Bug #12841
closed
Cert mismatch for katello 2.4 RC3 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf
Description
Cert mismatch for katello 2.4 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf; this causes you not to be able to use pulp-admin.
In /etc/pulp/server.conf under [security], the cacert and cakey fields do not match what is in /etc/httpd/conf.d/pulp.conf.
[root@puppet100 ~]# pulp-admin rpm repo content errata --repo-id=Default_Organization-CentOS_7_x86_64-CentOS_7_x86_64_Extras
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.
~/.pulp/admin.log
---------------------------------------------------
2015-12-16 00:07:04,410 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 405, in errata
    self.run_search([TYPE_ERRATUM], **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 158, in run_search
    units = self.context.server.repo_unit.search(repo_id, **kwargs).response_body
  File "/usr/lib/python2.7/site-packages/pulp/bindings/repository.py", line 467, in search
    return self.server.POST
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 100, in POST
    log_request_body=log_request_body, ignore_prefix=ignore_prefix)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 152, in _request
    response_code, response_body = self.server_wrapper.request(method, url, body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 349, in request
    raise exceptions.ConnectionException(None, str(err), None)
ConnectionException: (None, 'tlsv1 alert unknown ca', None)
Updated by Rodrigo Menezes almost 9 years ago
Just to add some more information, just checked on a Katello 2.3 deployment I have and this is what it looks like:
[security]
cacert: /etc/pki/katello/certs/katello-default-ca.crt
cakey: /etc/pki/katello/private/katello-default-ca.key
ssl_ca_certificate: /etc/pki/pulp/ssl_ca.crt
Updated by Justin Sherrill over 8 years ago
- Release changed from 70 to 113
Updated by Eric Helms over 8 years ago
- Status changed from New to Need more information
Are you able to use username/password with pulp-admin and not hit this error? The certs were removed from server.conf intentionally to reduce our coupling and because they are essentially deprecated. If username and password specification don't work, we will investigate a further solution.
Updated by Rodrigo Menezes over 8 years ago
This happens when I'm logging in with a username/password. From my understanding of what is going on, it looks like "pulp-admin login -u admin --password=XYZ" generates a temporary cert based on the incorrect CA in server.conf and when it tries to communicate with Pulp through http there is a cert mismatch.
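Added example (not part of the ticket and not Katello or Pulp code): a check for the mismatch discussed in this thread. It reads `cacert` from the `[security]` section of server.conf and compares it with the CA file Apache trusts for client certificates; it assumes pulp.conf sets that file through mod_ssl's `SSLCACertificateFile` directive, and the sample paths and certificate bodies are constructed.

```python
import base64
import configparser
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# mod_ssl directive for the client-verification CA file; ^ skips commented-out lines.
APACHE_CA_RE = re.compile(r"^[ \t]*SSLCACertificateFile[ \t]+(\S+)", re.M | re.I)

def sample_pem(raw):  # constructed stand-in for a real certificate
    body = base64.b64encode(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

# Constructed sample inputs; /etc/pki/example/other-ca.crt is a made-up path.
SAMPLE_SERVER_CONF = "[security]\ncacert: /etc/pki/example/other-ca.crt\n"
SAMPLE_PULP_CONF = ("# SSLCACertificateFile /etc/pki/example/old.crt\n"
                    "SSLCACertificateFile /etc/pki/katello/certs/katello-default-ca.crt\n")
SAMPLE_FILES = {"/etc/pki/example/other-ca.crt": sample_pem(b"constructed CA B"),
                "/etc/pki/katello/certs/katello-default-ca.crt": sample_pem(b"constructed CA A")}

def pulp_cacert_path(server_conf_text):
    """Return [security] cacert from server.conf text, or None if it is not set."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(server_conf_text)
    return cp.get("security", "cacert", fallback=None)

def apache_ca_path(pulp_conf_text):
    """Return the active SSLCACertificateFile path from pulp.conf text, or None."""
    m = APACHE_CA_RE.search(pulp_conf_text)
    return m.group(1).strip("\"'") if m else None

def fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate in a PEM file or bundle."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)}

def check_ca(server_conf_text, pulp_conf_text, read):
    """Return 'unset', 'match' or 'mismatch'; read(path) returns a file's text."""
    signer, trusted = pulp_cacert_path(server_conf_text), apache_ca_path(pulp_conf_text)
    if not signer or not trusted:
        return "unset"
    if signer == trusted:
        return "match"
    # Different paths may hold the same CA, and Apache's file may be a bundle.
    sig = fingerprints(read(signer))
    return "match" if sig and sig <= fingerprints(read(trusted)) else "mismatch"

if __name__ == "__main__":
    print(check_ca(SAMPLE_SERVER_CONF, SAMPLE_PULP_CONF, SAMPLE_FILES.__getitem__))
```

On a real host, pass the text of /etc/pulp/server.conf and /etc/httpd/conf.d/pulp.conf and a `read` callable that opens the referenced certificate files.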
Updated by Justin Sherrill over 8 years ago
After a discussion we're not planning on fixing this as:
a) pulp is planning on deprecating pulp-admin login
b) it greatly simplifies our installer code and permissions to not let pulp access the CA private key
Instead we will document this error and the workaround for the issue.
Updated by Rodrigo Menezes over 8 years ago
Would you be able to go more into what the workaround is, so that I may try and build it into this script beforehand: https://github.com/brdude/pulp_centos_errata_import
Updated by Justin Sherrill over 8 years ago
Hey Michael,
Apologies for the delay.
The workaround is to simply use
'pulp-admin -u admin -p PASSWORD subcommand'
rather than 'pulp-admin login'.
In Katello 3.0 (next version of katello expected in the next month or so), we will also generate a pulp client key at installation time which can be used by pulp-admin. To get it in the right place and form you'd simply run:
sudo cat /etc/pki/katello/certs/pulp-client.crt /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem
and then pulp-admin will work as the 'admin' user without specifying any username or password.
Updated by Justin Sherrill over 8 years ago
- Category changed from 91 to Documentation
- Status changed from Need more information to Assigned
- Assignee set to Justin Sherrill
- Release changed from 113 to 86
Updated by The Foreman Bot over 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/Katello/katello.org/pull/237 added
Updated by Justin Sherrill over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello-website|066432508399c200a18d8016668df96bc6fcbb4c.