Update - after studying the packet captures, I noticed that all the failures (both Pulp2.3 and openssl s_client) were when TLS 1.2 was used. When I forced s_client to use TLS 1.0 or 1.1, the SSL handshake succeeded.
Is there a way to force Pulp to use TLS 1.0? On Mon, Mar 10, 2014 at 4:14 PM, Christina Plummer <[email protected]>wrote: > We do go through a proxy, but authentication is not required on port 443. > Both servers are on the same subnet. > > Pulp-2.1.3-server: > * RHEL 6.5 x86_64 > * yum to cdn.redhat.com works > * curl to cdn.redhat.com works > * Pulp to cdn.redhat.com works > > Pulp-2.3.1-server: > * RHEL 6.5 x86_64 > * yum to cdn.redhat.com works > * curl to cdn.redhat.com works > * Pulp to cdn.redhat.com fails > > (I couldn't get openssl s_client to work on either one, but I think that > is probably user error or otherwise irrelevant) > > I did packet captures on both servers while running "pulp rpm repo sync > run". > On the 2.3.1 server, the SSL Client Hello does not include a Server Name, > and is followed by a RST. > On the 2.1.3 server, the SSL Client Hello includes a Server Name of > cdn.redhat.com, and is followed by a SSL Server Hello and the rest of the > process proceeds as expected. > > So... why is the 2.3.1 not sending a Server Name is its SSL Client Hello? > > Thanks, > Christina > > > > On Sat, Mar 8, 2014 at 12:54 AM, Steven Roberts <[email protected]>wrote: > >> I sort of recall having a similar cert issue around the same time I >> upgraded to 2.3 but we had two external issues: >> - our accounting group decided to change our RH account so we had to get >> new entitlement certs >> - a proxy had been added to out outbound connection causing a server >> cert issue. >> >> are you behind a proxy? thinking maybe doing a 'openssl s_client' >> to get the cert to confirm it is the one you are expecting... >> >> that socket reset sounds like one side isn't liking the SSL >> negotiation which could be a client or server issue. >> >> I would check the ssl side of things, you could also tcpdump/tshark >> the connection to see if one side is raising an ssl error... >> >> Steve >> >> On Fri, Mar 07, 2014 at 09:00:51PM -0500, Christina Plummer wrote: >> > Hi Steve, >> > Both the 2.1 and 2.3 Pulp servers are running RHEL 6.5. >> > >> > Thanks, >> > Christina >> > >> > Sent from mobile >> > >> > > On Mar 7, 2014, at 8:28 PM, Steven Roberts <[email protected]> >> wrote: >> > > >> > > what os,arch are you running your pulp server on? >> > > >> > > I am on a RHEL 6 (64bit) box with pulp 2.3.1-1 package and my sync's >> > > of RH CDN are working. >> > > >> > > I have feed-cert and feed-key (both set to the same .pem I downloaded >> > > from RH using the instructions in the pulp guide). >> > > >> > > I did just look and I am setting the feed-ca-cert to a redhat-uep.pem >> > > (and I also have skipping of DRPMS as we don't use them in our env) >> > > >> > > Steve >> > > >> > >> On Fri, Mar 07, 2014 at 04:50:21PM -0500, Christina Plummer wrote: >> > >> Update - I was able to use curl to download the repomd.xml file that >> Pulp >> > >> seems to be choking on. So I am definitely thinking this is a Pulp >> 2.3 >> > >> problem. >> > >> >> > >> This worked: >> > >> sudo curl -v >> > >> >> https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml--cacert >> > >> /etc/rhsm/ca/redhat-uep.pem --cert >> > >> /etc/pki/entitlement/1545770057920900266.pem --key >> > >> /etc/pki/entitlement/1545770057920900266-key.pem >> > >> >> > >> >> > >> >> > >> >> > >> On Fri, Mar 7, 2014 at 4:02 PM, Christina Plummer < >> [email protected]>wrote: >> > >> >> > >>> I've been working with Pulp 2.1.3 for several months, and decided >> that I >> > >>> wanted to get 2.3.1 stood up on a new server and migrate over to it. >> > >>> Unfortunately, I have not been able to get Pulp 2.3.1 to sync from >> the Red >> > >>> Hat channels. Here is the error I get: >> > >>> Downloading metadata... >> > >>> [\] >> > >>> ... failed >> > >>> >> > >>> HTTPSConnectionPool(host='cdn.redhat.com', port=443): Max retries >> > >>> exceeded with >> > >>> url: >> /content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml >> > >>> (Caused >> > >>> by <class 'socket.error'>: [Errno 104] Connection reset by peer) >> > >>> >> > >>> I don't believe I have a network or subscription/entitlement issue, >> > >>> because I am able to use yum to update packages from cdn.redhat.com. >> I >> > >>> set up my Pulp 2.3.1 repos in the same way as I have them on my >> 2.1.3 >> > >>> server, e.g. >> > >>> >> > >>> sudo pulp-admin rpm repo create --repo-id=live-rhel6-x86_64 >> > >>> --description="RHEL6 x86_64 Latest" >> > >>> --feed-cert=/etc/pki/entitlement/1545770057920900266.pem >> > >>> --feed-key=/etc/pki/entitlement/1545770057920900266-key.pem --feed= >> https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os >> > >>> --retain-old-count=1< >> https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os--retain-old-count=1>--validate=true >> --relative-url=rhel6/x86_64 --serve-http=true >> > >>> --serve-https=false >> > >>> --gpg-key=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-legacy-release >> > >>> I am still able to sync from RHN to my Pulp 2.1.3 server, so there >> doesn't >> > >>> seem to be an issue with Red Hat itself. >> > >>> >> > >>> It seems like an SSL error, but I can't figure out what it would >> be... I >> > >>> tried adding --feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem, but that >> didn't >> > >>> seem to have any effect (and hasn't been needed on my 2.1.3 server). >> > >>> >> > >>> Any ideas? Has anyone else got syncing from cdn.redhat.comworking on >> > >>> Pulp 2.3.1? >> > >>> >> > >>> Thanks, >> > >>> Christina >> > > >> > >> _______________________________________________ >> > >> Pulp-list mailing list >> > >> [email protected] >> > >> https://www.redhat.com/mailman/listinfo/pulp-list >> > > >> > >> > >
_______________________________________________ Pulp-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-list
