[Pulp-list] Problems syncing from cdn.redhat.com on Pulp 2.3.1
Steven Roberts
strobert at strobe.net
Tue Mar 11 18:17:44 UTC 2014
soudns familiar. we have our designated update grabbing machines bypass
the proxy so we don't have to circumvent the SSL/TLS security measures
by having something play man-in-the-middle.
I managed to convinve the policy folks it wasn't likely my RPM
downloading boxes would be pulling down porn :).
Steve
On Tue, Mar 11, 2014 at 07:17:21AM +0100, Florian Sachs wrote:
> Hi Christina,
>
> I ran into the same problem recently (Client Hello, RST) , as our
> Bluecoat Proxy doesn't like TLS1.2 much...
>
> Pulp uses python-requests to download packages and I was able to
> change the behaviour there. See
> https://bugzilla.redhat.com/show_bug.cgi?id=1039471#c4 for the diff.
>
> best regards,
> florian
>
> On 03/10/2014 09:56 PM, Christina Plummer wrote:
> >
> >--
> >!!! ACHTUNG !!!
> >Die elektronische DKIM-Signatur die der absendende Mailserver der
> >Nachricht beigefügt hat, ist Fehlerhaft. Es handelt sich bei
> >dieser Mail mit großer Wahrscheinlichkeit um eine Faelschung/Spam
> >etc. mx3-phx2.redhat.com ist nicht vertrauenswuerdig!
> >--
> >
> >Update - after studying the packet captures, I noticed that all
> >the failures (both Pulp2.3 and openssl s_client) were when TLS 1.2
> >was used. When I forced s_client to use TLS 1.0 or 1.1, the SSL
> >handshake succeeded.
> >
> >Is there a way to force Pulp to use TLS 1.0?
> >
> >
> >On Mon, Mar 10, 2014 at 4:14 PM, Christina Plummer
> ><cplummer at gmail.com <mailto:cplummer at gmail.com>> wrote:
> >
> > We do go through a proxy, but authentication is not required on
> > port 443. Both servers are on the same subnet.
> >
> > Pulp-2.1.3-server:
> > * RHEL 6.5 x86_64
> > * yum to cdn.redhat.com <http://cdn.redhat.com> works
> > * curl to cdn.redhat.com <http://cdn.redhat.com> works
> > * Pulp to cdn.redhat.com <http://cdn.redhat.com> works
> >
> > Pulp-2.3.1-server:
> > * RHEL 6.5 x86_64
> > * yum to cdn.redhat.com <http://cdn.redhat.com> works
> > * curl to cdn.redhat.com <http://cdn.redhat.com> works
> > * Pulp to cdn.redhat.com <http://cdn.redhat.com> fails
> >
> > (I couldn't get openssl s_client to work on either one, but I
> > think that is probably user error or otherwise irrelevant)
> >
> > I did packet captures on both servers while running "pulp rpm repo
> > sync run".
> > On the 2.3.1 server, the SSL Client Hello does not include a
> > Server Name, and is followed by a RST.
> > On the 2.1.3 server, the SSL Client Hello includes a Server Name
> > of cdn.redhat.com <http://cdn.redhat.com>, and is followed by a
> > SSL Server Hello and the rest of the process proceeds as expected.
> >
> > So... why is the 2.3.1 not sending a Server Name is its SSL Client
> > Hello?
> >
> > Thanks,
> > Christina
> >
> >
> >
> > On Sat, Mar 8, 2014 at 12:54 AM, Steven Roberts
> > <strobert at strobe.net <mailto:strobert at strobe.net>> wrote:
> >
> > I sort of recall having a similar cert issue around the same
> > time I
> > upgraded to 2.3 but we had two external issues:
> > - our accounting group decided to change our RH account so we
> > had to get
> > new entitlement certs
> > - a proxy had been added to out outbound connection causing a
> > server
> > cert issue.
> >
> > are you behind a proxy? thinking maybe doing a 'openssl s_client'
> > to get the cert to confirm it is the one you are expecting...
> >
> > that socket reset sounds like one side isn't liking the SSL
> > negotiation which could be a client or server issue.
> >
> > I would check the ssl side of things, you could also
> > tcpdump/tshark
> > the connection to see if one side is raising an ssl error...
> >
> > Steve
> >
> > On Fri, Mar 07, 2014 at 09:00:51PM -0500, Christina Plummer wrote:
> > > Hi Steve,
> > > Both the 2.1 and 2.3 Pulp servers are running RHEL 6.5.
> > >
> > > Thanks,
> > > Christina
> > >
> > > Sent from mobile
> > >
> > > > On Mar 7, 2014, at 8:28 PM, Steven Roberts
> > <strobert at strobe.net <mailto:strobert at strobe.net>> wrote:
> > > >
> > > > what os,arch are you running your pulp server on?
> > > >
> > > > I am on a RHEL 6 (64bit) box with pulp 2.3.1-1 package and
> > my sync's
> > > > of RH CDN are working.
> > > >
> > > > I have feed-cert and feed-key (both set to the same .pem I
> > downloaded
> > > > from RH using the instructions in the pulp guide).
> > > >
> > > > I did just look and I am setting the feed-ca-cert to a
> > redhat-uep.pem
> > > > (and I also have skipping of DRPMS as we don't use them in
> > our env)
> > > >
> > > > Steve
> > > >
> > > >> On Fri, Mar 07, 2014 at 04:50:21PM -0500, Christina
> > Plummer wrote:
> > > >> Update - I was able to use curl to download the
> > repomd.xml file that Pulp
> > > >> seems to be choking on. So I am definitely thinking this
> > is a Pulp 2.3
> > > >> problem.
> > > >>
> > > >> This worked:
> > > >> sudo curl -v
> > > >>
> > https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml--cacert
> > > >> /etc/rhsm/ca/redhat-uep.pem --cert
> > > >> /etc/pki/entitlement/1545770057920900266.pem --key
> > > >> /etc/pki/entitlement/1545770057920900266-key.pem
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> On Fri, Mar 7, 2014 at 4:02 PM, Christina Plummer
> > <cplummer at gmail.com <mailto:cplummer at gmail.com>>wrote:
> > > >>
> > > >>> I've been working with Pulp 2.1.3 for several months,
> > and decided that I
> > > >>> wanted to get 2.3.1 stood up on a new server and migrate
> > over to it.
> > > >>> Unfortunately, I have not been able to get Pulp 2.3.1 to
> > sync from the Red
> > > >>> Hat channels. Here is the error I get:
> > > >>> Downloading metadata...
> > > >>> [\]
> > > >>> ... failed
> > > >>>
> > > >>> HTTPSConnectionPool(host='cdn.redhat.com
> > <http://cdn.redhat.com>', port=443): Max retries
> > > >>> exceeded with
> > > >>> url:
> > /content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
> > > >>> (Caused
> > > >>> by <class 'socket.error'>: [Errno 104] Connection reset
> > by peer)
> > > >>>
> > > >>> I don't believe I have a network or
> > subscription/entitlement issue,
> > > >>> because I am able to use yum to update packages from
> > cdn.redhat.com <http://cdn.redhat.com>. I
> > > >>> set up my Pulp 2.3.1 repos in the same way as I have
> > them on my 2.1.3
> > > >>> server, e.g.
> > > >>>
> > > >>> sudo pulp-admin rpm repo create --repo-id=live-rhel6-x86_64
> > > >>> --description="RHEL6 x86_64 Latest"
> > > >>> --feed-cert=/etc/pki/entitlement/1545770057920900266.pem
> > > >>>
> > --feed-key=/etc/pki/entitlement/1545770057920900266-key.pem
> > --feed=https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os
> > > >>>
> > --retain-old-count=1<https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os--retain-old-count=1>--validate=true
> > --relative-url=rhel6/x86_64 --serve-http=true
> > > >>> --serve-https=false
> > > >>> --gpg-key=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-legacy-release
> > > >>> I am still able to sync from RHN to my Pulp 2.1.3
> > server, so there doesn't
> > > >>> seem to be an issue with Red Hat itself.
> > > >>>
> > > >>> It seems like an SSL error, but I can't figure out what
> > it would be... I
> > > >>> tried adding --feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem,
> > but that didn't
> > > >>> seem to have any effect (and hasn't been needed on my
> > 2.1.3 server).
> > > >>>
> > > >>> Any ideas? Has anyone else got syncing from
> > cdn.redhat.com <http://cdn.redhat.com> working on
> > > >>> Pulp 2.3.1?
> > > >>>
> > > >>> Thanks,
> > > >>> Christina
> > > >
> > > >> _______________________________________________
> > > >> Pulp-list mailing list
> > > >> Pulp-list at redhat.com <mailto:Pulp-list at redhat.com>
> > > >> https://www.redhat.com/mailman/listinfo/pulp-list
> > > >
> > >
> >
> >
> >
> >
> >
> >_______________________________________________
> >Pulp-list mailing list
> >Pulp-list at redhat.com
> >https://www.redhat.com/mailman/listinfo/pulp-list
>
> --
> Florian Sachs
> Bundesministerium für Landesverteidigung und Sport
> Führungsunterstützungszentrum / IKT-Te / HW&SysSW / SE2VE
> Stiftgasse 2a 1070, Wien
> Postadresse: Rossauer Lände 1, 1090 Wien
> Tel.: +43 50201 10 33466
>
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list
More information about the Pulp-list
mailing list