[Pulp-list] Qpid SSL on Pulp 2.4
gavinj84 at gmail.com
Tue Oct 28 22:24:02 UTC 2014
Thanks for the info; I am still a big-time newbie at
understanding intermediary SSL etc.
If I am understanding correctly, on the Pulp host I would have to create my
own root CA with instructions like this:
sign the Pulp root CA with my internal MS root CA cert? Or would I just
concatenate both the MS internal root CA and the Pulp Linux root CA into a
chain as you have specified above?
Sorry, I am a big-time newbie at this. Or would it be easier to just downgrade
to a safer version of Pulp?
Thanks for your time.
On Wed, Oct 29, 2014 at 12:04 AM, Ashby, Jason (IMS) <AshbyJ at imsweb.com>
> I'm all squared away now with my certs. I CC'ed Gavin since he was having
> similar issues with a similar intermediary setup. Here are some notes that
> may help others, and one of them seems like a bug in verify_cert, or at
> least a bug with my setup.
> I had to create a chain cert for ssl_ca_certificate:
> # /etc/pulp/server.conf
> cacert: /etc/pki/pulp_certs/pulpca.crt
> cakey: /etc/pki/pulp_certs/pulpca.key
> ssl_ca_certificate: /etc/pki/pulp_certs/pulpca_chain.crt
> The chain cert was created by concatenating my company's root CA and the
> intermediary CA (the pulp CA which was signed by the root CA):
> cat rootca.cer pulpca.crt > pulpca_chain.crt
> You can get your Microsoft-based root CA (rootca.cer above) from the
> certsrv application:
> - Download a CA certificate, certificate chain, or CRL
> - click link for "To trust certificates issued from this certification
> authority, install this CA certificate."
> Add your root and intermediary CAs to the system CA bundle (copy
> ca-bundle.crt out to all consumers too):
> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >>
> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >>
> In addition, I found that certificates could not be verified against the
> intermediary CA alone. I had to make the following change to verify_cert
> in order to get M2Crypto to use the chain (specified in server.conf
> def verify_cert(self, cert_pem):
>     """
>     Ensures the given certificate can be verified against the server's
>
>     @param cert_pem: PEM encoded certificate to be verified
>     @type cert_pem: string
>
>     @return: True if the certificate is successfully verified against
>              the CA; False otherwise
>     @rtype: boolean
>     """
>     # M2Crypto doesn't support verifying a cert against a CA, so call out to openssl
>     # ca_cert = config.config.get('security', 'cacert')
>     # FIX - Use CA chain in order to support the use of an intermediary CA aka sub-CA
>     ca_cert = config.config.get('security', 'ssl_ca_certificate')
>     cmd = 'openssl verify -CAfile %s' % ca_cert
>     p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
>                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> Hope that helps. I'll try to file a bug with more info later. Right now
> I've got some catching up to do :).
> -----Original Message-----
> From: pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com]
> On Behalf Of Brian Bouterse
> Sent: Friday, October 24, 2014 3:22 PM
> To: Randy Barlow
> Cc: pulp-list at redhat.com
> Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
> By using pulp-qpid-ssl-cfg with your own CA and key, it then used
> the CA to create a certificate for the broker and the client, and it also
> added them to an NSS database.
> Interestingly, your server.conf doesn't specify the same CA you told
> pulp-qpid-ssl-cfg to use. I expected cacert to be
> /etc/pki/pulp_certs/pulpca.crt for both the [messaging] and [tasks]
> section. Any changes to that file require a restart of all the services.
> What does that do?
> As another thing to try, could you try having the script generate its own
> CA and use the recommended settings it provides? You could give it a
> different root folder so you could have the certs side-by-side in the
> filesystem. This would let us troubleshoot from a known working state with
> SSL working just not with a cert you provide. Just a thought about how we
> can eliminate all other concerns besides a cert that you are providing.
> ----- Original Message -----
> > From: "Randy Barlow" <rbarlow at redhat.com>
> > To: "Jeff Ortel" <jortel at redhat.com>, pulp-list at redhat.com
> > Sent: Friday, October 24, 2014 2:55:00 PM
> > Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
> > On 10/24/2014 02:40 PM, Ashby, Jason (IMS) wrote:
> > > Those certs are the ones generated by /usr/bin/pulp-qpid-ssl-cfg. I
> > > accepted the defaults for that script, except for the CA cert and key
> > > which I supplied with:
> > >
> > > Please specify a CA. Generated if not specified.
> > > Enter a path: /etc/pki/pulp_certs/pulpca.crt
> > >
> > > Please specify the CA key
> > > Enter a path: /etc/pki/pulp_certs/pulpca.key
> > >
> > > Does that answer your questions?
> > I'm not familiar with pulp-qpid-ssl-cfg myself. Jeff, do you know if
> > this is correct?
> > _______________________________________________
> > Pulp-list mailing list
> > Pulp-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pulp-list
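As an added example (not part of this thread or of Pulp itself), the following constructed shell session reproduces Jason's CA layout end to end with throwaway keys in a temp directory: a root CA standing in for the company's MS root, an intermediate Pulp CA signed by it, and a consumer certificate issued by that intermediate. The file names mirror the thread; the "Demo" subject names and the verify_against helper are mine. It shows why `openssl verify` (the check verify_cert runs) fails against pulpca.crt alone, fails against the root alone, and only succeeds against the concatenated pulpca_chain.crt.

```shell
#!/bin/sh
# Constructed demo of the thread's CA layout: root CA -> intermediate (Pulp) CA -> consumer cert.
# Everything is generated into a temp dir with throwaway keys; nothing touches /etc/pki.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA (stands in for the company's MS root CA, rootca.cer in the thread)
openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca.key -out rootca.crt \
    -subj "/CN=Demo Root CA" -days 2 2>/dev/null

# 2. Intermediate Pulp CA: a CSR signed by the root, marked as a CA so it may issue certs
openssl req -newkey rsa:2048 -nodes -keyout pulpca.key -out pulpca.csr \
    -subj "/CN=Demo Pulp CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in pulpca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial \
    -extfile ca.ext -out pulpca.crt -days 2 2>/dev/null

# 3. Consumer certificate issued by the intermediate, as pulp-qpid-ssl-cfg would do
openssl req -newkey rsa:2048 -nodes -keyout consumer.key -out consumer.csr \
    -subj "/CN=demo-consumer" 2>/dev/null
openssl x509 -req -in consumer.csr -CA pulpca.crt -CAkey pulpca.key -CAcreateserial \
    -out consumer.crt -days 2 2>/dev/null

# 4. The chain file from the thread: root first, then the intermediate
cat rootca.crt pulpca.crt > pulpca_chain.crt

# verify_against CAFILE CERT: the same check verify_cert runs; prints ok or fail
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Intermediate alone: fail (it is not self-signed, so openssl never reaches a trust anchor)
echo "pulpca.crt only:   $(verify_against pulpca.crt consumer.crt)"
# Root alone: fail (the issuer of consumer.crt, pulpca, is nowhere to be found)
echo "rootca.crt only:   $(verify_against rootca.crt consumer.crt)"
# Concatenated chain: ok, which is why ssl_ca_certificate must point at the chain file
echo "pulpca_chain.crt:  $(verify_against pulpca_chain.crt consumer.crt)"
```

The same three outcomes apply when the CAfile is the system ca-bundle.crt: both the root and the intermediate must be appended to it before consumers can validate broker certificates issued by the intermediate.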