Bug #16179: published repositories give 403 forbidden when attempting to navigate to the https address - Katello - Foreman

Bug #16179

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1320179  
  +++ This bug was initially created as a clone of Bug #1242310 +++ 

 +++ This bug was initially created as a clone of Bug #1128870 +++ 

 Description of problem: 

 Published repositories give 403 forbidden when attempting to navigate to the https address 


 Version-Release number of selected component (if applicable): 
 Version 6.0.8 

 How reproducible: 
 Choose organization, then Content > Content Views, choose Content> repositories click the repository and try to navigate to 'Published At' link to receive. 

 Forbidden 

 You don't have permission to access /pulp/repos/ACME_Corporation/Library/content/dist/rhel/server/6/6Server/x86_64/os on this server. 

 Actual results: 
 Can browse repos via HTTP but on HTTPS port it fails with below error 

 Forbidden 

 You don't have permission to access /pulp/repos/RedHat/ on this server. 

 Expected results: 
 Rpos should be browsable via https repo 

 Additional information:  

 Followed the steps provided in https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/User_Guide/#Create_a_New_Organization_Debug_Certificate 

 Still the repos are not browsable via HTTPS port. Below are my findings  

  # cat /etc/httpd/conf.d/pulp_nodes.conf file 

 # -- HTTP Repositories --------- 

 Alias /pulp/nodes/http/repos /var/www/pulp/nodes/http/repos 

 <Directory /var/www/pulp/nodes/http/repos > 
   Options FollowSymLinks Indexes 
 </Directory> 

 # -- HTTPS Repositories --------- 

 Alias /pulp/nodes/https/repos /var/www/pulp/nodes/https/repos 

 <Directory /var/www/pulp/nodes/https/repos > 
   Options FollowSymLinks Indexes 
   SSLRequireSSL 
   SSLVerifyClient require 
   SSLVerifyDepth    5 
   SSLOptions +FakeBasicAuth 
   SSLRequire %{SSL_CLIENT_S_DN_O} eq "PULP" and %{SSL_CLIENT_S_DN_OU} eq "NODES"     ------> This line is causing the trouble as its expecting Org to be PULP and OU to be NODES in the CA cert which is why its failing 
 </Directory> 

 Also we can see some traceback/errors in the /var/log/httpd/foreman-ssl_error_ssl.log when accessing content on HTTPS port. 

 [root@dhcp233-55 ~]# tail -f -n0 /var/log/httpd/foreman-ssl_error_ssl.log 
 [Mon Jul 13 07:40:09.924854 2015] [:error] [pid 31432] [client 10.65.223.44:55319] mod_wsgi (pid=31432): Exception occurred processing WSGI script '/srv/pulp/repo_auth.wsgi'. 
 [Mon Jul 13 07:40:09.924963 2015] [:error] [pid 31432] [client 10.65.223.44:55319] Traceback (most recent call last): 
 [Mon Jul 13 07:40:09.925010 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/srv/pulp/repo_auth.wsgi", line 34, in allow_access 
 [Mon Jul 13 07:40:09.925175 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       authorized = _handle(environ) 
 [Mon Jul 13 07:40:09.925203 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/srv/pulp/repo_auth.wsgi", line 71, in _handle 
 [Mon Jul 13 07:40:09.925246 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       result = f(environ) 
 [Mon Jul 13 07:40:09.925274 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py", line 46, in authenticate 
 [Mon Jul 13 07:40:09.925735 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       environ["wsgi.errors"].write) 
 [Mon Jul 13 07:40:09.925786 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py", line 120, in is_valid 
 [Mon Jul 13 07:40:09.925837 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       is_valid = self._check_extensions(cert_pem, dest, log_func) 
 [Mon Jul 13 07:40:09.925863 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/usr/lib/python2.7/site-packages/pulp_rpm/repo_auth/oid_validation.py", line 166, in _check_extensions 
 [Mon Jul 13 07:40:09.925904 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       cert = certificate.create_from_pem(cert_pem) 
 [Mon Jul 13 07:40:09.925930 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/usr/lib64/python2.7/site-packages/rhsm/certificate.py", line 64, in create_from_pem 
 [Mon Jul 13 07:40:09.926441 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       return _CertFactory().create_from_pem(pem) 
 [Mon Jul 13 07:40:09.926529 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 74, in create_from_pem 
 [Mon Jul 13 07:40:09.927029 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       return self._read_x509(_certificate.load(pem=pem), path, pem) 
 [Mon Jul 13 07:40:09.927160 2015] [:error] [pid 31432] [client 10.65.223.44:55319]     File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 100, in _read_x509 
 [Mon Jul 13 07:40:09.927304 2015] [:error] [pid 31432] [client 10.65.223.44:55319]       raise CertificateException(str(e)) 
 [Mon Jul 13 07:40:09.927491 2015] [:error] [pid 31432] [client 10.65.223.44:55319] CertificateException: Invalid date Bad time value: Invalid month: Bad 
 [Mon Jul 13 07:40:09.927717 2015] [:error] [pid 31432] [client 10.65.223.44:55319] mod_wsgi (pid=31432): Client denied by server configuration: '/var/www/pub/yum/https/repos/RedHat'. 

 [root@dhcp233-55 ~]# date 
 Mon Jul 13 07:40:32 IST 2015 

 --- Additional comment from RHEL Product and Program Management on 2015-07-12 22:24:20 EDT --- 

 Since this issue was entered in Red Hat Bugzilla, the release flag has been 
 set to ? to ensure that it is properly evaluated for this release. 

 --- Additional comment from RHEL Product and Program Management on 2015-07-12 22:26:00 EDT --- 

 Since this issue was entered in Red Hat Bugzilla, the pm_ack has been 
 set to + automatically for the next planned release 

 --- Additional comment from Fred van Zwieten on 2015-09-07 08:15:40 EDT --- 

 Possibly related, but not a dup afaict: https://bugzilla.redhat.com/show_bug.cgi?id=1260560 

 --- Additional comment from DipenDevra on 2015-09-10 05:15:06 EDT --- 

 Hello, 

 I have a case(SFDC#01505222), in which Customer is asking for the further update/timeline/ of Bug. 

 Thanks and Regards, 
 Dipen Devra 

 --- Additional comment from Bryan Kearney on 2015-10-09 08:41:24 EDT --- 

 Using Tazims machines, I see: 

 [bkearney@fivehole code] $ curl -k --cert /home/bkearney/Downloads/Default\ Organization-key-cert.pem    https://dell-pe1955-01.rhts.eng.bos.redhat.com/pulp/repos/Default_Organization/Library/content/dist/rhel/server/6/6.6/x86_64/os 
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
 <html><head> 
 <title>403 Forbidden</title> 
 </head><body> 
 <h1>Forbidden</h1> 
 <p>You don't have permission to access /pulp/repos/Default_Organization/Library/content/dist/rhel/server/6/6.6/x86_64/os 
 on this server.</p> 
 </body></html> 


 And, if I try and look at the cert I see, 

 [bkearney@fivehole code] $ rct stat-cert /home/bkearney/Downloads/Default\ Organization-key-cert.pem  
 Unable to read certificate file '/home/bkearney/Downloads/Default Organization-key-cert.pem': Invalid date Bad time value: Invalid month: Bad 


 Attaching the cert 

 --- Additional comment from Bryan Kearney on 2015-10-09 08:42 EDT --- 



 --- Additional comment from Joseph Kachuck on 2015-11-09 14:34:06 EST --- 

 May I allow IBM access to this BZ? 

 Thank You 
 Joe Kachuck 

 --- Additional comment from Mike McCune on 2015-11-24 16:34:32 EST --- 

 BZ is now public. 

 --- Additional comment from Justin Sherrill on 2016-03-03 17:00:59 EST --- 

 After chatting with the candlepin team, this seems like it may be a bug in m2crypto.   

 I wrote a small python script https://gist.github.com/jlsherrill/ad4e9a7122c08e6a7436 to test a particular cert and the uber certs seem to fail.   

 Al's analysis indicates that certs with an expiration date after 2050 fail to validate in m2crypto. 

 --- Additional comment from Justin Sherrill on 2016-03-04 08:10:08 EST --- 

 This is also preventing capsule syncing from working in Satellite 6.2. 

 --- Additional comment from Alex Wood on 2016-03-07 14:29:12 EST --- 

 Filed upstream bug with M2Crypto at https://gitlab.com/m2crypto/m2crypto/issues/103 

 However, python-rhsm only uses M2Crypto to read version 1 entitlement certificates.    Version 3 entitlement certificates are read via a C extension.    The same problem exists in that extension as well (GeneralizedTimes being interpreted as UTCTimes).    See https://github.com/candlepin/python-rhsm/blob/d437f96f0aa3311f4b9b21a5fd128825ecc52f72/src/certificate.c#L447 

 The fastest fix is to path Candlepin to not issue certificates with an expiration date past 2050. 

 --- Additional comment from Bryan Kearney on 2016-03-07 16:06:15 EST --- 

 Upstream bug component is Capsule 

 --- Additional comment from Bryan Kearney on 2016-03-10 14:50:04 EST --- 

 Upstream bug assigned to jomitsch@redhat.com 

 --- Additional comment from Justin Sherrill on 2016-03-10 14:56:45 EST --- 

 Unlinked from upstream issue as the problem is being resolved in candlepin 

 --- Additional comment from Brad Buckingham on 2016-03-21 12:34:02 EDT --- 

 Moving all beta bugs without blocker+ to GA.

Back

Project

General

Profile

Plugins » Katello

Bug #16179