[Pulp-list] Qpid SSL on Pulp 2.4

Gavin Jones gavinj84 at gmail.com
Wed Oct 29 05:10:31 UTC 2014


Jason, thanks for your explanation; things are kind of clicking. Let me
rebuild and rewrite my instructions and I will have another go.

Either way thanks for your explanations and effort on this.

On Wed, Oct 29, 2014 at 12:27 PM, Ashby, Jason (IMS) <AshbyJ at imsweb.com>
wrote:

>  I’m no expert here either, but this is how I understand intermediary SSL
> certificates, so someone correct me if this is misleading!!
>
>
>
> Essentially, there is only one root CA for your organization.  In this
> case, your root CA cert is the one you’ve set up with Microsoft Active
> Directory Certificate Services.  You use this root CA to sign your
> intermediary CA.  This intermediary CA will then be used to sign any certs
> used for pulp.
>
>
>
> The benefit of using an intermediary CA is so you don’t have to directly
> issue certificates with your root CA.  You are keeping your root CA safe
> and essentially “offline”, and it reduces the risk of it being
> compromised.  If the root CA is compromised, then all certificates it has
> issued have become untrustworthy.  So it adds an extra layer of security.
>
>
>
> Related:
> https://support.globalsign.com/customer/portal/articles/1217450-overview---intermediate-certificates
>
>
>
> Here are my notes:
>
>
>
> cd /etc/pki/
>
> sudo mkdir pulp_certs
>
> cd pulp_certs
>
>
>
> # create RSA key for intermediary CA
>
> sudo openssl genrsa -out pulpca.key 2048
>
>
>
> # create certificate signing request
>
> # Submit a request (base 64 encoded) via Microsoft AD Certificate Services. Paste csr into box and download base 64 encoded certificate.
>
> # CN=pulp
>
> sudo openssl req -new -key pulpca.key -out pulpca.csr
>
> # copy the resulting certnew.cer to /etc/pki/pulp_certs/pulpca.crt
>
>
>
>
>
> Create SSL cert for the pulp service which is run via Apache, using our
> intermediary CA cert to sign it:
>
> sudo openssl genrsa -out pulp.example.com.key 2048
>
> # using pulp.example.com as the CN:
>
> sudo openssl req -new -key pulp.example.com.key -out pulp.example.com.csr
>
> sudo openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key -set_serial 01 -in pulp.example.com.csr -out pulp.example.com.crt
>
>
>
>
>
> Save the root CA chain to the /etc/pki/pulp_certs directory, which you get
> from MS AD cert services:
>
>
>
> - Download a CA certificate, certificate chain, or CRL
>
> - click link for "To trust certificates issued from this certification
> authority, install this CA certificate."
>
>
>
> Then I put the root and intermediary certs into a chain file.  The chain I
> used for the ssl_ca_certificate setting in /etc/pulp/server.conf, but as
> Randy suggested, this is not necessary if you set something in Apache…I’d
> have to look back.
>
>
>
> sudo su - # go full root to cat to file
>
> cd /etc/pki/pulp_certs
>
> cat myrootca.crt pulpca.crt > pulpca_chain.crt
>
>
>
> I also added them to my ca-bundle.crt and passed that to all my Linux
> systems so they trust my root CA.  Randy also provided great instructions
> on why you should use trust anchors instead, which I plan to implement/fix
> soon.  But for completeness:
>
>
>
> openssl x509 -in /etc/pki/pulp_certs/myrootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
>
>
>
>
>
> Stick with Pulp 2.4.  Above were my notes from 2.3, so setting up your SSL
> certs should be no different with 2.3 vs 2.4.  Not sure what happened with
> my upgrade, but something got corrupted, so I just built 2.4 fresh.
>
>
>
> Cheers,
>
> Jason
>
>
>
>
>
> *From:* Gavin Jones [mailto:gavinj84 at gmail.com]
> *Sent:* Tuesday, October 28, 2014 6:24 PM
> *To:* Ashby, Jason (IMS)
> *Cc:* Brian Bouterse; Randy Barlow; pulp-list at redhat.com
> *Subject:* Re: Qpid SSL on Pulp 2.4
>
>
>
> Hey Jason,
> Thanks for the info. I am still a big-time newbie on understanding
> intermediary SSL etc.
>
>
>
> If I am understanding correctly, on the Pulp host I would have to create
> my own root CA with instructions like this:
> https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/
> and sign the Pulp root CA with my internal MS root CA cert? Or would I just
> concatenate both the MS internal root CA and the Pulp Linux root CA into a
> chain as you have specified above?
>
>
>
> Sorry, I am a big-time newbie at this. Or would it be easier to just
> downgrade to a safer version of Pulp?
>
>
>
> Thanks for your time.
>
>
>
> On Wed, Oct 29, 2014 at 12:04 AM, Ashby, Jason (IMS) <AshbyJ at imsweb.com>
> wrote:
>
> I'm all squared away now with my certs.  I CC'ed Gavin since he was having
> similar issues with a similar intermediary setup. Here are some notes that
> may help others, and one of them seems like a bug in verify_cert, or at
> least a bug with my setup.
>
>
> I had to create a chain cert for ssl_ca_certificate:
>
> # /etc/pulp/server.conf
> [security]
> cacert: /etc/pki/pulp_certs/pulpca.crt
> cakey: /etc/pki/pulp_certs/pulpca.key
> ssl_ca_certificate: /etc/pki/pulp_certs/pulpca_chain.crt
>
> The chain cert was created by concatenating my company's root CA and the
> intermediary CA (the pulp CA which was signed by the root CA):
>
> cat rootca.cer pulpca.crt > pulpca_chain.crt
>
> You can get your Microsoft-based root CA (rootca.cer above) from the
> certsrv application:
>
> - Download a CA certificate, certificate chain, or CRL
> - click link for "To trust certificates issued from this certification
> authority, install this CA certificate."
>
>
> Add your root and intermediary CAs to the system CA bundle (copy
> ca-bundle.crt out to all consumers too):
>
> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
>
>
> In addition, I found that certificates could not be verified against the
> intermediary CA alone.  I had to make the following change to verify_cert
> in order to get M2Crypto to use the chain (specified in server.conf
> ssl_ca_certificate):
>
>
> # /usr/lib/python2.6/site-packages/pulp/server/managers/auth/cert/cert_generator.py
>     def verify_cert(self, cert_pem):
>         '''
>         Ensures the given certificate can be verified against the server's CA.
>
>         @param cert_pem: PEM encoded certificate to be verified
>         @type  cert_pem: string
>
>         @return: True if the certificate is successfully verified against the CA; False otherwise
>         @rtype:  boolean
>         '''
>
>         # M2Crypto doesn't support verifying a cert against a CA, so call out to openssl
>         # ca_cert = config.config.get('security', 'cacert')
>         # FIX - Use CA chain in order to support the use of an intermediary CA aka sub-CA
>         ca_cert = config.config.get('security', 'ssl_ca_certificate')
>
>         cmd = 'openssl verify -CAfile %s' % ca_cert
>         p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
>                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
>
>
>
> Hope that helps. I'll try to file a bug with more info later.  Right now
> I've got some catching up to do :).
>
> -----Original Message-----
> From: pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com]
> On Behalf Of Brian Bouterse
> Sent: Friday, October 24, 2014 3:22 PM
> To: Randy Barlow
> Cc: pulp-list at redhat.com
> Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
>
> By using the pulp-qpid-ssl-cfg and using your own CA and key, it then used
> the CA to create a certificate for the broker and the client, and it also
> adds them to an NSS database.
>
> Interestingly, your server.conf doesn't specify the same CA you told
> pulp-qpid-ssl-cfg to use. I expected cacert to be
> /etc/pki/pulp_certs/pulpca.crt for both the [messaging] and [tasks]
> section. Any changes to that file require a restart of all the services.
> What does that do?
>
> As another thing to try, could you try having the script generate its own
> CA and use the recommended settings it provides? You could give it a
> different root folder so you could have the certs side-by-side in the
> filesystem. This would let us troubleshoot from a known working state with
> SSL working just not with a cert you provide. Just a thought about how we
> can eliminate all other concerns besides a cert that you are providing.
>
> -Brian
>
>
> ----- Original Message -----
> > From: "Randy Barlow" <rbarlow at redhat.com>
> > To: "Jeff Ortel" <jortel at redhat.com>, pulp-list at redhat.com
> > Sent: Friday, October 24, 2014 2:55:00 PM
> > Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
> >
> > On 10/24/2014 02:40 PM, Ashby, Jason (IMS) wrote:
> > > Those certs are the ones generated by /usr/bin/pulp-qpid-ssl-cfg.  I
> > > accepted the defaults for that script, except for the CA cert and key
> > > which I supplied with:
> > >
> > > Please specify a CA.  Generated if not specified.
> > >   Enter a path: /etc/pki/pulp_certs/pulpca.crt
> > >
> > > Please specify the CA key
> > >   Enter a path: /etc/pki/pulp_certs/pulpca.key
> > >
> > > Does that answer your questions?
> >
> > I'm not familiar with pulp-qpid-ssl-cfg myself. Jeff, do you know if
> > this is correct?
> >
> >
> > _______________________________________________
> > Pulp-list mailing list
> > Pulp-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pulp-list
>
>
> ________________________________
>
> Information in this e-mail may be confidential. It is intended only for
> the addressee(s) identified above. If you are not the addressee(s), or an
> employee or agent of the addressee(s), please note that any dissemination,
> distribution, or copying of this communication is strictly prohibited. If
> you have received this e-mail in error, please notify the sender of the
> error.
>
>
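The chain-verification behaviour Jason describes above (a leaf certificate cannot be verified against the intermediate CA alone, but does verify against the root+intermediate chain file he points ssl_ca_certificate at), reproduced as an added example that is not part of this thread or of Pulp's code. It assumes only the openssl command-line tool; the file names (myrootca.crt, pulpca.crt, pulpca_chain.crt, pulp.example.com.crt) mirror the thread, while the subjects, serials and the throwaway OpenSSL config are constructed here, and everything is written to a temporary directory that is removed afterwards. The third check goes beyond the thread: it shows the trust-anchor style Randy is referred to, where only the root is trusted and the intermediate is passed to openssl as an untrusted chain certificate instead of being appended to the trust file.

```shell
#!/bin/sh
# Added example (not from the thread or from Pulp): build a throwaway
# root CA -> intermediate CA ("pulpca") -> leaf certificate chain and
# show how 'openssl verify' behaves with different trust inputs.
# Assumes only the openssl CLI. All files live in a temp directory.

demo_chain_verify() {
    (
        set -e
        work=$(mktemp -d)
        cd "$work"

        # Self-contained OpenSSL config so 'req' does not depend on a
        # system openssl.cnf. Constructed for this example.
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pulp.example.com
EOF

        # 1. Root CA: stands in for the AD Certificate Services root.
        openssl genrsa -out myrootca.key 2048 2>/dev/null
        openssl req -x509 -new -key myrootca.key -subj "/CN=Example Root CA" \
            -days 30 -config ca.cnf -extensions ca_ext -out myrootca.crt

        # 2. Intermediate CA (CN=pulp), signed by the root.
        openssl genrsa -out pulpca.key 2048 2>/dev/null
        openssl req -new -key pulpca.key -subj "/CN=pulp" -config ca.cnf \
            -out pulpca.csr
        openssl x509 -req -in pulpca.csr -CA myrootca.crt -CAkey myrootca.key \
            -set_serial 01 -days 30 -extfile ca.cnf -extensions ca_ext \
            -out pulpca.crt 2>/dev/null

        # 3. Leaf certificate for the Pulp host, signed by the intermediate.
        openssl genrsa -out pulp.example.com.key 2048 2>/dev/null
        openssl req -new -key pulp.example.com.key -subj "/CN=pulp.example.com" \
            -config ca.cnf -out pulp.example.com.csr
        openssl x509 -req -in pulp.example.com.csr -CA pulpca.crt -CAkey pulpca.key \
            -set_serial 02 -days 30 -extfile ca.cnf -extensions leaf_ext \
            -out pulp.example.com.crt 2>/dev/null

        # 4. Chain file as built in the thread: root first, then intermediate.
        cat myrootca.crt pulpca.crt > pulpca_chain.crt

        # (a) Intermediate alone as -CAfile: the chain never reaches a
        #     self-signed root, so verification fails
        #     ("unable to get issuer certificate").
        if openssl verify -CAfile pulpca.crt pulp.example.com.crt >/dev/null 2>&1
        then alone=ok; else alone=fail; fi

        # (b) Root+intermediate chain file as -CAfile: succeeds, which is why
        #     ssl_ca_certificate had to point at the chain file.
        if openssl verify -CAfile pulpca_chain.crt pulp.example.com.crt >/dev/null 2>&1
        then chain=ok; else chain=fail; fi

        # (c) Trust-anchor style: only the root is trusted; the intermediate is
        #     supplied as an untrusted chain cert. Also succeeds, without
        #     putting the intermediate in the trust store.
        if openssl verify -CAfile myrootca.crt -untrusted pulpca.crt \
               pulp.example.com.crt >/dev/null 2>&1
        then anchor=ok; else anchor=fail; fi

        cd / && rm -rf "$work"
        printf 'intermediate-only=%s chain-file=%s root-anchor+untrusted=%s\n' \
            "$alone" "$chain" "$anchor"
    )
}

demo_chain_verify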