Bug #16179

published repositories give 403 forbidden when attempting to navigate to the https address

Added by John Mitsch almost 6 years ago. Updated almost 4 years ago.

Status: Rejected
Priority: High
Assignee: -
Category: Web UI
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1320179
++ This bug was initially created as a clone of Bug #1242310 ++

++ This bug was initially created as a clone of Bug #1128870 ++

Description of problem:

Published repositories give 403 forbidden when attempting to navigate to the https address

Version-Release number of selected component (if applicable):
Version 6.0.8

How reproducible:
Choose organization, then Content > Content Views, choose Content > repositories, click the repository and try to navigate to the 'Published At' link to receive:

Forbidden

You don't have permission to access /pulp/repos/ACME_Corporation/Library/content/dist/rhel/server/6/6Server/x86_64/os on this server.

Actual results:
Can browse repos via HTTP but on HTTPS port it fails with below error

Forbidden

You don't have permission to access /pulp/repos/RedHat/ on this server.

Expected results:
Repos should be browsable via https repo

Additional information:

Followed the steps provided in https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/User_Guide/#Create_a_New_Organization_Debug_Certificate

Still the repos are not browsable via HTTPS port. Below are my findings

# cat /etc/httpd/conf.d/pulp_nodes.conf file
# -- HTTP Repositories ---------

Alias /pulp/nodes/http/repos /var/www/pulp/nodes/http/repos

<Directory /var/www/pulp/nodes/http/repos >
Options FollowSymLinks Indexes
</Directory>

# -- HTTPS Repositories ---------

Alias /pulp/nodes/https/repos /var/www/pulp/nodes/https/repos

<Directory /var/www/pulp/nodes/https/repos >
Options FollowSymLinks Indexes
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
SSLRequire %{SSL_CLIENT_S_DN_O} eq "PULP" and %{SSL_CLIENT_S_DN_OU} eq "NODES" ------> This line is causing the trouble as it's expecting Org to be PULP and OU to be NODES in the CA cert which is why it's failing
</Directory>

Also we can see some traceback/errors in the /var/log/httpd/foreman-ssl_error_ssl.log when accessing content on HTTPS port.

[root@dhcp233-55 ~]# tail -f -n0 /var/log/httpd/foreman-ssl_error_ssl.log
[Mon Jul 13 07:40:09.924854 2015] [:error] [pid 31432] [client 10.65.223.44:55319] mod_wsgi (pid=31432): Exception occurred processing WSGI script '/srv/pulp/repo_auth.wsgi'.
[Mon Jul 13 07:40:09.924963 2015] [:error] [pid 31432] [client 10.65.223.44:55319] Traceback (most recent call last):
[Mon Jul 13 07:40:09.925010 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/srv/pulp/repo_auth.wsgi", line 34, in allow_access
[Mon Jul 13 07:40:09.925175 2015] [:error] [pid 31432] [client 10.65.223.44:55319] authorized = _handle(environ)
[Mon Jul 13 07:40:09.925203 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/srv/pulp/repo_auth.wsgi", line 71, in _handle
[Mon Jul 13 07:40:09.925246 2015] [:error] [pid 31432] [client 10.65.223.44:55319] result = f(environ)
[Mon Jul 13 07:40:09.925274 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py", line 46, in authenticate
[Mon Jul 13 07:40:09.925735 2015] [:error] [pid 31432] [client 10.65.223.44:55319] environ["wsgi.errors"].write)
[Mon Jul 13 07:40:09.925786 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py", line 120, in is_valid
[Mon Jul 13 07:40:09.925837 2015] [:error] [pid 31432] [client 10.65.223.44:55319] is_valid = self._check_extensions(cert_pem, dest, log_func)
[Mon Jul 13 07:40:09.925863 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py", line 166, in _check_extensions
[Mon Jul 13 07:40:09.925904 2015] [:error] [pid 31432] [client 10.65.223.44:55319] cert = certificate.create_from_pem(cert_pem)
[Mon Jul 13 07:40:09.925930 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/usr/lib64/python2.7/site-packages/rhsm/certificate.py", line 64, in create_from_pem
[Mon Jul 13 07:40:09.926441 2015] [:error] [pid 31432] [client 10.65.223.44:55319] return _CertFactory().create_from_pem(pem)
[Mon Jul 13 07:40:09.926529 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 74, in create_from_pem
[Mon Jul 13 07:40:09.927029 2015] [:error] [pid 31432] [client 10.65.223.44:55319] return self._read_x509(_certificate.load(pem=pem), path, pem)
[Mon Jul 13 07:40:09.927160 2015] [:error] [pid 31432] [client 10.65.223.44:55319] File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 100, in _read_x509
[Mon Jul 13 07:40:09.927304 2015] [:error] [pid 31432] [client 10.65.223.44:55319] raise CertificateException(str(e))
[Mon Jul 13 07:40:09.927491 2015] [:error] [pid 31432] [client 10.65.223.44:55319] CertificateException: Invalid date Bad time value: Invalid month: Bad
[Mon Jul 13 07:40:09.927717 2015] [:error] [pid 31432] [client 10.65.223.44:55319] mod_wsgi (pid=31432): Client denied by server configuration: '/var/www/pub/yum/https/repos/RedHat'.

[root@dhcp233-55 ~]# date
Mon Jul 13 07:40:32 IST 2015
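
An added example, not part of the original report and not Pulp or Katello code: a small parser for the error-log format quoted above that pairs each "Client denied by server configuration" line with the exception, if any, logged for the same pid and client, so a 403 caused by the auth hook failing to parse the certificate can be told apart from one with no exception behind it. The function name `triage` and the record fields are chosen here; the sample lines are abridged from the log in this report.

```python
import re
from collections import defaultdict

# Sample lines abridged from the error log quoted in this report.
SAMPLE_LOG = """\
[Mon Jul 13 07:40:09.924854 2015] [:error] [pid 31432] [client 10.65.223.44:55319] mod_wsgi (pid=31432): Exception occurred processing WSGI script '/srv/pulp/repo_auth.wsgi'.
[Mon Jul 13 07:40:09.924963 2015] [:error] [pid 31432] [client 10.65.223.44:55319] Traceback (most recent call last):
[Mon Jul 13 07:40:09.927304 2015] [:error] [pid 31432] [client 10.65.223.44:55319] raise CertificateException(str(e))
[Mon Jul 13 07:40:09.927491 2015] [:error] [pid 31432] [client 10.65.223.44:55319] CertificateException: Invalid date Bad time value: Invalid month: Bad
[Mon Jul 13 07:40:09.927717 2015] [:error] [pid 31432] [client 10.65.223.44:55319] mod_wsgi (pid=31432): Client denied by server configuration: '/var/www/pub/yum/https/repos/RedHat'.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
EXC_RE = re.compile(r"^(?P<name>[A-Za-z_][\w.]*(?:Exception|Error)): (?P<detail>.*)$")
DENIED_RE = re.compile(r"Client denied by server configuration: '(?P<path>[^']+)'")
SCRIPT_RE = re.compile(r"Exception occurred processing WSGI script '(?P<script>[^']+)'")

def triage(log_text):
    """Return one record per (pid, client) request that ended in a denial."""
    pending = defaultdict(dict)   # state per (pid, client) while reading
    denials = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue              # not an Apache error-log line in this format
        key, msg = (m["pid"], m["client"]), m["msg"].strip()
        state = pending[key]
        if (s := SCRIPT_RE.search(msg)):
            state["script"] = s["script"]
        elif (e := EXC_RE.match(msg)):
            state["exception"], state["detail"] = e["name"], e["detail"]
        elif (d := DENIED_RE.search(msg)):
            denials.append({
                "time": m["ts"], "client": m["client"], "path": d["path"],
                "script": state.get("script"),
                # An exception name here means the auth hook raised while
                # processing the request; "policy" means none was logged.
                "cause": state.get("exception", "policy"),
                "detail": state.get("detail"),
            })
            pending.pop(key, None)  # request finished; reset its state
    return denials
```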

History

#1 Updated by John Mitsch almost 6 years ago

  • Assignee set to John Mitsch
  • Target version set to 123

#2 Updated by John Mitsch almost 6 years ago

  • Description updated (diff)

#3 Updated by John Mitsch almost 6 years ago

  • Target version deleted (123)

#4 Updated by John Mitsch almost 6 years ago

  • Assignee deleted (John Mitsch)

#5 Updated by Justin Sherrill almost 6 years ago

  • Status changed from New to Rejected
  • Legacy Backlogs Release (now unused) set to 166
