<div dir="ltr"><div>Hi Jason and Randy,</div><div><br></div><div><span class="" style="white-space:pre"> </span>Thanks for your assistance with this issue. Excuse the essay but I wanted to be thorough in explaining the steps I am performing.</div><div><span class="" style="white-space:pre"> </span></div><div><span class="" style="white-space:pre"> </span>Jason this is mostly your steps just re-worded to understand and hopefully get it right.</div><div><span class="" style="white-space:pre"> </span></div><div><span class="" style="white-space:pre"> </span>This example RHEL7, Apache 2.4, Pulp 2.4 , Hostname: pulp01.rap.local</div><div><span class="" style="white-space:pre"> </span></div><div><b>Steps:<span class="" style="white-space:pre"> </span></b></div><div><span class="" style="white-space:pre"> </span></div><div><font face="courier new, monospace">mkdir -pv /etc/pki/pulp_certs</font></div><div><font face="courier new, monospace">cd /etc/pki/pulp_certs</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">openssl genrsa -out pulpca.key 2048</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">pulpca.key</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">openssl req -new -key pulpca.key -out pulpca.csr</font></div><div><br></div><div><br></div><div><b># On the MS Root CA</b></div><div><br></div><div><a href="http://localrootca/certsrv/">http://localrootca/certsrv/</a></div><div><br></div><div>Request a Certificate > advanced certificate request > </div><div><br></div><div>Paste the pulpca.csr Into the Saved Request Section > </div><div><br></div><div>Certifcate Template: Web Server</div><div><br></div><div>Additional Attributes: Left this blank</div><div><br></div><div>- Base64 > Download Certificate.</div><div><br></div><div>scp certnew.cer as user admin across to pulp01</div><div><br></div><div><br></div><div><font face="courier new, monospace">cd /home/admin</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">chown -v root.root certnew.cer</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">cp -v /home/admin/certnew.cer /etc/pki/pulp_certs/pulpca.crt</font></div><div><br></div><div><br></div><div><b><br></b></div><div><b># Create SSL cert for the pulp service which is run via Apache, using our Intermediary CA cert to sign it:</b></div><div><br></div><div><font face="courier new, monospace">openssl genrsa -out pulp01.rap.local.key 2048</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">openssl req -new -key pulp01.rap.local.key -out pulp01.rap.local.csr</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key -set_serial 01 -in pulp01.rap.local.csr -out pulp01.rap.local.crt</font></div><div><br></div><div><br></div><div><br></div><div><b># Grab the ROOT CA Cert:</b></div><div><br></div><div><a href="http://localrootca/certsrv/">http://localrootca/certsrv/</a> > Download a CA certificate, certificate chain, or CRL > To trust certificates issued from this certification authority, install this CA certificate > certnew.csr</div><div><br></div><div>SCP This across to /etc/pki/pulp_certs/</div><div><br></div><div><font face="courier new, monospace">mv -v /home/admin/certnew.cer /etc/pki/pulp_certs/rootca.crt</font></div><div><font face="courier new, monospace">chown -v root.root /etc/pki/pulp_certs/rootca.crt</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">cd /etc/pki/pulp_certs</font></div><div><font face="courier new, monospace">cat rootca.crt pulpca.crt > pulpca_chain.crt</font></div><div><br></div><div><br></div><div>As per Randy's email: to add the certs in to the ca-bundle.crt to survive the RHEL package updates to the CA bundle.</div><div><br></div><div>man update-ca-trust as explained in QUICK HELP 1: </div><div><br></div><div><font face="courier new, monospace">cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/</font></div><div><font face="courier new, monospace">update-ca-trust extract && echo $?</font></div><div><br></div><div><b>In the Apache Config:</b></div><div><br></div><div><font face="courier new, monospace">vim /etc/httpd/conf.d/ssl.conf</font></div><div><font face="courier new, monospace"> </font></div><div><font face="courier new, monospace">SSLCertificateFile /etc/pki/pulp_certs/pulp01.rap.local.crt</font></div><div><font face="courier new, monospace">SSLCertificateKeyFile /etc/pki/pulp_certs/pulp01.rap.local.key</font></div><div><font face="courier new, monospace">SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt = This should stay the same as we just updated our CA Trust???</font></div><div><br></div><div><br></div><div><a href="https://pulp01.rap.local">https://pulp01.rap.local</a></div><div><br></div><div>Now Apache is telling me the SSL is self signed and should not be trusted.... = Certificate Fail</div><div><br></div><div>My next question is should I be using separate SSL Certs for Apache and PULP? As Pulp should read from Apache's SSL Certs I'd assume they would be the same?</div><div><br></div><div>If they are seperate certificates to PULP is obviosuly not using the SSL Certs from Apache and seperate certifiates should be specified in?</div><div><br></div><div><font face="courier new, monospace">/etc/httpd/conf.d/ssl.conf</font></div><div><font face="courier new, monospace">/etc/httpd/conf.d/pulp.conf</font></div><div><font face="courier new, monospace">/etc/pulp/admin/admin.conf</font></div><div><font face="courier new, monospace">/etc/pulp/server.conf</font></div><div><br></div><div>Thanks for your time and look forward to understanding this better.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 30, 2014 at 12:06 AM, Randy Barlow <span dir="ltr"><<a href="mailto:rbarlow@redhat.com" target="_blank">rbarlow@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If you don't mind, it's best to reply to the list in the future.<br>
<br>
On 10/28/2014 05:57 PM, Gavin Jones wrote:<br>
> cat /etc/pki/entitlement/6666666.pem this is different to the one from<br>
> the RHEL7 Customer Portal, as the one certificate listed from the<br>
> Customer Portal looks to be a combination of<br>
> /etc/pki/entitlement/6666666.pem and /etc/pki/entitlement/6666666-key.pem<br>
><br>
> Maybe this is behind it and maybe I should be specifying only once cert<br>
> when I create the repo?<br>
<br>
Pulp prefers to get the cert and key separately, so I don't think it is<br>
important to combine them.<br>
<br>
> Option 1:<br>
><br>
> I could get a free startssl cert, however does PULP really require a<br>
> Public CA Signed Cert just to use it? A signed Cert from an internal<br>
> root ca is not suffice?<br>
<br>
No, you can install your own CA on the host, which would make it a<br>
trusted CA. See man update-ca-trust for more info on how to do that.<br>
<br>
> Option 2: This is on a local host, still made no difference :(<br>
><br>
> vim /etc/pulp/admin/admin.conf<br>
> verify_ssl = False<br>
> systemctl restart httpd<br>
<br>
Do you have a ~/.pulp/admin.conf? If so, is verify_ssl set in there?<br>
<br>
> Option 3:<br>
><br>
> I have been using the same certificates I generated for the httpd<br>
> server, should I have not been doing this? I copied the certs I<br>
> generated from /etc/pki/tls/certs and /etc/pki/tls/private into<br>
> /etc/pki/pulp gave them the owner ship of root.apache and chmod 640 all<br>
> certs files.<br>
<br>
You shouldn't need to put apache's certs in /etc/pki/pulp. The certs in<br>
there are used by Pulp for authentication (the CA certs in there) and<br>
for repository authorization, if you are using protected repos.<br>
<br>
</blockquote></div><br></div>