Support #12368

closed

pulp-admin login on capsule causes error 500

Added by Vladimir Stackov over 8 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Description:

When I try to log in using pulp-admin on the capsule, I get error 500.

Reproducibility: 100%

Steps to reproduce:

1. Setup new capsule with pulp
2. Install pulp-admin-client RPM on capsule
3. Add verify_ssl: False to /etc/pulp/admin/admin.conf (to [server] section)
4. Execute pulp-admin login -u admin, then type password

Actual result:

An internal error occurred on the Pulp server:

RequestException: POST request on /pulp/api/v2/actions/login/ failed with 500 - error signing cert request:
Signature ok
subject=/CN=admin:admin:5637512e762c2f1072a81bcd
Getting CA Private Key
CA certificate and CA private key do not match
140629082322848:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:
unable to write 'random state'

Expected result:

Successfully logged in. Session certificate will expire at ...

Additional info:

If I log in using pulp-admin on the foreman host and then copy ~/.pulp/user-cert.pem to the capsule, then everything works as expected (i.e. I can use pulp-admin on the capsule without any limitations).

katello-agent-2.3.1-4.el7.noarch
katello-certs-tools-2.3.0-4.el7.noarch
katello-debug-2.3.0-6.el7.noarch
katello-default-ca-1.0-1.noarch
katello-installer-base-2.3.1-6.el7.noarch
katello-selinux-2.2.1-1.el7.noarch
katello-server-ca-1.0-2.noarch
katello-service-2.3.0-6.el7.noarch
pulp-admin-client-2.6.2-1.el7.noarch
pulp-docker-plugins-1.0.1-1.el7.noarch
pulp-katello-0.4-2.el7.noarch
pulp-nodes-child-2.6.2-1.el7.noarch
pulp-nodes-common-2.6.2-1.el7.noarch
pulp-nodes-parent-2.6.2-1.el7.noarch
pulp-puppet-plugins-2.6.2-1.el7.noarch
pulp-rpm-admin-extensions-2.6.2-1.el7.noarch
pulp-rpm-handlers-2.6.2-1.el7.noarch
pulp-rpm-plugins-2.6.2-1.el7.noarch
pulp-selinux-2.6.2-1.el7.noarch
pulp-server-2.6.2-1.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
python-kombu-3.0.24-8.pulp.el7.noarch
python-pulp-agent-lib-2.6.2-1.el7.noarch
python-pulp-bindings-2.6.2-1.el7.noarch
python-pulp-client-lib-2.6.2-1.el7.noarch
python-pulp-common-2.6.2-1.el7.noarch
python-pulp-docker-common-1.0.1-1.el7.noarch
python-pulp-puppet-common-2.6.2-1.el7.noarch
python-pulp-rpm-common-2.6.2-1.el7.noarch
rubygem-smart_proxy_pulp-1.0.1-2.el7.noarch
Actions #1

Updated by Eric Helms over 8 years ago

  • translation missing: en.field_release set to 70
  • Triaged changed from No to Yes
Actions #2

Updated by Justin Sherrill over 8 years ago

  • translation missing: en.field_release changed from 70 to 86
Actions #3

Updated by Daniel Lobato Garcia about 8 years ago

100% reproducible - this is also causing trouble in Katello I believe. When I call subscription-manager ... --force on a host, it will try to create a Pulp Consumer using runcible and the same error will show up in journalctl.

Actions #4

Updated by Daniel Lobato Garcia about 8 years ago

  • Tracker changed from Bug to Support
  • Status changed from New to Resolved

Duh - found the reason. Pulp CA key and cert are not managed by Katello at all. In fact the ca.key set in the /etc/pulp/server.conf is wrong.

Run the following script to verify it - https://gist.github.com/dLobatog/6e6c53bca6343ae8fc37 - if it outputs one md5 key, it means all of them were signed by the same CA. But the Pulp ca key isn't signed by the same CA.

I'd say just call Pulp actions with '--username username --password password', like 'pulp-admin --username username --password password consumer list'. Or change the cakey in /etc/pulp/server.conf to point to /etc/pki/katello/private/katello-default-ca.key.
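
The "CA certificate and CA private key do not match" condition from the error output can be checked directly by comparing the public key inside the CA certificate with the public key derived from the CA key. This is an added example, not part of the original ticket and not the linked gist; the function names are hypothetical, the certificate and key paths are passed as arguments, and it assumes the `openssl` CLI and an unencrypted key.

```sh
#!/bin/sh
# Added example: verify that a CA certificate and a CA private key are a pair.
# Assumes the openssl CLI is installed and the private key is not encrypted.

# Print the public key (PEM) of a certificate ("cert") or private key ("key").
public_key_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Print a SHA-256 fingerprint of that public key, handy for comparing hosts.
pubkey_fingerprint() {
    pem=$(public_key_of "$1" "$2") || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if cert and key match, 1 on mismatch, 2 if either is unreadable.
ca_pair_matches() {
    cert_pub=$(public_key_of cert "$1") || return 2
    key_pub=$(public_key_of key "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Create a constructed, throwaway self-signed CA: DIR/NAME.crt and DIR/NAME.key.
make_throwaway_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demo on constructed data: a matching pair, then a cert with another CA's key.
demo_throwaway_cas() {
    dir=$(mktemp -d) || return 2
    make_throwaway_ca "$dir" good && make_throwaway_ca "$dir" other || return 2
    same=0;    ca_pair_matches "$dir/good.crt" "$dir/good.key"  || same=$?
    swapped=0; ca_pair_matches "$dir/good.crt" "$dir/other.key" || swapped=$?
    echo "matching pair -> $same, cert with another CA's key -> $swapped"
    rm -rf "$dir"
    [ "$same" -eq 0 ] && [ "$swapped" -eq 1 ]
}

# With two arguments, check real files; with none, run the constructed demo.
if [ "$#" -eq 2 ]; then
    ca_pair_matches "$1" "$2" && echo "match" || echo "MISMATCH or unreadable"
else
    demo_throwaway_cas
fi
```

Run it with the CA certificate and CA key that the Pulp server configuration points at; a mismatch here corresponds to the `X509_check_private_key:key values mismatch` error when the login certificate is signed.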
