[Pulp-list] Qpid SSL on Pulp 2.4

Gavin Jones gavinj84 at gmail.com
Tue Oct 28 22:24:02 UTC 2014


Hey Jason,
Thanks for the info. I am still a big-time newbie at
understanding intermediary SSL etc.

If I am understanding correctly, on the Pulp host I would have to create my
own root CA with instructions like this:
https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

and sign the Pulp root CA with my internal MS root CA cert? Or would I just
concatenate both the MS internal root CA and the Pulp Linux root CA into a
chain as you have specified above?

Sorry, I am a big-time newbie at this. Or would it be easier to just downgrade
to a safer version of Pulp?

Thanks for your time.

On Wed, Oct 29, 2014 at 12:04 AM, Ashby, Jason (IMS) <AshbyJ at imsweb.com>
wrote:

> I'm all squared away now with my certs.  I CC'ed Gavin since he was having
> similar issues with a similar intermediary setup. Here are some notes that
> may help others, and one of them seems like a bug in verify_cert, or at
> least a bug with my setup.
>
>
> I had to create a chain cert for ssl_ca_certificate:
>
> # /etc/pulp/server.conf
> [security]
> cacert: /etc/pki/pulp_certs/pulpca.crt
> cakey: /etc/pki/pulp_certs/pulpca.key
> ssl_ca_certificate: /etc/pki/pulp_certs/pulpca_chain.crt
>
> The chain cert was created by concatenating my company's root CA and the
> intermediary CA (the pulp CA which was signed by the root CA):
>
> cat rootca.cer pulpca.crt > pulpca_chain.crt
>
> You can get your Microsoft-based root CA (rootca.cer above) from the
> certsrv application:
>
> - Download a CA certificate, certificate chain, or CRL
> - click link for "To trust certificates issued from this certification
> authority, install this CA certificate."
>
>
> Add your root and intermediary CAs to the system CA bundle (copy
> ca-bundle.crt out to all consumers too):
>
> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
>
>
> In addition, I found that certificates could not be verified against the
> intermediary CA alone.  I had to make the following change to verify_cert
> in order to get M2Crypto to use the chain (specified in server.conf
> ssl_ca_certificate):
>
>
> # /usr/lib/python2.6/site-packages/pulp/server/managers/auth/cert/cert_generator.py
>     def verify_cert(self, cert_pem):
>         '''
>         Ensures the given certificate can be verified against the server's CA.
>
>         @param cert_pem: PEM encoded certificate to be verified
>         @type  cert_pem: string
>
>         @return: True if the certificate is successfully verified against the CA; False otherwise
>         @rtype:  boolean
>         '''
>
>         # M2Crypto doesn't support verifying a cert against a CA, so call out to openssl
>         # ca_cert = config.config.get('security', 'cacert')
>         # FIX - Use CA chain in order to support the use of an intermediary CA aka sub-CA
>         ca_cert = config.config.get('security', 'ssl_ca_certificate')
>
>         cmd = 'openssl verify -CAfile %s' % ca_cert
>         p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
>                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
>
>
>
> Hope that helps. I'll try to file a bug with more info later.  Right now
> I've got some catching up to do :).
>
> -----Original Message-----
> From: pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com]
> On Behalf Of Brian Bouterse
> Sent: Friday, October 24, 2014 3:22 PM
> To: Randy Barlow
> Cc: pulp-list at redhat.com
> Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
>
> By using the pulp-qpid-ssl-cfg and using your own CA and key, it then used
> the CA to create a certificate for the broker and the client, and it also
> adds them to an NSS database.
>
> Interestingly, your server.conf doesn't specify the same CA you told
> pulp-qpid-ssl-cfg to use. I expected cacert to be
> /etc/pki/pulp_certs/pulpca.crt for both the [messaging] and [tasks]
> section. Any changes to that file require a restart of all the services.
> What does that do?
>
> As another thing to try, could you try having the script generate its own
> CA and use the recommended settings it provides. You could give it a
> different root folder so you could have the certs side-by-side in the
> filesystem. This would let us troubleshoot from a known working state with
> SSL working just not with a cert you provide. Just a thought about how we
> can eliminate all other concerns besides a cert that you are providing.
>
> -Brian
>
>
> ----- Original Message -----
> > From: "Randy Barlow" <rbarlow at redhat.com>
> > To: "Jeff Ortel" <jortel at redhat.com>, pulp-list at redhat.com
> > Sent: Friday, October 24, 2014 2:55:00 PM
> > Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
> >
> > On 10/24/2014 02:40 PM, Ashby, Jason (IMS) wrote:
> > > Those certs are the ones generated by /usr/bin/pulp-qpid-ssl-cfg.  I
> > > accepted the defaults for that script, except for the CA cert and key
> > > which I supplied with:
> > >
> > > Please specify a CA.  Generated if not specified.
> > >   Enter a path: /etc/pki/pulp_certs/pulpca.crt
> > >
> > > Please specify the CA key
> > >   Enter a path: /etc/pki/pulp_certs/pulpca.key
> > >
> > > Does that answer your questions?
> >
> > I'm not familiar with pulp-qpid-ssl-cfg myself. Jeff, do you know if
> > this is correct?
> >
> >
> > _______________________________________________
> > Pulp-list mailing list
> > Pulp-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pulp-list
>
>
>
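The two verification cases Jason describes above, as an added example that is not part of the thread, of Pulp, or of pulp-qpid-ssl-cfg: a POSIX shell script that builds a throwaway root CA, an intermediate "Pulp" CA signed by it and a consumer cert signed by the intermediate, then runs openssl verify the way verify_cert does (PEM on stdin, -CAfile) first against the intermediate alone (the cacert setting) and then against the concatenated chain (ssl_ca_certificate). File names follow the thread; the subjects, key sizes, validity periods and the "stdin: OK" output check are this example's own assumptions, since the rest of verify_cert is not shown in the quoted message.

```shell
#!/bin/sh
# Added example; not code from the thread, from Pulp or from pulp-qpid-ssl-cfg.
# Builds a throwaway root CA -> intermediate ("pulp") CA -> consumer cert in a
# temp directory and shows why "openssl verify -CAfile pulpca.crt" rejects the
# consumer cert while the concatenated root+intermediate chain accepts it.
# File names follow the thread; subjects, key sizes and lifetimes are made up.
set -eu

# issue <csr> <issuer_cert> <issuer_key> <extfile> <out>
# Sign a CSR with the given issuer; certificate extensions come from <extfile>.
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# build_pki <dir>
# Creates rootca.cer/.key, pulpca.crt/.key, consumer.crt/.key and, exactly as
# in the thread, pulpca_chain.crt = rootca.cer followed by pulpca.crt.
build_pki() {
    dir=$1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=clientAuth' > "$dir/leaf.ext"

    # Root CA: stands in for the corporate (Microsoft) root; self-signed here.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/rootca.key" \
        -out "$dir/rootca.csr" -subj "/CN=Example Corp Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/rootca.csr" -signkey "$dir/rootca.key" \
        -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/rootca.cer" 2>/dev/null

    # Pulp CA: the intermediate (sub-CA), signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/pulpca.key" \
        -out "$dir/pulpca.csr" -subj "/CN=Pulp Intermediate CA" 2>/dev/null
    issue "$dir/pulpca.csr" "$dir/rootca.cer" "$dir/rootca.key" \
        "$dir/ca.ext" "$dir/pulpca.crt"

    # Consumer cert: what verify_cert is handed, signed by the Pulp CA only.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/consumer.key" \
        -out "$dir/consumer.csr" -subj "/CN=consumer01" 2>/dev/null
    issue "$dir/consumer.csr" "$dir/pulpca.crt" "$dir/pulpca.key" \
        "$dir/leaf.ext" "$dir/consumer.crt"

    cat "$dir/rootca.cer" "$dir/pulpca.crt" > "$dir/pulpca_chain.crt"
}

# verify_against <cafile> <cert_file>
# Same shape as verify_cert: PEM on stdin, "openssl verify -CAfile <cafile>".
# The result is read from the output ("stdin: OK") rather than from the exit
# status, which older openssl releases did not set reliably. Prints one line;
# returns 0 on OK and 1 on any failure.
verify_against() {
    out=$(openssl verify -CAfile "$1" < "$2" 2>&1 || true)
    case "$out" in
        *": OK"*) echo "OK"; return 0 ;;
        *)        echo "FAIL: $out"; return 1 ;;
    esac
}

# Run both checks end to end and clean up.
demo() {
    work=$(mktemp -d)
    build_pki "$work"
    printf 'cacert (intermediate alone):            '
    verify_against "$work/pulpca.crt" "$work/consumer.crt" || true
    printf 'ssl_ca_certificate (root+intermediate): '
    verify_against "$work/pulpca_chain.crt" "$work/consumer.crt"
    rm -rf "$work"
}

demo
```

Run with sh: the first check prints FAIL with "unable to get issuer certificate" at depth 1, the second prints OK. With -CAfile, openssl treats every certificate in the file as trusted but still has to build the chain up to a self-signed root, so a trusted intermediate on its own is not enough; that is exactly why the root has to be part of ssl_ca_certificate. OpenSSL 1.0.2 and later can accept a trusted intermediate as an anchor with the -partial_chain option, which would remove the need to ship the root in the chain file, but the python2.6 path in the quoted message points at an EL6-era host whose openssl predates it. Two caveats on the ca-bundle.crt step in the quoted message: appending with >> is not idempotent, so running it twice duplicates the entries, and on systems that generate the bundle with update-ca-trust a cert written straight into /etc/pki/tls/certs/ca-bundle.crt is lost on the next regeneration; on those systems drop the cert into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust instead.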