[Pulp-list] Repo Auth Setup Script: pulp/playpen/certs
jmatthew at redhat.com
Fri Aug 19 16:36:31 UTC 2011
I wrote some scripts to make setting up an environment for repo auth testing easier.
You can run a single script and it will create a basic environment.
- Generate a new root CA cert
- Generate a new SSL server cert/key (for https with Apache) with CN of your hostname
- Generate a new client cert/key with extensions for a test repo
- Enable the repo auth config setting
- Modify Apache's ssl.conf
- Restart Apache
Script to create a test repo and upload content certs to pulp:
- run: ./create_test_repos.py
- Repo feed is: http://repos.fedorapeople.org/repos/pulp/pulp/fedora-15/i386/
To perform a basic sanity check:
- run: ./test_fetch.py
- This will verify repo auth is working by using the client cert and curl to fetch repomd.xml from the protected repo
There are also scripts present to examine a cert and debug issues if they come up.
Example run of 'setup.sh'.
Running: openssl genrsa -out ./certs/Pulp_CA.key 2048
Running: openssl req -new -x509 -days 365 -key ./certs/Pulp_CA.key -out ./certs/Pulp_CA.cert -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=Pulp-Root-CA'
CA Key: ./certs/Pulp_CA.key
CA Cert: ./certs/Pulp_CA.cert
Running: openssl genrsa -out ./certs/Pulp_server.key 2048
Running: openssl req -new -key ./certs/Pulp_server.key -out ./certs/Pulp_server.csr -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=jwm-devel.home'
Running: openssl x509 -req -days 365 -CA ./certs/Pulp_CA.cert -CAkey ./certs/Pulp_CA.key -in ./certs/Pulp_server.csr -out ./certs/Pulp_server.cert -CAserial ./certs/Pulp_CA.srl
Server Cert: ./certs/Pulp_server.cert
Server Key: ./certs/Pulp_server.key
Running: openssl genrsa -out ./certs/Pulp_client.key 2048
Running: openssl req -new -key ./certs/Pulp_client.key -out ./certs/Pulp_client.csr -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=Pulp_Content_Cert'
Running: openssl x509 -req -days 365 -CA ./certs/Pulp_CA.cert -CAkey ./certs/Pulp_CA.key -extfile ./extensions.txt -extensions pulp-repos -in ./certs/Pulp_client.csr -out ./certs/Pulp_client.cert -CAserial ./certs/Pulp_CA.srl
Client Cert: ./certs/Pulp_client.cert
Client Key: ./certs/Pulp_client.key
Running: cp ./certs/Pulp_server.key /etc/pki/content/Pulp_server.key
Running: cp ./certs/Pulp_server.cert /etc/pki/content/Pulp_server.cert
Running: sed -i 's/^SSLCertificateFile.*/SSLCertificateFile \/etc\/pki\/content\/Pulp_server.cert/' /etc/httpd/conf.d/ssl.conf
Running: sed -i 's/^SSLCertificateKeyFile.*/SSLCertificateKeyFile \/etc\/pki\/content\/Pulp_server.key/' /etc/httpd/conf.d/ssl.conf
Httpd ssl.conf has been updated
Running: sed -i 's/enabled: false/enabled: true/' /etc/pulp/repo_auth.conf
Running: /sbin/service httpd restart
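The following is an added example, not the playpen setup.sh itself: a self-contained shell script that builds the same three pieces the transcript shows (root CA, server cert, client cert carrying a repo extension) into a throwaway directory and then checks them offline with openssl, the way test_fetch.py checks them with curl. It differs from the transcript in three ways worth noting: the CA cert gets an explicit CA:TRUE basic constraint, the server cert gets a subjectAltName (current TLS clients ignore the CN when matching hostnames), and signing uses -CAcreateserial so the first run does not fail on a missing .srl file. The extension OID and repo path are assumptions: the OID is a hypothetical stand-in for whatever extensions.txt defines, and the path is constructed sample data.

```shell
#!/bin/sh
# Added example, not the pulp/playpen/certs setup.sh itself: build a throwaway
# test PKI (root CA, server cert, client cert with a repo extension) and check
# it offline with openssl.
# Assumptions not taken from the original post: REPO_OID is a hypothetical
# stand-in for whatever extensions.txt defines; REPO_PATH is constructed data.
set -eu

REPO_OID="1.3.6.1.4.1.99999.9.1"    # hypothetical OID, not Pulp's real one
REPO_PATH="/pulp/repos/test-repo"   # constructed sample value

# Usage: make_pki <dir> <hostname>
make_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # One config file: a minimal [req] section so openssl req works without a
    # system openssl.cnf, plus one extension section per certificate type.
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
[pulp-repos]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
$REPO_OID = ASN1:UTF8String:$REPO_PATH
EOF
    # Root CA: CSR, then self-sign with the [ca] extensions.
    openssl genrsa -out "$dir/Pulp_CA.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ext.cnf" -key "$dir/Pulp_CA.key" \
        -subj "/O=Test/OU=Pulp/CN=Pulp-Root-CA" -out "$dir/Pulp_CA.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/Pulp_CA.csr" -signkey "$dir/Pulp_CA.key" \
        -extfile "$dir/ext.cnf" -extensions ca -out "$dir/Pulp_CA.cert" 2>/dev/null
    # Server and client certs issued by the CA. -CAcreateserial creates the
    # serial file on first use instead of requiring it to exist already.
    for name in server client; do
        if [ "$name" = server ]; then cn="$host"; ext=server
        else cn="Pulp_Content_Cert"; ext=pulp-repos; fi
        openssl genrsa -out "$dir/Pulp_$name.key" 2048 2>/dev/null
        openssl req -new -config "$dir/ext.cnf" -key "$dir/Pulp_$name.key" \
            -subj "/O=Test/OU=Pulp/CN=$cn" -out "$dir/Pulp_$name.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/Pulp_$name.csr" \
            -CA "$dir/Pulp_CA.cert" -CAkey "$dir/Pulp_CA.key" -CAcreateserial \
            -extfile "$dir/ext.cnf" -extensions "$ext" \
            -out "$dir/Pulp_$name.cert" 2>/dev/null
    done
}

# Returns 0 when both leaf certs chain to the CA for their purpose and the
# client cert actually carries the repo extension the protected repo relies on.
verify_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/Pulp_CA.cert" -purpose sslserver "$dir/Pulp_server.cert" >/dev/null &&
    openssl verify -CAfile "$dir/Pulp_CA.cert" -purpose sslclient "$dir/Pulp_client.cert" >/dev/null &&
    openssl x509 -in "$dir/Pulp_client.cert" -noout -text | grep -q "$REPO_PATH"
}

# Negative check: a self-signed client cert with the same subject and the same
# repo extension, but not issued by the test CA, must be rejected.
# Returns 0 when it is rejected.
rogue_rejected() {
    dir="$1"
    openssl genrsa -out "$dir/rogue.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ext.cnf" -key "$dir/rogue.key" \
        -subj "/O=Test/OU=Pulp/CN=Pulp_Content_Cert" -out "$dir/rogue.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/rogue.csr" -signkey "$dir/rogue.key" \
        -extfile "$dir/ext.cnf" -extensions pulp-repos -out "$dir/rogue.cert" 2>/dev/null
    ! openssl verify -CAfile "$dir/Pulp_CA.cert" -purpose sslclient "$dir/rogue.cert" >/dev/null 2>&1
}

# Stand-alone run: ./make_test_pki.sh run   (hypothetical file name)
if [ "${1:-}" = run ]; then
    make_pki ./certs "$(hostname)"
    verify_pki ./certs && rogue_rejected ./certs && echo "test PKI OK"
fi
```

The rogue check is the part that matters for repo auth: Apache only protects the repo if it verifies the client cert against the CA configured in ssl.conf, so a client cert that merely looks right (same CN, same extension) has to fail. Inspect the extension itself with openssl x509 -in ./certs/Pulp_client.cert -noout -text, which prints the OID and the repo path bytes.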