[Pulp-list] 2.5.1 update seems to break verify_ssl false?
Paul Urwin
me at paulurwin.com
Thu Dec 18 11:46:52 UTC 2014
Hello Pulpers

I've upgraded from 2.4.0-1 to 2.5.1-1 and have hit SSL issues.

Despite having verify_ssl: false in /etc/pulp/admin/admin.conf, pulp-admin
would now bomb out with errors in ~/.pulp/admin.log:

ConnectionException: (None, 'tlsv1 alert unknown ca', None)

That shouldn't happen, right?

I was using a self-signed certificate, so to try to get around this I used a
VeriSign certificate.

Despite updating the relevant variables...

admin.conf:
    ca_path: /etc/pki/tls/certs/ca-bundle.crt

server.conf:
    cacert: /etc/pki/pulp/new-hostname-cacert.pem
    cakey: /etc/pki/pulp/new-hostname-key.pem
    ssl_ca_certificate: /etc/pki/tls/certs/ca-bundle.crt

/etc/httpd/conf.d/pulp.conf:
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    SSLCertificateFile /etc/pki/pulp/new-hostname-cacert.pem
    SSLCertificateKeyFile /etc/pki/pulp/new-hostname-key.pem

...and appending the intermediate certificate into the ca-bundle.crt file,
pulp-admin still gave the same exception, despite appending the
intermediary cert having fixed wget and curl, which were complaining when I
did a test grab of /pulp/repos until I did that.

I could see that ssl_error_log contained:

[Thu Dec 18 10:57:15 2014] [error] [client 123.123.123.123] Certificate Verification: Error (20): unable to get local issuer certificate
[Thu Dec 18 10:57:15 2014] [error] [client 123.123.123.123] Re-negotiation handshake failed: Not accepted by client!?

After some googling I tried commenting out:

SSLVerifyClient optional

in /etc/httpd/conf.d/pulp.conf

That resolved the SSL Apache log error, but now I get:

The specified user does not have permission to execute the given command

admin.log:

PermissionsException: RequestException: GET request on /pulp/api/v2/tasks/
failed with 401 - Authentication with username None failed: invalid SSL
certificate.

So to summarise ... is verify_ssl broken in 2.5.1? And what have I been
doing wrong with my certificates?

Thanks!!

Paul