Hello Pulpers,

I've upgraded from 2.4.0-1 to 2.5.1-1 and have hit SSL issues.

Despite having verify_ssl: false in /etc/pulp/admin/admin.conf, pulp-admin would now bomb out with errors in ~/.pulp/admin.log:

    ConnectionException: (None, 'tlsv1 alert unknown ca', None)

That shouldn't happen, right?

I was using a self-signed certificate, so to try to get around this I used a VeriSign certificate. Despite updating the relevant variables...

admin.conf:

    ca_path: /etc/pki/tls/certs/ca-bundle.crt

server.conf:

    cacert: /etc/pki/pulp/new-hostname-cacert.pem
    cakey: /etc/pki/pulp/new-hostname-key.pem
    ssl_ca_certificate: /etc/pki/tls/certs/ca-bundle.crt

/etc/httpd/conf.d/pulp.conf:

    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    SSLCertificateFile /etc/pki/pulp/new-hostname-cacert.pem
    SSLCertificateKeyFile /etc/pki/pulp/new-hostname-key.pem

...and appending the intermediate certificate into the ca-bundle.crt file, pulp-admin still gave the same exception, despite appending the intermediary cert having fixed wget and curl, which were complaining when I did a test grab of /pulp/repos until I did that.

I could see that ssl_error_log contained:

    [Thu Dec 18 10:57:15 2014] [error] [client 123.123.123.123] Certificate Verification: Error (20): unable to get local issuer certificate
    [Thu Dec 18 10:57:15 2014] [error] [client 123.123.123.123] Re-negotiation handshake failed: Not accepted by client!?

After some googling I tried commenting out:

    SSLVerifyClient optional

in /etc/httpd/conf.d/pulp.conf.

That resolved the SSL Apache log error, but now I get:

    The specified user does not have permission to execute the given command

admin.log:

    PermissionsException: RequestException: GET request on /pulp/api/v2/tasks/ failed with 401 - Authentication with username None failed: invalid SSL certificate.

So to summarise ... is verify_ssl broken in 2.5.1? And what have I been doing wrong with my certificates?

Thanks!!

Paul
_______________________________________________
Pulp-list mailing list
https://www.redhat.com/mailman/listinfo/pulp-list
