Bug #12841

Cert mismatch for katello 2.4 RC3 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf

Added by Rodrigo Menezes over 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: Documentation
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cert mismatch for Katello 2.4 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf. This causes you not to be able to use pulp-admin.

In /etc/pulp/server.conf under [security], the cacert and cakey fields do not match what is in /etc/httpd/conf.d/pulp.conf.

[root@puppet100 ~]# pulp-admin rpm repo content errata --repo-id=Default_Organization-CentOS_7_x86_64-CentOS_7_x86_64_Extras
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.

~/.pulp/admin.log
---------------------------------------------------
2015-12-16 00:07:04,410 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 405, in errata
    self.run_search([TYPE_ERRATUM], **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 158, in run_search
    units = self.context.server.repo_unit.search(repo_id, **kwargs).response_body
  File "/usr/lib/python2.7/site-packages/pulp/bindings/repository.py", line 467, in search
    return self.server.POST
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 100, in POST
    log_request_body=log_request_body, ignore_prefix=ignore_prefix)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 152, in _request
    response_code, response_body = self.server_wrapper.request(method, url, body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 349, in request
    raise exceptions.ConnectionException(None, str(err), None)
ConnectionException: (None, 'tlsv1 alert unknown ca', None)


Files

pulp.conf (1.17 KB), Rodrigo Menezes, 12/15/2015 07:04 PM
server.conf (11.2 KB), Rodrigo Menezes, 12/15/2015 07:06 PM

#1

Updated by Rodrigo Menezes over 8 years ago

Just to add some more information, just checked on a Katello 2.3 deployment I have and this is what it looks like:

[security]
cacert: /etc/pki/katello/certs/katello-default-ca.crt
cakey: /etc/pki/katello/private/katello-default-ca.key
ssl_ca_certificate: /etc/pki/pulp/ssl_ca.crt

#2

Updated by Eric Helms over 8 years ago

  • Triaged changed from No to Yes

#3

Updated by Justin Sherrill over 8 years ago

  • Release changed from 70 to 113

#4

Updated by Eric Helms about 8 years ago

  • Status changed from New to Need more information

Are you able to use username/password with pulp-admin and not hit this error? The certs were removed from server.conf intentionally to reduce our coupling and because they are essentially deprecated. If username and password specification don't work, we will investigate a further solution.

#5

Updated by Rodrigo Menezes about 8 years ago

This happens when I'm logging in with a username/password. From my understanding of what is going on, it looks like "pulp-admin login -u admin --password=XYZ" generates a temporary cert based on the incorrect CA in server.conf, and when it tries to communicate with Pulp through http there is a cert mismatch.
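
The mismatch reported above can be checked directly. The following is an added example, not code from Katello, Pulp or any participant in this thread: it tests whether the certificate named by `cacert` under `[security]` in server.conf is among the CA certificates httpd accepts client certificates from. It assumes the httpd side is set with Apache's `SSLCACertificateFile` directive (the attached pulp.conf is not shown on this page); the function names and the sample files are constructed for illustration.

```python
import configparser
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Assumption: httpd names the CA for client certificates with SSLCACertificateFile.
HTTPD_CA = re.compile(r'^\s*SSLCACertificateFile\s+"?([^\s"]+)', re.M | re.I)

def cert_fingerprints(pem_path):
    """SHA-256 of the DER form of every certificate in a PEM file or bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(Path(pem_path).read_text())}

def signing_ca_path(server_conf):
    """Value of `cacert` under [security] in Pulp's server.conf, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(server_conf)
    return cp.get("security", "cacert", fallback=None)

def check_ca_match(server_conf, httpd_conf):
    """(ok, reason): ok only if httpd trusts the CA that signs login certificates."""
    signer = signing_ca_path(server_conf)
    if not signer:
        return False, "no cacert under [security] in server.conf"
    signing = cert_fingerprints(signer)
    trusted = set()
    for path in HTTPD_CA.findall(Path(httpd_conf).read_text()):
        trusted |= cert_fingerprints(path)
    if signing and signing <= trusted:
        return True, "signing CA is trusted by httpd"
    return False, "signing CA not in httpd's CA file; expect 'unknown ca'"

def demo():
    """Constructed files: server.conf signs with one CA while httpd trusts another."""
    d = Path(tempfile.mkdtemp())
    for name in ("signing-ca", "httpd-ca"):  # placeholder bodies, not real certificates
        (d / f"{name}.crt").write_text(ssl.DER_cert_to_PEM_cert(name.encode()))
    (d / "server.conf").write_text(f"[security]\ncacert: {d}/signing-ca.crt\n")
    (d / "pulp.conf").write_text(f"SSLCACertificateFile {d}/httpd-ca.crt\n")
    before = check_ca_match(d / "server.conf", d / "pulp.conf")
    (d / "server.conf").write_text(f"[security]\ncacert: {d}/httpd-ca.crt\n")  # aligned
    after = check_ca_match(d / "server.conf", d / "pulp.conf")
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real host, call `check_ca_match("/etc/pulp/server.conf", "/etc/httpd/conf.d/pulp.conf")` as a user who can read both CA certificate files; the check compares certificates only and never touches `cakey`.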

#6

Updated by Justin Sherrill about 8 years ago

After a discussion we're not planning on fixing this as:

a) pulp is planning on deprecating pulp-admin login
b) it greatly simplifies our installer code and permissions to not let pulp access the CA private key

Instead we will document this error and the workaround for the issue.

#7

Updated by Rodrigo Menezes about 8 years ago

Would you be able to go more into what the workaround is, so that I may try and build it into this script beforehand: https://github.com/brdude/pulp_centos_errata_import

#8

Updated by Justin Sherrill about 8 years ago

Hey Michael,

Apologies for the delay.

The workaround is to simply use

'pulp-admin -u admin -p PASSWORD subcommand'

rather than 'pulp-admin login'.

In Katello 3.0 (next version of katello expected in the next month or so), we will also generate a pulp client key at installation time which can be used by pulp-admin. To get it in the right place and form you'd simply run:

sudo cat /etc/pki/katello/certs/pulp-client.crt /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem

and then pulp-admin will work as the 'admin' user without specifying any username or password.

#9

Updated by Justin Sherrill about 8 years ago

  • Category changed from 91 to Documentation
  • Status changed from Need more information to Assigned
  • Assignee set to Justin Sherrill
  • Release changed from 113 to 86

#10

Updated by The Foreman Bot about 8 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/Katello/katello.org/pull/237 added

#11

Updated by Justin Sherrill about 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100