[Pulp-list] 2.5.1 update seems to break verify_ssl false?

Randy Barlow rbarlow at redhat.com
Thu Dec 18 16:21:48 UTC 2014


On 12/18/2014 06:46 AM, Paul Urwin wrote:
> Hello Pulpers

Hello Paul!

> I've upgraded from 2.4.0-1 to 2.5.1-1 and have hit SSL issues.
> 
> Despite having verify_ssl: false in /etc/pulp/admin/admin.conf
> pulp-admin would now bomb out with errors in ~/.pulp/admin.log:
> 
> ConnectionException: (None, 'tlsv1 alert unknown ca', None)
> 
> That shouldn't happen right?

openssl errors are often difficult to interpret. What did the output of
pulp-admin tell you when you ran into this issue? It may have been that
you simply needed to log in again, but that's a bit of a wild guess on
my part.

> I was using a self signed certificate so to try to get around this I
> used a VeriSign certificate.
> 
> Despite updating the relevant variables...
> 
> server.conf
> cacert: /etc/pki/pulp/new-hostname-cacert.pem
> cakey: /etc/pki/pulp/new-hostname-key.pem
> ssl_ca_certificate: /etc/pki/tls/certs/ca-bundle.crt

These three settings should not be altered, and the Pulp team has plans
to deprecate them because altering them will often break Pulp. This was
supposed to have been documented, but unfortunately I discovered that
there was a typo in the docs. I just submitted a pull request to address
the typo[0].

Essentially, these certificates are for Pulp's own internal operation
and should not need to be adjusted. cacert/key are for Pulp's
authentication CA certificate, not for the CA that signed the certs that
httpd uses to serve Pulp. This CA is used to sign the CSRs when you call
pulp-admin login, so that pulp-admin can use the user-cert.pem to
identify you until the next login call. We plan to remove this with Pulp
3.0 as we hope to switch to a different authentication mechanism.

ssl_ca_certificate is for handing out certificates to bound consumers so
they can verify the Pulp server when communicating with it, but it
suffers from a chicken-and-the-egg problem because the consumer can't
get the cert from Pulp without first trusting Pulp, which it can't do
without the cert, so we plan to remove this as well.

I recommend that you restore all three of these settings to their
defaults (and ensure that the files that were originally there are still
present and unaltered).

> /etc/httpd/conf.d/pulp.conf:
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

This is the CA that will validate client certificates. It must be the
same file as server.conf's cacert setting (and that must be unaltered
from the Pulp install).

> SSLCertificateFile /etc/pki/pulp/new-hostname-cacert.pem
> SSLCertificateKeyFile /etc/pki/pulp/new-hostname-key.pem

You shouldn't need these settings, I would recommend removing them.

> After some googling I tried commenting out:
> 
> SSLVerifyClient optional
> 
> In /etc/httpd/conf.d/pulp.conf
> 
> That resolved the SSL Apache log error, but now I get:
> 
> The specified user does not have permission to execute the given command

This is because the client certificate you are using wasn't signed by a
CA that httpd trusted, so the REMOTE_USER environment variable wasn't set.

> So to summarise ... is verify_ssl broken in 2.5.1? And what have I been
> doing wrong with my certificates?

Most of us developers have verify_ssl set to False (I personally keep it
set to True to make sure that works too), and I believe our QE tests it
both ways, so I am fairly confident that it works correctly.

I'd suggest reverting all the SSL settings to their defaults, and trying
pulp-admin login again to see if that helps. Let us know how it goes!

[0] https://github.com/pulp/pulp/pull/1444
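A consistency check for the settings discussed in this thread, added here as an example; it is not Pulp project code and not part of the original post. The sample configs are constructed from the values quoted above, the `[security]` section name is an assumption about server.conf's layout, and the default paths are placeholders to be filled in from an unmodified install.

```python
import configparser

# Constructed sample inputs using the values quoted in the thread.
# The [security] section name is an assumption about server.conf's layout.
SERVER_CONF = """[security]
cacert: /etc/pki/pulp/new-hostname-cacert.pem
cakey: /etc/pki/pulp/new-hostname-key.pem
ssl_ca_certificate: /etc/pki/tls/certs/ca-bundle.crt
"""
HTTPD_CONF = """SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/pulp/new-hostname-cacert.pem
SSLCertificateKeyFile /etc/pki/pulp/new-hostname-key.pem
#SSLVerifyClient optional
"""
# PLACEHOLDERS: take the real defaults from an unmodified Pulp install.
DEFAULTS = {"cacert": "/PLACEHOLDER/default/ca.crt",
            "cakey": "/PLACEHOLDER/default/ca.key",
            "ssl_ca_certificate": "/PLACEHOLDER/default/ssl_ca.crt"}

def parse_server_conf(text):
    """Return the [security] section of server.conf as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["security"])

def parse_httpd_conf(text):
    """Map Apache directive names to their values, skipping comment lines."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives

def check_pulp_ssl(server_text, httpd_text, defaults):
    """Return findings that contradict the advice in the thread; [] means consistent."""
    sec = parse_server_conf(server_text)
    httpd = parse_httpd_conf(httpd_text)
    findings = []
    for key, default in defaults.items():  # the three settings that must stay at default
        if sec.get(key) != default:
            findings.append(f"server.conf {key} altered: {sec.get(key)!r}")
    if httpd.get("SSLCACertificateFile") != sec.get("cacert"):
        findings.append("httpd SSLCACertificateFile must be the same file as server.conf cacert")
    if "SSLVerifyClient" not in httpd:  # commented out => client cert never maps to REMOTE_USER
        findings.append("SSLVerifyClient is absent: REMOTE_USER is never set from the client cert")
    return findings
```

Running `check_pulp_ssl(SERVER_CONF, HTTPD_CONF, DEFAULTS)` on the constructed configs reports all five problems described in the reply; a stock layout returns an empty list.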
