Bug #9816
closed
Capsule: cannot browse /pub using both http and https
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1198741
Description of problem:
This is a parity issue vis-à-vis Satellite itself.
In satellite, user can browse to /pub using http and https
In the capsule, currently, user can only browse to https
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Attempt to browse to https://capsule.example.com/pub
2. Attempt to browse to http://capsule.example.com/pub
3. Attempt to browse to https://satellite.example.com/pub
4. Attempt to browse to http://satellite.example.com/pub
Actual results:
User cannot browse to /pub via http ('Forbidden') on a capsule
Expected results:
User can browse via http and/or parity with satellite itself
The problem manifests itself when trying to retrieve the ca-cert from /pub, using curl, or something similar, which doesn't by default allow self-signed certs.
[root@qe-blade-03 ~]# wget https://cloud-qe-3.idmqe.lab.eng.bos.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
--2015-03-04 12:41:25-- https://cloud-qe-3.idmqe.lab.eng.bos.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
Resolving cloud-qe-3.idmqe.lab.eng.bos.redhat.com (cloud-qe-3.idmqe.lab.eng.bos.redhat.com)... 10.16.96.112
Connecting to cloud-qe-3.idmqe.lab.eng.bos.redhat.com (cloud-qe-3.idmqe.lab.eng.bos.redhat.com)|10.16.96.112|:443... connected.
ERROR: cannot verify cloud-qe-3.idmqe.lab.eng.bos.redhat.com's certificate, issued by ‘/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=rhsm-qe-2.rhq.lab.eng.bos.redhat.com’:
Self-signed certificate encountered.
To connect to cloud-qe-3.idmqe.lab.eng.bos.redhat.com insecurely, use `--no-check-certificate'.
Now, the user can manually modify this URL to be http only, and that sort of resolves the issue. But the fact remains, users can browse to /pub on a satellite itself using both secure and non-secure methods. On the capsule, users can only browse via https.
Are there workarounds? Yes:
- user can use --no-check-certificate in curl
- user can manually modify URL header even though user cannot actually browse to /pub root
But is it a good customer experience? Not really.
Additional info: