Support #12368
closed
pulp-admin login on capsule causes error 500
Description
Description:
When I'm trying to login using pulp-admin on capsule I'm getting error 500.
Reproducibility: 100%
Steps to reproduce:
1. Set up new capsule with pulp
2. Install pulp-admin-client RPM on capsule
3. Add verify_ssl: False to /etc/pulp/admin/admin.conf (to [server] section)
4. Execute pulp-admin login -u admin then type password
Actual result:
An internal error occurred on the Pulp server: RequestException: POST request on /pulp/api/v2/actions/login/ failed with 500 - error signing cert request: Signature ok subject=/CN=admin:admin:5637512e762c2f1072a81bcd Getting CA Private Key CA certificate and CA private key do not match 140629082322848:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331: unable to write 'random state'
Expected result:
Successfully logged in. Session certificate will expire at ...
Additional info:
If I log in using pulp-admin on the foreman host and then copy ~/.pulp/user-cert.pem to the capsule, then everything works as expected (i.e. I can use pulp-admin on capsule without any limitations).
katello-agent-2.3.1-4.el7.noarch
katello-certs-tools-2.3.0-4.el7.noarch
katello-debug-2.3.0-6.el7.noarch
katello-default-ca-1.0-1.noarch
katello-installer-base-2.3.1-6.el7.noarch
katello-selinux-2.2.1-1.el7.noarch
katello-server-ca-1.0-2.noarch
katello-service-2.3.0-6.el7.noarch
pulp-admin-client-2.6.2-1.el7.noarch
pulp-docker-plugins-1.0.1-1.el7.noarch
pulp-katello-0.4-2.el7.noarch
pulp-nodes-child-2.6.2-1.el7.noarch
pulp-nodes-common-2.6.2-1.el7.noarch
pulp-nodes-parent-2.6.2-1.el7.noarch
pulp-puppet-plugins-2.6.2-1.el7.noarch
pulp-rpm-admin-extensions-2.6.2-1.el7.noarch
pulp-rpm-handlers-2.6.2-1.el7.noarch
pulp-rpm-plugins-2.6.2-1.el7.noarch
pulp-selinux-2.6.2-1.el7.noarch
pulp-server-2.6.2-1.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
python-kombu-3.0.24-8.pulp.el7.noarch
python-pulp-agent-lib-2.6.2-1.el7.noarch
python-pulp-bindings-2.6.2-1.el7.noarch
python-pulp-client-lib-2.6.2-1.el7.noarch
python-pulp-common-2.6.2-1.el7.noarch
python-pulp-docker-common-1.0.1-1.el7.noarch
python-pulp-puppet-common-2.6.2-1.el7.noarch
python-pulp-rpm-common-2.6.2-1.el7.noarch
rubygem-smart_proxy_pulp-1.0.1-2.el7.noarch
Updated by Eric Helms about 9 years ago
- Release set to 70
- Triaged changed from No to Yes
Updated by Justin Sherrill almost 9 years ago
- Release changed from 70 to 86
Updated by Daniel Lobato Garcia over 8 years ago
100% reproducible - this is also causing trouble in Katello I believe. When I call subscription-manager ... --force on a host, it will try to create a Pulp Consumer using runcible and the same error will show up in journalctl.
Updated by Daniel Lobato Garcia over 8 years ago
- Tracker changed from Bug to Support
- Status changed from New to Resolved
Duh - found the reason. Pulp CA key and cert are not managed by Katello at all. In fact the ca.key set in the /etc/pulp/server.conf is wrong.
Run the following script to verify it - https://gist.github.com/dLobatog/6e6c53bca6343ae8fc37 - if it outputs one md5 key, it means all of them were signed by the same CA. But the Pulp ca key isn't signed by the same CA.
I'd say just call Pulp actions with '--username username --password password', like 'pulp-admin --username username --password password consumer list'. Or change the cakey in /etc/pulp/server.conf to point to /etc/pki/katello/private/katello-default-ca.key.
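The mismatch identified in the last comment can be checked directly by comparing the public key inside a CA certificate with the one derived from a CA private key. This is an added example, not the linked gist and not Katello or Pulp code; the function names and the throwaway CA files it generates are constructed for illustration, and it assumes the openssl CLI and an unencrypted key.

```shell
#!/bin/sh
# Added example: check that a CA certificate and a CA private key are a pair.
# Function names and generated files are constructed for illustration.

# Print the public key (PEM) embedded in certificate $1.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the public key (PEM) derived from private key $1.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Return 0 if cert $1 and key $2 match, 1 if they do not,
# 2 if either file cannot be read or parsed.
ca_pair_matches() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Generate a constructed self-signed test CA named $2 under directory $1.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-ca-$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demo: the second check reproduces the state described in the ticket,
# a CA certificate paired with a key that belongs to a different CA.
demo() {
    d=$(mktemp -d) || return 2
    make_test_ca "$d" a && make_test_ca "$d" b || { rm -rf "$d"; return 2; }
    ca_pair_matches "$d/a.crt" "$d/a.key" && echo "a.crt + a.key: match"
    ca_pair_matches "$d/a.crt" "$d/b.key" || echo "a.crt + b.key: MISMATCH"
    rm -rf "$d"
}

demo
```

On a capsule, `ca_pair_matches` would be called with the CA certificate and the cakey path configured in /etc/pulp/server.conf; a return code of 1 corresponds to the "key values mismatch" error in the report.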