soudns familiar. we have our designated update grabbing machines bypass the proxy so we don't have to circumvent the SSL/TLS security measures by having something play man-in-the-middle.
I managed to convinve the policy folks it wasn't likely my RPM downloading boxes would be pulling down porn :). Steve On Tue, Mar 11, 2014 at 07:17:21AM +0100, Florian Sachs wrote: > Hi Christina, > > I ran into the same problem recently (Client Hello, RST) , as our > Bluecoat Proxy doesn't like TLS1.2 much... > > Pulp uses python-requests to download packages and I was able to > change the behaviour there. See > https://bugzilla.redhat.com/show_bug.cgi?id=1039471#c4 for the diff. > > best regards, > florian > > On 03/10/2014 09:56 PM, Christina Plummer wrote: > > > >-- > >!!! ACHTUNG !!! > >Die elektronische DKIM-Signatur die der absendende Mailserver der > >Nachricht beigefügt hat, ist Fehlerhaft. Es handelt sich bei > >dieser Mail mit großer Wahrscheinlichkeit um eine Faelschung/Spam > >etc. mx3-phx2.redhat.com ist nicht vertrauenswuerdig! > >-- > > > >Update - after studying the packet captures, I noticed that all > >the failures (both Pulp2.3 and openssl s_client) were when TLS 1.2 > >was used. When I forced s_client to use TLS 1.0 or 1.1, the SSL > >handshake succeeded. > > > >Is there a way to force Pulp to use TLS 1.0? > > > > > >On Mon, Mar 10, 2014 at 4:14 PM, Christina Plummer > ><[email protected] <mailto:[email protected]>> wrote: > > > > We do go through a proxy, but authentication is not required on > > port 443. Both servers are on the same subnet. > > > > Pulp-2.1.3-server: > > * RHEL 6.5 x86_64 > > * yum to cdn.redhat.com <http://cdn.redhat.com> works > > * curl to cdn.redhat.com <http://cdn.redhat.com> works > > * Pulp to cdn.redhat.com <http://cdn.redhat.com> works > > > > Pulp-2.3.1-server: > > * RHEL 6.5 x86_64 > > * yum to cdn.redhat.com <http://cdn.redhat.com> works > > * curl to cdn.redhat.com <http://cdn.redhat.com> works > > * Pulp to cdn.redhat.com <http://cdn.redhat.com> fails > > > > (I couldn't get openssl s_client to work on either one, but I > > think that is probably user error or otherwise irrelevant) > > > > I did packet captures on both servers while running "pulp rpm repo > > sync run". > > On the 2.3.1 server, the SSL Client Hello does not include a > > Server Name, and is followed by a RST. > > On the 2.1.3 server, the SSL Client Hello includes a Server Name > > of cdn.redhat.com <http://cdn.redhat.com>, and is followed by a > > SSL Server Hello and the rest of the process proceeds as expected. > > > > So... why is the 2.3.1 not sending a Server Name is its SSL Client > > Hello? > > > > Thanks, > > Christina > > > > > > > > On Sat, Mar 8, 2014 at 12:54 AM, Steven Roberts > > <[email protected] <mailto:[email protected]>> wrote: > > > > I sort of recall having a similar cert issue around the same > > time I > > upgraded to 2.3 but we had two external issues: > > - our accounting group decided to change our RH account so we > > had to get > > new entitlement certs > > - a proxy had been added to out outbound connection causing a > > server > > cert issue. > > > > are you behind a proxy? thinking maybe doing a 'openssl s_client' > > to get the cert to confirm it is the one you are expecting... > > > > that socket reset sounds like one side isn't liking the SSL > > negotiation which could be a client or server issue. > > > > I would check the ssl side of things, you could also > > tcpdump/tshark > > the connection to see if one side is raising an ssl error... > > > > Steve > > > > On Fri, Mar 07, 2014 at 09:00:51PM -0500, Christina Plummer wrote: > > > Hi Steve, > > > Both the 2.1 and 2.3 Pulp servers are running RHEL 6.5. > > > > > > Thanks, > > > Christina > > > > > > Sent from mobile > > > > > > > On Mar 7, 2014, at 8:28 PM, Steven Roberts > > <[email protected] <mailto:[email protected]>> wrote: > > > > > > > > what os,arch are you running your pulp server on? > > > > > > > > I am on a RHEL 6 (64bit) box with pulp 2.3.1-1 package and > > my sync's > > > > of RH CDN are working. > > > > > > > > I have feed-cert and feed-key (both set to the same .pem I > > downloaded > > > > from RH using the instructions in the pulp guide). > > > > > > > > I did just look and I am setting the feed-ca-cert to a > > redhat-uep.pem > > > > (and I also have skipping of DRPMS as we don't use them in > > our env) > > > > > > > > Steve > > > > > > > >> On Fri, Mar 07, 2014 at 04:50:21PM -0500, Christina > > Plummer wrote: > > > >> Update - I was able to use curl to download the > > repomd.xml file that Pulp > > > >> seems to be choking on. So I am definitely thinking this > > is a Pulp 2.3 > > > >> problem. > > > >> > > > >> This worked: > > > >> sudo curl -v > > > >> > > > > https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml--cacert > > > >> /etc/rhsm/ca/redhat-uep.pem --cert > > > >> /etc/pki/entitlement/1545770057920900266.pem --key > > > >> /etc/pki/entitlement/1545770057920900266-key.pem > > > >> > > > >> > > > >> > > > >> > > > >> On Fri, Mar 7, 2014 at 4:02 PM, Christina Plummer > > <[email protected] <mailto:[email protected]>>wrote: > > > >> > > > >>> I've been working with Pulp 2.1.3 for several months, > > and decided that I > > > >>> wanted to get 2.3.1 stood up on a new server and migrate > > over to it. > > > >>> Unfortunately, I have not been able to get Pulp 2.3.1 to > > sync from the Red > > > >>> Hat channels. Here is the error I get: > > > >>> Downloading metadata... > > > >>> [\] > > > >>> ... failed > > > >>> > > > >>> HTTPSConnectionPool(host='cdn.redhat.com > > <http://cdn.redhat.com>', port=443): Max retries > > > >>> exceeded with > > > >>> url: > > /content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml > > > >>> (Caused > > > >>> by <class 'socket.error'>: [Errno 104] Connection reset > > by peer) > > > >>> > > > >>> I don't believe I have a network or > > subscription/entitlement issue, > > > >>> because I am able to use yum to update packages from > > cdn.redhat.com <http://cdn.redhat.com>. I > > > >>> set up my Pulp 2.3.1 repos in the same way as I have > > them on my 2.1.3 > > > >>> server, e.g. > > > >>> > > > >>> sudo pulp-admin rpm repo create --repo-id=live-rhel6-x86_64 > > > >>> --description="RHEL6 x86_64 Latest" > > > >>> --feed-cert=/etc/pki/entitlement/1545770057920900266.pem > > > >>> > > --feed-key=/etc/pki/entitlement/1545770057920900266-key.pem > > > > --feed=https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os > > > >>> > > > > --retain-old-count=1<https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os--retain-old-count=1>--validate=true > > --relative-url=rhel6/x86_64 --serve-http=true > > > >>> --serve-https=false > > > >>> --gpg-key=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-legacy-release > > > >>> I am still able to sync from RHN to my Pulp 2.1.3 > > server, so there doesn't > > > >>> seem to be an issue with Red Hat itself. > > > >>> > > > >>> It seems like an SSL error, but I can't figure out what > > it would be... I > > > >>> tried adding --feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem, > > but that didn't > > > >>> seem to have any effect (and hasn't been needed on my > > 2.1.3 server). > > > >>> > > > >>> Any ideas? Has anyone else got syncing from > > cdn.redhat.com <http://cdn.redhat.com> working on > > > >>> Pulp 2.3.1? > > > >>> > > > >>> Thanks, > > > >>> Christina > > > > > > > >> _______________________________________________ > > > >> Pulp-list mailing list > > > >> [email protected] <mailto:[email protected]> > > > >> https://www.redhat.com/mailman/listinfo/pulp-list > > > > > > > > > > > > > > > > > > >_______________________________________________ > >Pulp-list mailing list > >[email protected] > >https://www.redhat.com/mailman/listinfo/pulp-list > > -- > Florian Sachs > Bundesministerium für Landesverteidigung und Sport > Führungsunterstützungszentrum / IKT-Te / HW&SysSW / SE2VE > Stiftgasse 2a 1070, Wien > Postadresse: Rossauer Lände 1, 1090 Wien > Tel.: +43 50201 10 33466 > > _______________________________________________ > Pulp-list mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/pulp-list _______________________________________________ Pulp-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-list
