FYI, here's the bz for this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1129719
----- Original Message -----
> From: "David Gao" <[email protected]>
> To: [email protected]
> Sent: Monday, August 11, 2014 8:22:12 PM
> Subject: [Pulp-list] Issues with ssl client verification using chain ca pem
>
> Hi,
>
> I'm running into an issue with the latest pulp rest binding being unable to verify
> the certificate if the CA cert is a chain cert. It looks like the new pulp is
> using code from the m2crypto library that does not support this feature.
> Attached are 2 small scripts that will recreate this scenario.
>
> Note: test_m2crypto.py has pieces of code yanked from pulp bindings/server.py
> Note2: The scripts assume pulp is installed locally.
>
> Here are the steps:
>
> 1) ./create_rhui_ssl_certs.sh - This would output a bunch of certs; the
> important ones are copied to the ./certs dir.
> 2) Edit line 8 of test_m2crypto.py to point to $HOME/certs/server-ca-chain.pem
> 3) Edit /etc/httpd/conf.d/ssl.conf with the following key-value pairs:
> 3.1) SSLCertificateFile $HOME/certs/test-cert.pem
> 3.2) SSLCertificateKeyFile $HOME/certs/test-key.pem
> 4) Restart httpd
> 5) python test_m2crypto.py
> 6) openssl verify -verbose -CAfile $HOME/certs/server-ca-chain.pem $HOME/certs/test-cert.pem
>
> Output should look like:
>
> [root@rhua ~]# python test_m2crypto.py
> certificate verify failed
> [root@rhua ~]# openssl verify -verbose -CAfile /root/certs/server-ca-chain.pem /root/certs/test-cert.pem
> /root/certs/test-cert.pem: OK
>
> The version of pulp I'm using is:
>
> [root@rhua ~]# rpm -qa | grep "pulp"
> python-isodate-0.5.0-1.pulp.el6.noarch
> python-pulp-rpm-common-2.4.0-0.30.beta.el6.noarch
> createrepo-0.9.9-21.2.pulp.el6.noarch
> pulp-admin-client-2.4.0-0.30.beta.el6.noarch
> python-kombu-3.0.15-12.pulp.el6.noarch
> pulp-puppet-plugins-2.4.0-0.30.beta.el6.noarch
> pulp-selinux-2.4.0-0.30.beta.el6.noarch
> pulp-rpm-admin-extensions-2.4.0-0.30.beta.el6.noarch
> m2crypto-0.21.1.pulp-8.el6.x86_64
> python-pulp-common-2.4.0-0.30.beta.el6.noarch
> python-pulp-puppet-common-2.4.0-0.30.beta.el6.noarch
> python-pulp-bindings-2.4.0-0.30.beta.el6.noarch
> python-pulp-client-lib-2.4.0-0.30.beta.el6.noarch
> mod_wsgi-3.4-1.pulp.el6.x86_64
> pulp-server-2.4.0-0.30.beta.el6.noarch
> pulp-rpm-plugins-2.4.0-0.30.beta.el6.noarch
> pulp-puppet-admin-extensions-2.4.0-0.30.beta.el6.noarch
> pulp-v2-cds-server-1.0.1-1.git.3.9a1a04f.el6.noarch
>
> _______________________________________________
> Pulp-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pulp-list
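The mismatch in steps 5 and 6 above comes down to whether the verifier actually loads every certificate in server-ca-chain.pem. The script below is an added example, not code from the original post, from the attached create_rhui_ssl_certs.sh or from Pulp: it builds a constructed two-tier CA (root, intermediate, server certificate), writes the intermediate and root together as a chain file using the post's file names, and shows with `openssl verify` that trust is only established when the CA file handed to the verifier carries the whole chain. All subjects and the DNS name are made up for the demo.

```sh
#!/bin/sh
# Added example (not from the post or Pulp). Constructs root -> intermediate ->
# server certificate and checks verification against different CA files.

# make_chain DIR: create root.pem, inter.pem, server-ca-chain.pem, test-cert.pem
# and test-key.pem under DIR (names mirror the post's certs dir; contents are demo data).
make_chain() {
  d=$1
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:rhua.example\n' > "$d/leaf.ext"
  # Root CA: self-signed, with CA:TRUE set explicitly so every OpenSSL version accepts it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root-key.pem" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root-key.pem" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/inter-key.pem" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root-key.pem" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # Server certificate, signed by the intermediate (the role of httpd's cert in the post).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rhua.example" \
    -keyout "$d/test-key.pem" -out "$d/test.csr" 2>/dev/null
  openssl x509 -req -in "$d/test.csr" -CA "$d/inter.pem" -CAkey "$d/inter-key.pem" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/test-cert.pem" 2>/dev/null
  # The chain file a client must load in full: intermediate first, then the root.
  cat "$d/inter.pem" "$d/root.pem" > "$d/server-ca-chain.pem"
}

# count_certs FILE: number of PEM certificates in a bundle. A loader that only
# honours the first block would silently drop the rest of the chain.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_with CAFILE CERT: exit status of `openssl verify`; 0 means the chain is trusted.
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo: full chain file verifies, root alone does not (issuer is missing).
d=$(mktemp -d)
make_chain "$d"
echo "certificates in server-ca-chain.pem: $(count_certs "$d/server-ca-chain.pem")"
verify_with "$d/server-ca-chain.pem" "$d/test-cert.pem" && echo "chain file: OK"
verify_with "$d/root.pem" "$d/test-cert.pem" || echo "root only: certificate verify failed"
```

If a client library reports "certificate verify failed" while this succeeds for the same files, the library is not consuming the whole bundle; compare `count_certs` against what the library actually loads.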
