[Pulp-list] Issues with ssl client verification using chain ca pem

David Gao dgao at redhat.com
Tue Aug 12 00:22:12 UTC 2014


Hi,

I'm running into an issue with the latest pulp REST bindings being unable to verify a certificate if the CA cert is a chain cert. It looks like the new pulp is using code from the m2crypto library that does not support this feature. Attached are 2 small scripts that will recreate this scenario.

Note: test_m2crypto.py has pieces of code yanked from pulp bindings/server.py
Note2: The scripts assume pulp is installed locally.

Here are the steps:

1) ./create_rhui_ssl_certs.sh - This would output a bunch of certs; the important ones are copied to the ./certs dir.
2) Edit line 8 of test_m2crypto.py to point to $HOME/certs/server-ca-chain.pem
3) Edit /etc/httpd/conf.d/ssl.conf with following key-value pair:
   3.1) SSLCertificateFile $HOME/certs/test-cert.pem
   3.2) SSLCertificateKeyFile $HOME/certs/test-key.pem
4) Restart httpd
5) python test_m2crypto.py
6) openssl verify -verbose -CAfile $HOME/certs/server-ca-chain.pem $HOME/certs/test-cert.pem


Output should look like:

[root at rhua ~]# python test_m2crypto.py
certificate verify failed
[root at rhua ~]# openssl verify -verbose -CAfile /root/certs/server-ca-chain.pem /root/certs/test-cert.pem
/root/certs/test-cert.pem: OK


The version of pulp I'm using is:

[root at rhua ~]# rpm -qa | grep "pulp"
python-isodate-0.5.0-1.pulp.el6.noarch
python-pulp-rpm-common-2.4.0-0.30.beta.el6.noarch
createrepo-0.9.9-21.2.pulp.el6.noarch
pulp-admin-client-2.4.0-0.30.beta.el6.noarch
python-kombu-3.0.15-12.pulp.el6.noarch
pulp-puppet-plugins-2.4.0-0.30.beta.el6.noarch
pulp-selinux-2.4.0-0.30.beta.el6.noarch
pulp-rpm-admin-extensions-2.4.0-0.30.beta.el6.noarch
m2crypto-0.21.1.pulp-8.el6.x86_64
python-pulp-common-2.4.0-0.30.beta.el6.noarch
python-pulp-puppet-common-2.4.0-0.30.beta.el6.noarch
python-pulp-bindings-2.4.0-0.30.beta.el6.noarch
python-pulp-client-lib-2.4.0-0.30.beta.el6.noarch
mod_wsgi-3.4-1.pulp.el6.x86_64
pulp-server-2.4.0-0.30.beta.el6.noarch
pulp-rpm-plugins-2.4.0-0.30.beta.el6.noarch
pulp-puppet-admin-extensions-2.4.0-0.30.beta.el6.noarch
pulp-v2-cds-server-1.0.1-1.git.3.9a1a04f.el6.noarch
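As an added example (not either of the attached scripts, which the archive scrubbed), this shell script builds a constructed root -> intermediate -> server chain with the openssl CLI and then runs the step 6 verification twice: against a root-only bundle and against the full chain bundle. The file names test-cert.pem, test-key.pem and server-ca-chain.pem mirror the post; the CA names, the server CN and the working directory are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for create_rhui_ssl_certs.sh (the attachment is not in the archive):
# root CA -> intermediate CA -> server cert, then `openssl verify` against two CA bundles.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

make_certs() {
  # CA extensions: both the root and the intermediate must be allowed to sign certs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > server.ext

  # Self-signed root CA (assumed name).
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -out root.pem \
    -days 365 -extfile ca.ext >/dev/null 2>&1

  # Intermediate CA signed by the root.
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 365 -extfile ca.ext >/dev/null 2>&1

  # Server cert signed by the intermediate, named as in the post (assumed CN).
  openssl req -newkey rsa:2048 -nodes -keyout test-key.pem -out server.csr \
    -subj "/CN=rhua.example.com" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out test-cert.pem -days 365 -extfile server.ext >/dev/null 2>&1

  # Chain bundle: intermediate first, then root (same layout as server-ca-chain.pem).
  cat inter.pem root.pem > server-ca-chain.pem
}

# Exit status 0 when test-cert.pem verifies against the CA bundle given as $1.
verify_against() {
  openssl verify -CAfile "$1" test-cert.pem >/dev/null 2>&1
}

make_certs
# With only the root trusted the issuer of test-cert.pem cannot be found: this fails.
verify_against root.pem || echo "root-only bundle: verify failed (issuer not found)"
# With every CA in the bundle loaded the path builds, matching the post's step 6 output.
verify_against server-ca-chain.pem && echo "chain bundle: test-cert.pem OK"
```

A client that loads only the first certificate of a CA file behaves like the root-only case above, which is the "certificate verify failed" the post sees while the openssl CLI reports OK.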
-------------- next part --------------
Attachment (non-text, scrubbed by the archive): create_rhui_ssl_certs.sh, application/x-shellscript, 6658 bytes
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20140811/fe64526f/attachment.bin>
-------------- next part --------------
Attachment (non-text, scrubbed by the archive): test_m2crypto.py, text/x-python, 804 bytes
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20140811/fe64526f/attachment.py>