On 03/13/2015 12:00 PM, Cristian Falcas wrote:
>> Pulp will set by default all repos to be protected. I'm trying to
>> see what needs to be done in order to use a default pulp
>> installation.
>
>> It will define the http configuration for repos with:
>> WSGIAccessScript /srv/pulp/repo_auth.wsgi
>> SSLVerifyClient require
It's true that the WSGIAccessScript handles all SSL requests, but by default it is permissive. To enable it, you would need to edit /etc/pulp/repo_auth.conf and set [main] --> enabled to true. Is that set to true on your system? If so, this might be your issue. Unless, of course, you are trying to use repository protection. If you are trying to use repository protection, I'm afraid you will need something like Candlepin to create the client certificates for you. Pulp itself does not generate the consumer certificates.

> A wild guess on my part, but perhaps your consumer is simply
> missing the certificate authority that signed the httpd server's
> certificate, and is complaining about the insecure SSL connection?
> If that is so, I think I can help ☺
>
>> You lost me here :). I don't understand what you are saying. I
>> have ca_path set to the default value
>> (/etc/pki/tls/certs/ca-bundle.crt)

By default, we have verify_ssl set to true (it seems that you have set that to false, based on the pulp.repo config you provided). Since you have this set to false, it's not the issue you were running into. However, I'll try to explain what I meant a little more clearly:

The consumer is connecting to Pulp via SSL. When this happens, httpd presents the consumer with its SSL certificate, and the consumer is given a chance to challenge that certificate with a nonce, to prove that the server has the corresponding private key. During this exchange, the consumer will also check that the server's certificate is signed by a certificate authority that it trusts. Since httpd uses a self-signed certificate by default, this signature validation step will fail out of the box. Some users will set verify_ssl to false, which basically disables this check, but also removes a significant piece of the protection of SSL since you are no longer verifying the identity of the Pulp server (i.e., you could be getting a MITM).
Another solution is to sign the httpd certificate with a CA that the consumer trusts. You can do this by using your very own CA if you install that CA public cert on the consumer, or you can buy a signed certificate from any of the already trusted PKI vendors. In my case, I've gone the route of having my own certificate authority, so I can keep verify_ssl set to True, but I also don't have to buy a certificate. It takes a little time to learn how to do it, but once you know the ropes it's not that difficult. Besides saving money, another benefit is that I don't have to wait on a third party to have a signed certificate. In cases where you need the general public to be able to establish trust, a custom CA isn't a great solution since they won't have it installed, but I find it works well for protecting myself when I'm the only user of a service.

--
Randy Barlow

_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
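The private-CA route Randy describes above, carried through with openssl as an added example (this is not code from the thread or from the Pulp project). It creates a CA, signs the httpd server certificate with it, builds the bundle a consumer's ca_path would point at, and then runs the same chain-plus-hostname check a consumer with verify_ssl = True performs, once with the right CA, once with an unrelated CA, and once against the wrong host name. The host name pulp.example.com, the CA names and the scratch directory are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the pulp-list thread or from Pulp itself.
# Assumptions (made up): host pulp.example.com, CA name "Example Lab CA",
# scratch directory $WORK. Requires the openssl command-line tool.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a self-contained openssl req config so the example does not depend
# on the distribution's openssl.cnf. $1 = config file, $2 = CN.
# ca_ext is only applied when req is run with -x509 (the CA cert below).
write_req_conf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = $2
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create a private CA: a self-signed certificate marked CA:TRUE.
# $1 = file prefix (ca.key / ca.crt), $2 = CA name.
make_ca() {
  write_req_conf "$WORK/$1.cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue the httpd server certificate for host $1, signed by CA prefix $2.
# The subjectAltName is what the consumer matches the host name against.
make_server_cert() {
  host="$1"; ca="$2"
  write_req_conf "$WORK/server.cnf" "$host"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$WORK/server.ext"
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# The bundle the consumer's ca_path would point at: the distribution bundle
# (if present on this machine) plus our CA's *public* cert. The CA key never
# leaves the CA host.
make_bundle() {
  out="$WORK/ca-bundle.crt"
  if [ -r /etc/pki/tls/certs/ca-bundle.crt ]; then
    cat /etc/pki/tls/certs/ca-bundle.crt > "$out"
  else
    : > "$out"
  fi
  cat "$WORK/ca.crt" >> "$out"
  echo "$out"
}

# What verify_ssl = True amounts to on the consumer: build a chain from the
# server cert to a CA in bundle $1 and match host name $2 against the SAN.
# Prints "ok" or "fail" so the outcomes can be compared side by side.
consumer_check() {
  bundle="$1"; host="$2"
  if openssl verify -CAfile "$bundle" -no-CApath \
       -verify_hostname "$host" "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

demo() {
  make_ca ca "Example Lab CA"
  make_ca other-ca "Unrelated CA"        # a CA the consumer might trust instead
  make_server_cert pulp.example.com ca
  bundle=$(make_bundle)
  echo "our CA in bundle, right host:  $(consumer_check "$bundle" pulp.example.com)"
  echo "unrelated CA only, right host: $(consumer_check "$WORK/other-ca.crt" pulp.example.com)"
  echo "our CA in bundle, wrong host:  $(consumer_check "$bundle" evil.example.com)"
}

demo
```

On a real consumer the equivalent of make_bundle is appending ca.crt (and only ca.crt, never ca.key) to the bundle that ca_path names, after which verify_ssl can stay True. The second and third checks are the two failures that tempt people into verify_ssl = False: a CA the consumer has not been told about, and a certificate issued for a different name than the one in the repo URL. Both are exactly the conditions under which a MITM would otherwise go unnoticed.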
