[Pulp-list] Problems syncing from cdn.redhat.com on Pulp 2.3.1

Christina Plummer cplummer at gmail.com
Mon Mar 10 20:56:26 UTC 2014


Update - after studying the packet captures, I noticed that all the
failures (both Pulp 2.3 and openssl s_client) were when TLS 1.2 was used.
When I forced s_client to use TLS 1.0 or 1.1, the SSL handshake succeeded.

Is there a way to force Pulp to use TLS 1.0?


On Mon, Mar 10, 2014 at 4:14 PM, Christina Plummer <cplummer at gmail.com> wrote:

> We do go through a proxy, but authentication is not required on port 443.
> Both servers are on the same subnet.
>
> Pulp-2.1.3-server:
>  * RHEL 6.5 x86_64
>  * yum to cdn.redhat.com works
>  * curl to cdn.redhat.com works
>  * Pulp to cdn.redhat.com works
>
> Pulp-2.3.1-server:
>  * RHEL 6.5 x86_64
>  * yum to cdn.redhat.com works
>  * curl to cdn.redhat.com works
>  * Pulp to cdn.redhat.com fails
>
> (I couldn't get openssl s_client to work on either one, but I think that
> is probably user error or otherwise irrelevant)
>
> I did packet captures on both servers while running "pulp rpm repo sync
> run".
> On the 2.3.1 server, the SSL Client Hello does not include a Server Name,
> and is followed by a RST.
> On the 2.1.3 server, the SSL Client Hello includes a Server Name of
> cdn.redhat.com, and is followed by a SSL Server Hello and the rest of the
> process proceeds as expected.
>
> So... why is the 2.3.1 not sending a Server Name in its SSL Client Hello?
>
> Thanks,
> Christina
>
>
>
> On Sat, Mar 8, 2014 at 12:54 AM, Steven Roberts <strobert at strobe.net> wrote:
>
>> I sort of recall having a similar cert issue around the same time I
>> upgraded to 2.3 but we had two external issues:
>> - our accounting group decided to change our RH account so we had to get
>>   new entitlement certs
>> - a proxy had been added to our outbound connection causing a server
>>   cert issue.
>>
>> are you behind a proxy?  thinking maybe doing a 'openssl s_client'
>> to get the cert to confirm it is the one you are expecting...
>>
>> that socket reset sounds like one side isn't liking the SSL
>> negotiation which could be a client or server issue.
>>
>> I would check the ssl side of things, you could also tcpdump/tshark
>> the connection to see if one side is raising an ssl error...
>>
>> Steve
>>
>> On Fri, Mar 07, 2014 at 09:00:51PM -0500, Christina Plummer wrote:
>> > Hi Steve,
>> > Both the 2.1 and 2.3 Pulp servers are running RHEL 6.5.
>> >
>> > Thanks,
>> > Christina
>> >
>> > Sent from mobile
>> >
>> > > On Mar 7, 2014, at 8:28 PM, Steven Roberts <strobert at strobe.net> wrote:
>> > >
>> > > what os,arch are you running your pulp server on?
>> > >
>> > > I am on a RHEL 6 (64bit) box with pulp 2.3.1-1 package and my syncs
>> > > of RH CDN are working.
>> > >
>> > > I have feed-cert and feed-key (both set to the same .pem I downloaded
>> > > from RH using the instructions in the pulp guide).
>> > >
>> > > I did just look and I am setting the feed-ca-cert to a redhat-uep.pem
>> > > (and I also have skipping of DRPMS as we don't use them in our env)
>> > >
>> > > Steve
>> > >
>> > >> On Fri, Mar 07, 2014 at 04:50:21PM -0500, Christina Plummer wrote:
>> > >> Update - I was able to use curl to download the repomd.xml file that Pulp
>> > >> seems to be choking on.  So I am definitely thinking this is a Pulp 2.3
>> > >> problem.
>> > >>
>> > >> This worked:
>> > >> sudo curl -v https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml \
>> > >>   --cacert /etc/rhsm/ca/redhat-uep.pem \
>> > >>   --cert /etc/pki/entitlement/1545770057920900266.pem \
>> > >>   --key /etc/pki/entitlement/1545770057920900266-key.pem
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> On Fri, Mar 7, 2014 at 4:02 PM, Christina Plummer <cplummer at gmail.com> wrote:
>> > >>
>> > >>> I've been working with Pulp 2.1.3 for several months, and decided that I
>> > >>> wanted to get 2.3.1 stood up on a new server and migrate over to it.
>> > >>> Unfortunately, I have not been able to get Pulp 2.3.1 to sync from the Red
>> > >>> Hat channels.  Here is the error I get:
>> > >>> Downloading metadata...
>> > >>> [\]
>> > >>> ... failed
>> > >>>
>> > >>> HTTPSConnectionPool(host='cdn.redhat.com', port=443): Max retries
>> > >>> exceeded with url: /content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
>> > >>> (Caused by <class 'socket.error'>: [Errno 104] Connection reset by peer)
>> > >>>
>> > >>> I don't believe I have a network or subscription/entitlement issue,
>> > >>> because I am able to use yum to update packages from cdn.redhat.com.  I
>> > >>> set up my Pulp 2.3.1 repos in the same way as I have them on my 2.1.3
>> > >>> server, e.g.
>> > >>>
>> > >>> sudo pulp-admin rpm repo create --repo-id=live-rhel6-x86_64 \
>> > >>>   --description="RHEL6 x86_64 Latest" \
>> > >>>   --feed-cert=/etc/pki/entitlement/1545770057920900266.pem \
>> > >>>   --feed-key=/etc/pki/entitlement/1545770057920900266-key.pem \
>> > >>>   --feed=https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os \
>> > >>>   --retain-old-count=1 --validate=true --relative-url=rhel6/x86_64 \
>> > >>>   --serve-http=true --serve-https=false \
>> > >>>   --gpg-key=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-legacy-release
>> > >>>
>> > >>> I am still able to sync from RHN to my Pulp 2.1.3 server, so there doesn't
>> > >>> seem to be an issue with Red Hat itself.
>> > >>>
>> > >>> It seems like an SSL error, but I can't figure out what it would be... I
>> > >>> tried adding --feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem, but that didn't
>> > >>> seem to have any effect (and hasn't been needed on my 2.1.3 server).
>> > >>>
>> > >>> Any ideas?  Has anyone else got syncing from cdn.redhat.com working on
>> > >>> Pulp 2.3.1?
>> > >>>
>> > >>> Thanks,
>> > >>> Christina
>> > >
>> > >
>> >
>>
>
>
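The check Christina did by eye in the packet captures (which TLS version the Client Hello offers, and whether it carries a server_name/SNI extension) can be scripted. The block below is example code added to this page, not Pulp, Red Hat or OpenSSL code: it constructs two sample Client Hello records (one TLS 1.2 with SNI for cdn.redhat.com, one TLS 1.0 with no extensions at all, both built here rather than taken from the thread's captures) and decodes them. The helper names (build_client_hello, parse_client_hello, describe) are my own; to reproduce the check on a real capture, hand parse_client_hello the raw bytes of the TLS record that follows the TCP handshake.

```python
"""Decode a TLS ClientHello the way you would read one out of a packet capture.

Example code added for this page; not Pulp, Red Hat or OpenSSL code. The two
sample records built below are constructed here, not taken from the thread.
"""
import struct

# Hypothetical helper names; nothing here comes from Pulp.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
EXT_SERVER_NAME = 0x0000


def build_client_hello(version, servername=None):
    """Build a minimal ClientHello record (constructed sample data).

    version is a (major, minor) pair: (3, 1) is TLS 1.0, (3, 3) is TLS 1.2.
    servername adds a server_name (SNI) extension; None omits extensions entirely.
    """
    major, minor = version
    body = bytes([major, minor])                 # client_version
    body += b"\x00" * 32                         # random (zeroed in this sample)
    body += b"\x00"                              # session_id length 0
    ciphers = b"\x00\x2f\x00\x35"                # TLS_RSA_WITH_AES_128_CBC_SHA, ..._256_CBC_SHA
    body += struct.pack("!H", len(ciphers)) + ciphers
    body += b"\x01\x00"                          # one compression method: null
    if servername is not None:
        name = servername.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record layer: ContentType handshake(22), record version, 16-bit length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the offered client_version, cipher suites, extension types and SNI name."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                                 # skip client_version and random
    pos += 1 + body[pos]                         # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                         # compression methods
    ext_types, sni = [], None
    if pos + 2 <= len(body):                     # the extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {
        "version": VERSION_NAMES.get(version, "unknown %r" % (version,)),
        "cipher_suites": ciphers,
        "extensions": ext_types,
        "sni": sni,
    }


def describe(record):
    """One-line summary of the two attributes compared in the thread."""
    info = parse_client_hello(record)
    sni = "SNI=%s" % info["sni"] if info["sni"] else "no SNI"
    return "%s ClientHello, %d cipher suites, %s" % (
        info["version"], len(info["cipher_suites"]), sni)


if __name__ == "__main__":
    # Constructed samples: one hello with a server_name extension, one without.
    print(describe(build_client_hello((3, 3), "cdn.redhat.com")))
    print(describe(build_client_hello((3, 1))))
```

The two things the parser reports are the two things that differed between the captures in the thread: the offered version and the presence of the server_name extension. Note that a RST after the Client Hello is sent by whatever terminates the TCP connection on the far side (the CDN, or the proxy mentioned earlier in the thread), so the Client Hello contents are only half the picture; the s_client comparison Christina describes corresponds to forcing one version at a time with the -tls1, -tls1_1 and -tls1_2 options, with -servername to add SNI (available in the OpenSSL 1.0.1 series shipped with RHEL 6.5).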