Cert mismatch for katello 2.4 RC3 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf
Cert mismatch for katello 2.4 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf, this causes you not to be able to use pulp-admin
In /etc/pulp/server.conf under [security] the cacert and cakey, fields do not match what is in /etc/httpd/conf.d/pulp.conf.
[root@puppet100 ~]# pulp-admin rpm repo content errata --repo-id=Default_Organization-CentOS_7_x86_64-CentOS_7_x86_64_Extras
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.
2015-12-16 00:07:04,410 - ERROR - Client-side exception occurred
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
exit_code = Cli.run(self, args)
File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
exit_code = command_or_section.execute(self.prompt, remaining_args)
File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
return self.method(*arg_list, **clean_kwargs)
File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 405, in errata
File "/usr/lib/python2.7/site-packages/pulp_rpm/extensions/admin/contents.py", line 158, in run_search
units = self.context.server.repo_unit.search(repo_id, **kwargs).response_body
File "/usr/lib/python2.7/site-packages/pulp/bindings/repository.py", line 467, in search
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 100, in POST
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 152, in _request
response_code, response_body = self.server_wrapper.request(method, url, body)
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 349, in request
raise exceptions.ConnectionException(None, str(err), None)
ConnectionException: (None, 'tlsv1 alert unknown ca', None)
#1 Updated by Rodrigo Menezes over 5 years ago
Just to add some more information, just checked on a Katello 2.3 deployment I have and this is what it looks like:
#4 Updated by Eric Helms over 5 years ago
- Status changed from New to Need more information
Are you able to use username/password with pulp-admin and not hit this error? The certs were removed from server.conf intentionally to reduce our coupling and because they are essentially deprecated. If username and password specification don't work, we will investigate a further solution.
#5 Updated by Rodrigo Menezes over 5 years ago
This happens when I'm logging in with a username/password. From my understanding of what is going on, it looks like "pulp-admin login -u admin --password=XYZ" generates a temporary cert based on the incorrect CA in server.conf and when it tried to communicate with Pulp through http there is a cert mismatch.
#6 Updated by Justin Sherrill over 5 years ago
After a discussion we're not planning on fixing this as:
a) pulp is planning on deprecating pulp-admin login
b) it greatly simplifies our installer code and permissions to not let pulp access the CA private key
Instead we will document this error and a the workaround for the issue.
#7 Updated by Rodrigo Menezes over 5 years ago
Would you be able to go more into what the workaround is, so that I may try and build it into this script beforehand: https://github.com/brdude/pulp_centos_errata_import
#8 Updated by Justin Sherrill over 5 years ago
Apologies for the delay.
The workaround is to simply use
'pulp-admin -u admin -p PASSWORD subcommand'
rather than 'pulp-admin login'.
In Katello 3.0 (next version of katello expected in the next month or so), we will also generate a pulp client key at installation time which can be used by pulp-admin. To get it in the right place and form you'd simply run:
sudo cat /etc/pki/katello/certs/pulp-client.crt /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem
and then pulp-admin will work as the 'admin' user without specifying any username or password.
#11 Updated by Justin Sherrill over 5 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello-website|066432508399c200a18d8016668df96bc6fcbb4c.