[Pulp-list] Problems syncing from cdn.redhat.com on Pulp 2.3.1

Christina Plummer cplummer at gmail.com
Tue Mar 11 18:27:32 UTC 2014 

Florian, thank you for the tip and the patch!  We do have Bluecoat, and I
just confirmed that we are at SGOS 6.4.3.1, which apparently does not
support TLS 1.2.

We are currently discussing the best way forward - either allowing this
server to bypass the proxy, or modifying the Python per your patch.  Thanks
again for chasing this down and sharing your findings.

Christina


On Tue, Mar 11, 2014 at 2:17 AM, Florian Sachs <florian.sachs at bmlvs.gv.at>wrote:

>  Hi Christina,
>
> I ran into the same problem recently (Client Hello, RST) , as our Bluecoat
> Proxy doesn't like TLS1.2 much...
>
> Pulp uses python-requests to download packages and I was able to change
> the behaviour there. See
> https://bugzilla.redhat.com/show_bug.cgi?id=1039471#c4 for the diff.
>
> best regards,
> florian
>
> On 03/10/2014 09:56 PM, Christina Plummer wrote:
>
> --
> !!! ACHTUNG !!!
> Die elektronische DKIM-Signatur die der absendende Mailserver der
> Nachricht beigefügt hat, ist Fehlerhaft. Es handelt sich bei dieser Mail
> mit großer Wahrscheinlichkeit um eine Faelschung/Spam etc.
> mx3-phx2.redhat.com ist nicht vertrauenswuerdig!
> --
>  Update - after studying the packet captures, I noticed that all the
> failures (both Pulp2.3 and openssl s_client) were when TLS 1.2 was used.
> When I forced s_client to use TLS 1.0 or 1.1, the SSL handshake succeeded.
>
>  Is there a way to force Pulp to use TLS 1.0?
>
>
> On Mon, Mar 10, 2014 at 4:14 PM, Christina Plummer <cplummer at gmail.com>wrote:
>
>>       We do go through a proxy, but authentication is not required on
>> port 443. Both servers are on the same subnet.
>>
>>  Pulp-2.1.3-server:
>>   * RHEL 6.5 x86_64
>>   * yum to cdn.redhat.com works
>>   * curl to cdn.redhat.com works
>>   * Pulp to cdn.redhat.com works
>>
>>  Pulp-2.3.1-server:
>>   * RHEL 6.5 x86_64
>>   * yum to cdn.redhat.com works
>>   * curl to cdn.redhat.com works
>>   * Pulp to cdn.redhat.com fails
>>
>>  (I couldn't get openssl s_client to work on either one, but I think that
>> is probably user error or otherwise irrelevant)
>>
>>  I did packet captures on both servers while running "pulp rpm repo sync
>> run".
>> On the 2.3.1 server, the SSL Client Hello does not include a Server Name,
>> and is followed by a RST.
>> On the 2.1.3 server, the SSL Client Hello includes a Server Name of
>> cdn.redhat.com, and is followed by a SSL Server Hello and the rest of
>> the process proceeds as expected.
>>
>>  So... why is the 2.3.1 not sending a Server Name is its SSL Client Hello?
>>
>>  Thanks,
>> Christina
>>
>>
>>
>> On Sat, Mar 8, 2014 at 12:54 AM, Steven Roberts <strobert at strobe.net>wrote:
>>
>>> I sort of recall having a similar cert issue around the same time I
>>> upgraded to 2.3 but we had two external issues:
>>> - our accounting group decided to change our RH account so we had to get
>>>   new entitlement certs
>>> - a proxy had been added to out outbound connection causing a server
>>>   cert issue.
>>>
>>> are you behind a proxy?  thinking maybe doing a 'openssl s_client'
>>> to get the cert to confirm it is the one you are expecting...
>>>
>>> that socket reset sounds like one side isn't liking the SSL
>>> negotiation which could be a client or server issue.
>>>
>>> I would check the ssl side of things, you could also tcpdump/tshark
>>> the connection to see if one side is raising an ssl error...
>>>
>>> Steve
>>>
>>> On Fri, Mar 07, 2014 at 09:00:51PM -0500, Christina Plummer wrote:
>>> > Hi Steve,
>>> > Both the 2.1 and 2.3 Pulp servers are running RHEL 6.5.
>>> >
>>> > Thanks,
>>> > Christina
>>> >
>>> > Sent from mobile
>>> >
>>> > > On Mar 7, 2014, at 8:28 PM, Steven Roberts <strobert at strobe.net>
>>> wrote:
>>> > >
>>> > > what os,arch are you running your pulp server on?
>>> > >
>>> > > I am on a RHEL 6 (64bit) box with pulp 2.3.1-1 package and my sync's
>>> > > of RH CDN are working.
>>> > >
>>> > > I have feed-cert and feed-key (both set to the same .pem I downloaded
>>> > > from RH using the instructions in the pulp guide).
>>> > >
>>> > > I did just look and I am setting the feed-ca-cert to a redhat-uep.pem
>>> > > (and I also have skipping of DRPMS as we don't use them in our env)
>>> > >
>>> > > Steve
>>> > >
>>> > >> On Fri, Mar 07, 2014 at 04:50:21PM -0500, Christina Plummer wrote:
>>> > >> Update - I was able to use curl to download the repomd.xml file
>>> that Pulp
>>> > >> seems to be choking on.  So I am definitely thinking this is a Pulp
>>> 2.3
>>> > >> problem.
>>> > >>
>>> > >> This worked:
>>> > >> sudo curl -v
>>> > >>
>>> https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml--cacert
>>> > >> /etc/rhsm/ca/redhat-uep.pem --cert
>>> > >> /etc/pki/entitlement/1545770057920900266.pem --key
>>> > >> /etc/pki/entitlement/1545770057920900266-key.pem
>>> > >>
>>> > >>
>>> > >>
>>> > >>
>>> > >> On Fri, Mar 7, 2014 at 4:02 PM, Christina Plummer <
>>> cplummer at gmail.com>wrote:
>>> > >>
>>> > >>> I've been working with Pulp 2.1.3 for several months, and decided
>>> that I
>>> > >>> wanted to get 2.3.1 stood up on a new server and migrate over to
>>> it.
>>> > >>> Unfortunately, I have not been able to get Pulp 2.3.1 to sync from
>>> the Red
>>> > >>> Hat channels.  Here is the error I get:
>>> > >>> Downloading metadata...
>>> > >>> [\]
>>> > >>> ... failed
>>> > >>>
>>> > >>> HTTPSConnectionPool(host='cdn.redhat.com', port=443): Max retries
>>> > >>> exceeded with
>>> > >>> url:
>>> /content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
>>> > >>> (Caused
>>> > >>> by <class 'socket.error'>: [Errno 104] Connection reset by peer)
>>> > >>>
>>> > >>> I don't believe I have a network or subscription/entitlement issue,
>>> > >>> because I am able to use yum to update packages from
>>> cdn.redhat.com.  I
>>> > >>> set up my Pulp 2.3.1 repos in the same way as I have them on my
>>> 2.1.3
>>> > >>> server, e.g.
>>> > >>>
>>> > >>> sudo pulp-admin rpm repo create --repo-id=live-rhel6-x86_64
>>> > >>> --description="RHEL6 x86_64 Latest"
>>> > >>> --feed-cert=/etc/pki/entitlement/1545770057920900266.pem
>>> > >>> --feed-key=/etc/pki/entitlement/1545770057920900266-key.pem --feed=
>>> https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os
>>> > >>> --retain-old-count=1<
>>> https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os--retain-old-count=1>--validate=true
>>> --relative-url=rhel6/x86_64 --serve-http=true
>>> > >>> --serve-https=false
>>> > >>> --gpg-key=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-legacy-release
>>> > >>> I am still able to sync from RHN to my Pulp 2.1.3 server, so there
>>> doesn't
>>> > >>> seem to be an issue with Red Hat itself.
>>> > >>>
>>> > >>> It seems like an SSL error, but I can't figure out what it would
>>> be... I
>>> > >>> tried adding --feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem, but that
>>> didn't
>>> > >>> seem to have any effect (and hasn't been needed on my 2.1.3
>>> server).
>>> > >>>
>>> > >>> Any ideas?  Has anyone else got syncing from cdn.redhat.comworking on
>>> > >>> Pulp 2.3.1?
>>> > >>>
>>> > >>> Thanks,
>>> > >>> Christina
>>> > >
>>> > >> _______________________________________________
>>> > >> Pulp-list mailing list
>>> > >> Pulp-list at redhat.com
>>> > >> https://www.redhat.com/mailman/listinfo/pulp-list
>>> > >
>>> >
>>>
>>
>>
>
>
> _______________________________________________
> Pulp-list mailing listPulp-list at redhat.comhttps://www.redhat.com/mailman/listinfo/pulp-list
>
>
> --
> Florian Sachs
> Bundesministerium für Landesverteidigung und Sport
> Führungsunterstützungszentrum / IKT-Te / HW&SysSW / SE2VE
> Stiftgasse 2a 1070, Wien
> Postadresse: Rossauer Lände 1, 1090 Wien
> Tel.: +43 50201 10 33466
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20140311/cd1ec623/attachment.htm>

More information about the Pulp-list mailing list