[Pulp-list] Repo Auth Setup Script: pulp/playpen/certs

John Matthews jmatthew at redhat.com
Fri Aug 19 16:36:31 UTC 2011

I wrote some scripts to make setting up an environment for repo auth testing easier.  

You can run a single script and it will create a basic environment. 
  Run: pulp/playpen/certs/setup.sh

 - Generates a new root CA cert
 - Generates a new SSL server cert/key (for https with apache) with CN of your hostname
 - Generates a new client cert/key with extensions for a test repo
 - Enables the repo auth config setting
 - Modifies Apache's ssl.conf
 - Restarts Apache

Script to create a test repo and upload content certs to pulp: 
 - run: ./create_test_repos.py
 - Repo feed is: http://repos.fedorapeople.org/repos/pulp/pulp/fedora-15/i386/

To perform a basic sanity check:
 - run: './test_fetch.py' 
 - This will verify repo auth is working by using the client cert and curl to fetch repomd.xml from the protected repo

There are also scripts present to examine a cert and debug issues if they come up.

Example run of 'setup.sh'.

$ ./setup.sh 
Running: openssl genrsa -out ./certs/Pulp_CA.key 2048
Running: openssl req -new -x509 -days 365 -key ./certs/Pulp_CA.key -out ./certs/Pulp_CA.cert -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=Pulp-Root-CA'
CA Key: ./certs/Pulp_CA.key
CA Cert: ./certs/Pulp_CA.cert
Running: openssl genrsa -out ./certs/Pulp_server.key 2048
Running: openssl req -new -key ./certs/Pulp_server.key -out ./certs/Pulp_server.csr -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=jwm-devel.home'
Running: openssl x509 -req -days 365 -CA ./certs/Pulp_CA.cert -CAkey ./certs/Pulp_CA.key -in ./certs/Pulp_server.csr -out ./certs/Pulp_server.cert -CAserial ./certs/Pulp_CA.srl
Server Cert: ./certs/Pulp_server.cert
Server Key: ./certs/Pulp_server.key
Running: openssl genrsa -out ./certs/Pulp_client.key 2048
Running: openssl req -new -key ./certs/Pulp_client.key -out ./certs/Pulp_client.csr -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=Pulp_Content_Cert'
Running: openssl x509 -req -days 365 -CA ./certs/Pulp_CA.cert -CAkey ./certs/Pulp_CA.key -extfile ./extensions.txt -extensions pulp-repos -in ./certs/Pulp_client.csr -out ./certs/Pulp_client.cert -CAserial ./certs/Pulp_CA.srl
Client Cert: ./certs/Pulp_client.cert
Client Key: ./certs/Pulp_client.key
Running: cp ./certs/Pulp_server.key /etc/pki/content/Pulp_server.key
Running: cp ./certs/Pulp_server.cert /etc/pki/content/Pulp_server.cert
Running: sed -i 's/^SSLCertificateFile.*/SSLCertificateFile \/etc\/pki\/content\/Pulp_server.cert/' /etc/httpd/conf.d/ssl.conf
Running: sed -i 's/^SSLCertificateKeyFile.*/SSLCertificateKeyFile \/etc\/pki\/content\/Pulp_server.key/' /etc/httpd/conf.d/ssl.conf
Httpd ssl.conf has been updated
Running: sed -i 's/enabled: false/enabled: true/' /etc/pulp/repo_auth.conf
Running: /sbin/service httpd restart

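As an added example that is not part of this post or of the pulp/playpen scripts, the sh script below rebuilds the CA, server and client key pairs in the same order as setup.sh, but in a scratch directory, and then checks the two things the repo-auth path relies on: each cert chains to Pulp_CA and the client cert carries the extension section it was signed with, while a client cert with an identical subject issued by an unrelated CA is rejected. The extensions.txt here is constructed, since the post does not show its own: the [pulp-repos] section and the OID 1.3.6.1.4.1.99999.1.1 are placeholders, not Pulp's real definitions. The CA is self-signed through `x509 -signkey` with an explicit CA:TRUE rather than `req -x509`, so the chain does not depend on the distro's openssl.cnf defaults. It assumes only that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the post or the pulp/playpen scripts): build the CA -> server
# cert -> client cert chain that setup.sh creates, then verify what repo auth relies on.
set -e

SUBJ_BASE='/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp'

# Constructed stand-in for the post's ./extensions.txt (its contents are not shown).
# [pulp-ca] makes the root an explicit CA; [pulp-repos] is a client-auth leaf with one
# arbitrary extension carrying the repo path. The OID is a made-up placeholder.
write_extensions() {
  cat > "$1/extensions.txt" <<'EOF'
[pulp-ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[pulp-repos]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
1.3.6.1.4.1.99999.1.1 = ASN1:UTF8String:/pulp/repos/fedora-15/i386
EOF
}

# make_ca <dir> <name>: key + self-signed CA cert named <name>.key / <name>.cert
make_ca() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$SUBJ_BASE/CN=$2"
  openssl x509 -req -days 365 -set_serial 1 -signkey "$1/$2.key" -in "$1/$2.csr" \
    -out "$1/$2.cert" -extfile "$1/extensions.txt" -extensions pulp-ca 2>/dev/null
}

# sign_leaf <dir> <ca-name> <leaf-name> <cn> [extra openssl x509 args...]
sign_leaf() {
  dir=$1; ca=$2; leaf=$3; cn=$4; shift 4
  openssl genrsa -out "$dir/$leaf.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$leaf.key" -out "$dir/$leaf.csr" -subj "$SUBJ_BASE/CN=$cn"
  openssl x509 -req -days 365 -CA "$dir/$ca.cert" -CAkey "$dir/$ca.key" -CAcreateserial \
    -CAserial "$dir/$ca.srl" -in "$dir/$leaf.csr" -out "$dir/$leaf.cert" "$@" 2>/dev/null
}

# make_test_pki <dir> <hostname>: the three key/cert pairs setup.sh produces.
make_test_pki() {
  mkdir -p "$1"
  write_extensions "$1"
  make_ca "$1" Pulp_CA
  sign_leaf "$1" Pulp_CA Pulp_server "$2"
  sign_leaf "$1" Pulp_CA Pulp_client Pulp_Content_Cert \
    -extfile "$1/extensions.txt" -extensions pulp-repos
}

# make_rogue_client <dir>: same subject as the real client cert, but issued by an
# unrelated CA. Repo auth must refuse it even though the subject looks right.
make_rogue_client() {
  make_ca "$1" Rogue_CA
  sign_leaf "$1" Rogue_CA Rogue_client Pulp_Content_Cert \
    -extfile "$1/extensions.txt" -extensions pulp-repos
}

# verify_cert <dir> <cert>: does <cert> chain to Pulp_CA? This is the check mod_ssl
# performs against SSLCACertificateFile before the repo auth code sees the cert.
verify_cert() {
  openssl verify -CAfile "$1/Pulp_CA.cert" "$2" >/dev/null 2>&1
}

# cert_has_cn <cert> <cn>: the server cert must name the host clients connect to.
cert_has_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | grep -q "CN=$2"
}

# client_has_repo_extension <cert>: the signed client cert carries the repo extension.
client_has_repo_extension() {
  openssl x509 -noout -text -in "$1" | grep -q '1.3.6.1.4.1.99999.1.1'
}

# Usage: sh this_script.sh <hostname>   (with no argument only the functions are defined)
if [ "${1:-}" ]; then
  work=$(mktemp -d)
  make_test_pki "$work" "$1"
  make_rogue_client "$work"
  verify_cert "$work" "$work/Pulp_client.cert" && echo "Pulp_client.cert: chains to Pulp_CA"
  verify_cert "$work" "$work/Rogue_client.cert" || echo "Rogue_client.cert: rejected"
  echo "Certs left in $work"
fi
```

Running it with your hostname leaves the scratch certs in place so you can point curl at them the same way test_fetch.py does; the rejected rogue cert is the case to keep in mind when debugging "repo auth is not working" reports, since a client cert that looks right in `openssl x509 -text` still fails if it was not signed by the CA Apache trusts.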