Hi, I'm running into an issue with the latest pulp REST bindings being unable to verify the certificate if the CA cert is a chain cert. It looks like the new pulp is using code from the m2crypto library that does not support this feature. Attached are 2 small scripts that will recreate this scenario.

Note: test_m2crypto.py has pieces of code yanked from pulp bindings/server.py
Note2: The scripts assume pulp is installed locally.

Here are the steps:
1) ./create_rhui_ssl_certs.sh - This would output a bunch of certs; the important ones are copied to the ./certs dir.
2) Edit line 8 of test_m2crypto.py to point to $HOME/certs/server-ca-chain.pem
3) Edit /etc/httpd/conf.d/ssl.conf with the following key-value pairs:
   3.1) SSLCertificateFile $HOME/certs/test-cert.pem
   3.2) SSLCertificateKeyFile $HOME/certs/test-key.pem
4) Restart httpd
5) python test_m2crypto.py
6) openssl verify -verbose -CAfile $HOME/certs/server-ca-chain.pem $HOME/certs/test-cert.pem

Output should look like:

[root@rhua ~]# python test_m2crypto.py
certificate verify failed
[root@rhua ~]# openssl verify -verbose -CAfile /root/certs/server-ca-chain.pem /root/certs/test-cert.pem
/root/certs/test-cert.pem: OK

The version of pulp I'm using is:

[root@rhua ~]# rpm -qa | grep "pulp"
python-isodate-0.5.0-1.pulp.el6.noarch
python-pulp-rpm-common-2.4.0-0.30.beta.el6.noarch
createrepo-0.9.9-21.2.pulp.el6.noarch
pulp-admin-client-2.4.0-0.30.beta.el6.noarch
python-kombu-3.0.15-12.pulp.el6.noarch
pulp-puppet-plugins-2.4.0-0.30.beta.el6.noarch
pulp-selinux-2.4.0-0.30.beta.el6.noarch
pulp-rpm-admin-extensions-2.4.0-0.30.beta.el6.noarch
m2crypto-0.21.1.pulp-8.el6.x86_64
python-pulp-common-2.4.0-0.30.beta.el6.noarch
python-pulp-puppet-common-2.4.0-0.30.beta.el6.noarch
python-pulp-bindings-2.4.0-0.30.beta.el6.noarch
python-pulp-client-lib-2.4.0-0.30.beta.el6.noarch
mod_wsgi-3.4-1.pulp.el6.x86_64
pulp-server-2.4.0-0.30.beta.el6.noarch
pulp-rpm-plugins-2.4.0-0.30.beta.el6.noarch
pulp-puppet-admin-extensions-2.4.0-0.30.beta.el6.noarch
pulp-v2-cds-server-1.0.1-1.git.3.9a1a04f.el6.noarch
Attachment: create_rhui_ssl_certs.sh (application/shellscript; not reproduced below)

test_m2crypto.py:
#! /usr/bin/python
# test_m2crypto.py: pieces of code taken from pulp bindings/server.py, kept
# as-is to show that M2Crypto fails to verify the server certificate when the
# CA file is a chain (root + intermediate).
from M2Crypto import SSL, httpslib

if __name__ == "__main__":
    ssl_context = SSL.Context('sslv3')
    # Verify the server certificate. The second argument is the verification
    # depth handed to SSL_CTX_set_verify_depth; 1 is what the pulp bindings pass.
    ssl_context.set_verify(SSL.verify_peer, 1)
    # CA bundle: point this at $HOME/certs/server-ca-chain.pem (root +
    # intermediate) as described in step 2.
    ssl_context.load_verify_locations(cafile="./certs/server-ca-chain.pem")
    ssl_context.set_session_timeout(120)
    connection = httpslib.HTTPSConnection("rhua.example.com", 443,
                                          ssl_context=ssl_context)

    method = "POST"
    url = "/pulp/api/v2/actions/login/"
    body = None
    # 'YWRtaW46YWRtaW4=' is base64 for admin:admin, the pulp default admin login.
    headers = {'Accept-Language': 'en-us',
               'Content-Type': 'application/json',
               'Authorization': 'Basic YWRtaW46YWRtaW4=',
               'Accept': 'application/json'}
    try:
        connection.request(method, url, body=body, headers=headers)
        response = connection.getresponse()
        print(response)
    except SSL.SSLError as err:
        # With a chain CA file and verify depth 1 this prints
        # "certificate verify failed" on the setup described above.
        print(str(err))
_______________________________________________ Pulp-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-list
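The post's step 6 shows that openssl itself is happy with the chain, so the difference has to be in how the client verifies. The second argument of M2Crypto's Context.set_verify(mode, depth) is the verify depth (SSL_CTX_set_verify_depth), and a leaf issued by an intermediate that is in turn issued by a root is one level deeper than a leaf issued directly by a trusted root. The script below is an added example (not from the original post, Pulp or M2Crypto): it builds such a three-level chain with the openssl CLI, writes root + intermediate to a chain file the way the post's server-ca-chain.pem is laid out, and verifies the leaf under explicit -verify_depth limits, which is the CLI counterpart of that set_verify depth argument. It assumes an openssl binary on PATH; the subject names (demo-root, demo-intermediate, rhua.example.com) and file names are made up for the demo. One caveat on reading the depth 1 result: on the OpenSSL 1.0.x that EL6 ships, the trust anchor counts against the depth limit, so depth 1 fails for this chain, while OpenSSL 1.1.0 and later do not count the trust anchor and depth 1 passes; depth 0 fails and depth 2 passes on every release.

```shell
#!/bin/sh
# Added example (not from the original post, Pulp or M2Crypto): build a
# three-level chain root CA -> intermediate CA -> server leaf with the openssl
# CLI, write root + intermediate to a chain file (like the post's
# server-ca-chain.pem), and verify the leaf under different -verify_depth
# limits. Subject names and file names are made up for the demo.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:rhua.example.com
EOF

# Root CA: self-signed, CA:TRUE.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -config demo.cnf -extensions ca_ext \
    -subj "/CN=demo-root" -days 2 -sha256 -out root.pem

# Intermediate CA: signed by the root. It must carry CA:TRUE, otherwise
# OpenSSL rejects it as an issuer regardless of the depth limit.
openssl genrsa -out intermediate.key 2048 2>/dev/null
openssl req -new -key intermediate.key -config demo.cnf \
    -subj "/CN=demo-intermediate" -out intermediate.csr
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions ca_ext -days 2 -sha256 -out intermediate.pem 2>/dev/null

# Server leaf: signed by the intermediate, the layout that broke the client.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -config demo.cnf \
    -subj "/CN=rhua.example.com" -out leaf.csr
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -extfile demo.cnf -extensions leaf_ext -days 2 -sha256 -out leaf.pem 2>/dev/null

# The CA bundle handed to the client: root + intermediate in one file.
cat root.pem intermediate.pem > chain.pem

# verify_with_depth DEPTH: run 'openssl verify' with an explicit depth limit,
# the CLI counterpart of the depth argument of M2Crypto's
# Context.set_verify(mode, depth). Returns 0 when openssl prints "OK", else 1.
verify_with_depth() {
    if openssl verify -CAfile chain.pem -verify_depth "$1" leaf.pem 2>/dev/null \
            | grep -q ': OK$'; then
        echo "verify_depth $1: OK"
        return 0
    fi
    echo "verify_depth $1: verification failed"
    return 1
}

# Default depth limit (100): passes, exactly like step 6 of the post.
openssl verify -CAfile chain.pem leaf.pem

# Depth 0 cannot hold leaf -> intermediate -> root on any OpenSSL release.
verify_with_depth 0 || true
# Depth 1 is what the pulp bindings pass: fails on OpenSSL 1.0.x (EL6), where
# the trust anchor counts against the limit; passes on 1.1.0 and later.
verify_with_depth 1 || true
# Depth 2 leaves room for one intermediate on every release.
verify_with_depth 2 || true
```

Run it as a plain sh script; it only writes into a fresh mktemp directory. The practical takeaway for the client side is that a CA bundle containing the intermediate is not enough on its own: the verify depth passed to set_verify must also leave room for the intermediate, so anything shorter than 2 on EL6-era OpenSSL rejects a chained deployment even though openssl verify with its default limit reports OK.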
