitted)

   /etc/pulp/pulp.conf:
     [security]
     cacert: pulp-ca.crt
     cakey: pulp-ca.key
     ssl_ca_certificate: root-ca.crt

   /etc/httpd/conf.d/pulp.conf:
     SSLCACertificateFile pulp-ca.crt

   /etc/httpd/conf.d/ssl.conf:
     SSLCertificateFile pulp.crt
     SSLCertificateKeyFile pulp.key
     SSLCACertificateFile pulp-ca.crt

The problem is the client authentication; basic HTTP authentication works fine. In the client.log I get:

  2012-09-15 18:03:36,458 [ERROR][MainThread] main() @ command.py:228 - error: (None, 'sslv3 alert bad certificate', None)

In /var/log/httpd/ssl_error_log:

  [Sat Sep 15 21:22:17 2012] [error] [client] Certificate Verification: Error (20): unable to get local issuer certificate
  [Sat Sep 15 21:22:17 2012] [error] [client] Re-negotiation handshake failed: Not accepted by client!?

Before spending more and more time on the issue, I'd like to ask if someone knows for sure whether it's possible or not with Pulp 1.1. Any hints are welcome.

I've noticed it's not possible to specify a passphrase for the keys; is it planned to include that in 2.0?

Thanks for reading.

Regards,
-ap

_______________________________________________
Pulp-list mailing list
https://www.redhat.com/mailman/listinfo/pulp-list
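The following is an added example from the editor, not code from the post or from the Pulp project, and it makes no claim about what Pulp 1.1 itself supports. It reproduces with plain openssl what mod_ssl's "Error (20): unable to get local issuer certificate" means: the verifier was handed a certificate whose issuer is not in the trust file it was given at all. It builds a root CA, a sub-CA and a client certificate (file names mirror the post, subject names and the temp directory are made up for the example) and verifies the client certificate against three different CA files, so a reader can see which combination yields error 20, which yields error 2 ("unable to get issuer certificate", chain stops at a sub-CA that is not self-signed), and which verifies. The practitioner's check it suggests: run `openssl x509 -in <client cert> -noout -issuer` on the certificate the client actually presents, and make sure that issuer and every CA above it up to the self-signed root are concatenated into the file mod_ssl loads via SSLCACertificateFile (the directive accepts a bundle of concatenated PEM certificates).

```shell
#!/bin/sh
# Added example (not from the post or from Pulp): reproduce OpenSSL's
# chain-verification errors for a sub-CA setup and show what the CA file
# must contain. Needs only the openssl CLI; everything is generated fresh
# in a temp directory, and all names below are made up for the example.
set -eu

# Build root CA -> sub-CA -> client cert; print the directory they live in.
# Runs in a subshell so the cd does not leak into the caller.
build_chain() (
  work=$(mktemp -d)
  cd "$work"
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
  # root-ca: self-signed trust anchor
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config ext.cnf -extensions ca_ext -subj "/CN=Example Root CA" \
    -keyout root-ca.key -out root-ca.crt >/dev/null 2>&1
  # pulp-ca: sub-CA signed by root-ca
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
    -subj "/CN=Example Pulp Sub-CA" -keyout pulp-ca.key -out pulp-ca.csr >/dev/null 2>&1
  openssl x509 -req -in pulp-ca.csr -CA root-ca.crt -CAkey root-ca.key \
    -CAcreateserial -days 30 -sha256 -extfile ext.cnf -extensions ca_ext \
    -out pulp-ca.crt >/dev/null 2>&1
  # client cert: issued by the sub-CA, i.e. what a client would present
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
    -subj "/CN=pulp-client" -keyout client.key -out client.csr >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA pulp-ca.crt -CAkey pulp-ca.key \
    -CAcreateserial -days 30 -sha256 -extfile ext.cnf -extensions leaf_ext \
    -out client.crt >/dev/null 2>&1
  # chain.crt: sub-CA plus root, the shape an SSLCACertificateFile needs here
  cat pulp-ca.crt root-ca.crt > chain.crt
  echo "$work"
)

# Print the X509_V_ERR number that `openssl verify -CAfile $1 $2` reports
# (0 = chain verified). Parsed from the output rather than the exit status,
# because older openssl releases exited 0 even on a failed verification.
verify_err() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

main() {
  dir=$(build_chain)
  # Issuer of the client cert (pulp-ca) missing from the CA file: error 20,
  # "unable to get local issuer certificate", the code in the ssl_error_log.
  echo "root-ca only:   error $(verify_err "$dir/root-ca.crt" "$dir/client.crt")"
  # Only the sub-CA present, so the chain never reaches a self-signed root:
  # error 2, "unable to get issuer certificate", reported at depth 1.
  echo "pulp-ca only:   error $(verify_err "$dir/pulp-ca.crt" "$dir/client.crt")"
  # Sub-CA and root concatenated: 0, the chain verifies.
  echo "pulp-ca + root: error $(verify_err "$dir/chain.crt" "$dir/client.crt")"
  rm -rf "$dir"
}

main
```

Error 20 versus error 2 is the useful distinction when reading a mod_ssl log: 20 says the verifier found nothing at all that issued the certificate in front of it, so the first thing to compare is the client certificate's issuer DN against the CAs actually present in the file named by SSLCACertificateFile; 2 says the issuer was found but the chain above it could not be completed to a self-signed root.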
