Bug #12841

Cert mismatch for katello 2.4 RC3 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf

Added by Rodrigo Menezes almost 6 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Category: Documentation
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cert mismatch for Katello 2.4 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf; this causes you not to be able to use pulp-admin.

In /etc/pulp/server.conf under [security], the cacert and cakey fields do not match what is in /etc/httpd/conf.d/pulp.conf.

[root@puppet100 ~]# pulp-admin rpm repo content errata --repo-id=Default_Organization-CentOS_7_x86_64-CentOS_7_x86_64_Extras
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.

~/.pulp/admin.log
---------------------------------------------------
2015-12-16 00:07:04,410 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 405, in errata
    self.run_search([TYPE_ERRATUM], **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 158, in run_search
    units = self.context.server.repo_unit.search(repo_id, **kwargs).response_body
  File "/usr/lib/python2.7/site-packages/pulp/bindings/repository.py", line 467, in search
    return self.server.POST
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 100, in POST
    log_request_body=log_request_body, ignore_prefix=ignore_prefix)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 152, in _request
    response_code, response_body = self.server_wrapper.request(method, url, body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 349, in request
    raise exceptions.ConnectionException(None, str(err), None)
ConnectionException: (None, 'tlsv1 alert unknown ca', None)

Attachments:
pulp.conf (1.17 KB) - Rodrigo Menezes, 12/15/2015 07:04 PM
server.conf (11.2 KB) - Rodrigo Menezes, 12/15/2015 07:06 PM

Associated revisions

Revision 06643250
Added by Justin Sherrill over 5 years ago

Fixes #12841 - add documentation for using pulp-admin

Revision ec548aad
Added by Justin Sherrill over 5 years ago

Merge pull request #237 from jlsherrill/pulp-admin

Fixes #12841 - add documentation for using pulp-admin

History

#1 Updated by Rodrigo Menezes almost 6 years ago

Just to add some more information, just checked on a Katello 2.3 deployment I have and this is what it looks like:

[security]
cacert: /etc/pki/katello/certs/katello-default-ca.crt
cakey: /etc/pki/katello/private/katello-default-ca.key
ssl_ca_certificate: /etc/pki/pulp/ssl_ca.crt

#2 Updated by Eric Helms almost 6 years ago

  • Triaged changed from No to Yes

#3 Updated by Justin Sherrill almost 6 years ago

  • Legacy Backlogs Release (now unused) changed from 70 to 113

#4 Updated by Eric Helms almost 6 years ago

  • Status changed from New to Need more information

Are you able to use username/password with pulp-admin and not hit this error? The certs were removed from server.conf intentionally to reduce our coupling and because they are essentially deprecated. If username and password specification don't work, we will investigate a further solution.

#5 Updated by Rodrigo Menezes almost 6 years ago

This happens when I'm logging in with a username/password. From my understanding of what is going on, it looks like "pulp-admin login -u admin --password=XYZ" generates a temporary cert based on the incorrect CA in server.conf and when it tries to communicate with Pulp through http there is a cert mismatch.
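
The mismatch described in the comment above can be confirmed by comparing the CA named in server.conf with the CA httpd trusts for client certificates. This is an added example, not part of the original thread and not Katello or Pulp code. It assumes the httpd side is set with Apache's SSLCACertificateFile directive (the attached pulp.conf is not shown on this page); the function names, the /constructed/ path and the stand-in PEM data are constructed for illustration.

```python
import configparser
import hashlib
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def signing_ca_path(server_conf_text):
    """[security] cacert from server.conf: the CA that signs login certificates."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(server_conf_text)
    return cp.get("security", "cacert", fallback=None)

def trusted_ca_path(httpd_conf_text):
    """SSLCACertificateFile from the httpd config: the CA client certs are checked against."""
    m = re.search(r"^[ \t]*SSLCACertificateFile[ \t]+(\S+)", httpd_conf_text, re.M | re.I)
    return m.group(1).strip("\"'") if m else None

def fingerprints(pem_text):
    """SHA-256 of every certificate in a PEM file (also handles CA bundles)."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def compare(server_conf_text, httpd_conf_text, read_file):
    """Return 'match', 'mismatch' or 'unset' for the two configured CAs."""
    signer = signing_ca_path(server_conf_text)
    trusted = trusted_ca_path(httpd_conf_text)
    if not signer or not trusted:
        return "unset"      # one side relies on a value not written in the file
    if fingerprints(read_file(signer)) & fingerprints(read_file(trusted)):
        return "match"
    return "mismatch"       # certs signed by the first CA fail with 'unknown ca'

# Constructed sample data: stand-in bytes wrapped as PEM, not real certificates.
CA_A = ssl.DER_cert_to_PEM_cert(b"constructed CA A")
CA_B = ssl.DER_cert_to_PEM_cert(b"constructed CA B")
SERVER_CONF = "[security]\ncacert: /etc/pki/katello/certs/katello-default-ca.crt\n"
HTTPD_CONF = ("<VirtualHost *:443>\n"
              "  SSLCACertificateFile /constructed/httpd-ca.crt\n"
              "</VirtualHost>\n")
FILES = {"/etc/pki/katello/certs/katello-default-ca.crt": CA_A,
         "/constructed/httpd-ca.crt": CA_B}

if __name__ == "__main__":
    print(compare(SERVER_CONF, HTTPD_CONF, FILES.__getitem__))
```

On a real host, pass the contents of /etc/pulp/server.conf and /etc/httpd/conf.d/pulp.conf and use `lambda p: open(p).read()` as `read_file`.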

#6 Updated by Justin Sherrill over 5 years ago

After a discussion we're not planning on fixing this as:

a) pulp is planning on deprecating pulp-admin login
b) it greatly simplifies our installer code and permissions to not let pulp access the CA private key

Instead we will document this error and the workaround for the issue.

#7 Updated by Rodrigo Menezes over 5 years ago

Would you be able to go more into what the workaround is, so that I may try and build it into this script beforehand: https://github.com/brdude/pulp_centos_errata_import

#8 Updated by Justin Sherrill over 5 years ago

Hey Michael,

Apologies for the delay.

The workaround is to simply use

'pulp-admin -u admin -p PASSWORD subcommand'

rather than 'pulp-admin login'.

In Katello 3.0 (next version of katello expected in the next month or so), we will also generate a pulp client key at installation time which can be used by pulp-admin. To get it in the right place and form you'd simply run:

sudo cat /etc/pki/katello/certs/pulp-client.crt /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem

and then pulp-admin will work as the 'admin' user without specifying any username or password.

#9 Updated by Justin Sherrill over 5 years ago

  • Category changed from 91 to Documentation
  • Status changed from Need more information to Assigned
  • Assignee set to Justin Sherrill
  • Legacy Backlogs Release (now unused) changed from 113 to 86

#10 Updated by The Foreman Bot over 5 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/Katello/katello.org/pull/237 added

#11 Updated by Justin Sherrill over 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
