On 12/18/2014 06:46 AM, Paul Urwin wrote:
> Hello Pulpers

Hello Paul!

> I've upgraded from 2.4.0-1 to 2.5.1-1 and have hit SSL issues.
>
> Despite having verify_ssl: false in /etc/pulp/admin/admin.conf
> pulp-admin would now bomb out with errors in ~/.pulp/admin.log:
>
> ConnectionException: (None, 'tlsv1 alert unknown ca', None)
>
> That shouldn't happen right?

openssl errors are often difficult to interpret. What did the output of pulp-admin tell you when you ran into this issue? It may have been that you simply needed to log in again, but that's a bit of a wild guess on my part.

> I was using a self signed certificate so to try to get around this I
> used a VeriSign certificate.
>
> Despite updating the relevant variables...
>
> server.conf
> cacert: /etc/pki/pulp/new-hostname-cacert.pem
> cakey: /etc/pki/pulp/new-hostname-key.pem
> ssl_ca_certificate: /etc/pki/tls/certs/ca-bundle.crt

These three settings should not be altered, and the Pulp team has plans to deprecate them because altering them will often break Pulp. This was supposed to have been documented, but unfortunately I discovered that there was a typo in the docs. I just submitted a pull request to address the typo[0].

Essentially, these certificates are for Pulp's own internal operation and should not need to be adjusted. cacert/key are for Pulp's authentication CA certificate, not for the CA that signed the certs that httpd uses to serve Pulp. This CA is used to sign the CSRs when you call pulp-admin login, so that pulp-admin can use the user-cert.pem to identify you until the next login call. We plan to remove this with Pulp 3.0 as we hope to switch to a different authentication mechanism.

ssl_ca_certificate is for handing out certificates to bound consumers so they can verify the Pulp server when communicating with it, but it suffers from a chicken-and-the-egg problem because the consumer can't get the cert from Pulp without first trusting Pulp, which it can't do without the cert, so we plan to remove this as well.

I recommend that you restore all three of these settings to their defaults (and ensure that the files that were originally there are still present and unaltered.)

> /etc/httpd/conf.d/pulp.conf:
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

This is the CA that will validate client certificates. It must be the same file as server.conf's cacert setting (and that must be unaltered from the Pulp install).

> SSLCertificateFile /etc/pki/pulp/new-hostname-cacert.pem
> SSLCertificateKeyFile /etc/pki/pulp/new-hostname-key.pem

You shouldn't need these settings; I would recommend removing them.

> After some googling I tried commenting out:
>
> SSLVerifyClient optional
>
> In /etc/httpd/conf.d/pulp.conf
>
> That resolved the SSL Apache log error, but now I get:
>
> The specified user does not have permission to execute the given command

This is because the client certificate you are using wasn't signed by a CA that httpd trusted, so the REMOTE_USER environment variable wasn't set.

> So to summarise ... is verify_ssl broken in 2.5.1? And what have I been
> doing wrong with my certificates?

Most of us developers have verify_ssl set to False (I personally keep it set to True to make sure that works too), and I believe our QE tests it both ways, so I am fairly confident that it works correctly. I'd suggest reverting all the SSL settings to their defaults, and try pulp-admin login again to see if that helps.

Let us know how it goes!

[0] https://github.com/pulp/pulp/pull/1444
_______________________________________________ Pulp-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-list
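The trust check behind the two symptoms in the thread (httpd validating a client certificate against the CA bundle named in SSLCACertificateFile, and a certificate signed by a CA outside that bundle being rejected as "unknown ca"), as an added shell example that is not part of this thread or of Pulp's own tooling. It assumes only the openssl CLI; the CA names pulp-ca and other-ca, the leaf names admin-ok and admin-stray, and the temporary ca-bundle.crt are constructed stand-ins for Pulp's real authentication CA, the httpd CA bundle and the user-cert.pem that pulp-admin login obtains.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the trust check httpd performs
# on a client certificate against SSLCACertificateFile, using throwaway CAs and
# certificates generated here. Every file below is constructed test data; none
# of it is Pulp's real CA, bundle or user-cert.pem. Requires the openssl CLI.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to demonstrate" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: a self-signed CA (key + cert), standing in for a trust anchor
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf CA NAME: a leaf certificate signed by CA, standing in for the
# user-cert.pem that pulp-admin login obtains from Pulp's authentication CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chain_status BUNDLE CERT: prints "trusted" when CERT chains to a CA in BUNDLE,
# otherwise "unknown ca" (the condition behind the TLS alert in the thread).
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "unknown ca"
    fi
}

# issuer_cn CERT: the CN of whoever signed CERT, the first thing to compare
# against the CAs in the bundle when a certificate is being rejected
issuer_cn() {
    openssl x509 -noout -issuer -in "$1" | sed 's/.*CN *= *//'
}

# Two CAs: the one httpd trusts (playing the untouched Pulp CA) and an
# unrelated one (playing a CA swapped in after the install).
make_ca pulp-ca
make_ca other-ca
make_leaf pulp-ca admin-ok
make_leaf other-ca admin-stray

# A CA bundle is just concatenated PEM certificates; this one trusts pulp-ca only.
cat "$WORK/pulp-ca.crt" > "$WORK/ca-bundle.crt"

# Convenience wrappers over the constructed files
status_ok()    { chain_status "$WORK/ca-bundle.crt" "$WORK/admin-ok.crt"; }
status_stray() { chain_status "$WORK/ca-bundle.crt" "$WORK/admin-stray.crt"; }

echo "admin-ok    issued by $(issuer_cn "$WORK/admin-ok.crt"):    $(status_ok)"
echo "admin-stray issued by $(issuer_cn "$WORK/admin-stray.crt"): $(status_stray)"
```

On a real host the same two commands apply to the real files: `openssl verify -CAfile <SSLCACertificateFile path> ~/.pulp/user-cert.pem` and `openssl x509 -noout -issuer -in ~/.pulp/user-cert.pem`. If the issuer is not among the CAs in the bundle httpd uses, the certificate will be rejected (or, with client verification loosened, REMOTE_USER stays unset and Pulp reports the permission error), and the fix is to restore the CA files and log in again rather than to remove SSLVerifyClient.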
