[Pulp-list] My Failed PULP setup aka SSL Errors

Randy Barlow rbarlow at redhat.com
Thu Oct 30 13:22:14 UTC 2014

On 10/29/2014 07:18 PM, Gavin Jones wrote:
> openssl req -new -key pulpca.key -out pulpca.csr
> *# On the MS Root CA*
> http://localrootca/certsrv/
> Request a Certificate > advanced certificate request > 
> Paste the pulpca.csr Into the Saved Request Section > 
> Certifcate Template: Web Server
> Additional Attributes: Left this blank
> - Base64 > Download Certificate.
> scp certnew.cer as user admin across to pulp01
> cd /home/admin
> chown -v root.root certnew.cer
> cp -v /home/admin/certnew.cer /etc/pki/pulp_certs/pulpca.crt

One thing you may have missed in the above steps is that intermediate
certificates must be SSL v3 certificates that have the CA constraint set
to true. I'm not familiar with Microsoft, so I can't tell you how to do
it. However, if you want to check if a certificate is a v3 cert, you can
do something like this:

[rbarlow at where ~]$ openssl x509 -in
Documents/certificates/grapefruit-CA.pem -noout -text
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:


            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA

Note that the certificate listed itself as Version 3, and also note the
X509v3 extensions section.

> cat rootca.crt pulpca.crt > pulpca_chain.crt

IIRC, a lot of software expects the chain to be in the other order, but
perhaps not all software cares about this.

> As per Randy's email: to add the certs in to the ca-bundle.crt to
> survive the RHEL package updates to the CA bundle.
> man update-ca-trust as explained in QUICK HELP 1: 
> cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/
> update-ca-trust extract && echo $?

You may need to run update-ca-trust enable one time before extract will

> vim /etc/httpd/conf.d/ssl.conf
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt         = This
> should stay the same as we just updated our CA Trust???

Changing this value will conflict with Pulp. If you look at
/etc/httpd/conf.d/pulp.conf, you will see that we also set this setting.
This is the CA that Pulp uses to sign client certificates upon login
with pulp-admin. I would recommend leaving it as it was.

I noted that you never mentioned having done anything with your
pulp_ca_chain file. You should set the mod_ssl SSLCertificateChainFile
Directive[0] to be a path to that file in /etc/httpd/conf.d/ssl.conf if
you want Apache to advertise the chain. Without this, there is no way
for clients to validate that httpd's cert is trusted all the way to a
root CA.

> Now Apache is telling me the SSL is self signed and should not be
> trusted.... = Certificate Fail

I believe this is due to the combination of the above issues.

> My next question is should I be using separate SSL Certs for Apache and
> PULP? As Pulp should read from Apache's SSL Certs I'd assume they would
> be the same?

Pulp is served by httpd using the certificates specified in
/etc/httpd/conf.d/ssl.conf. Pulp itself also has some internal
certificates it uses in /etc/pki/pulp, but you should never need to mess
with those and I would recommend you leave them as is.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20141030/aeddda4c/attachment.sig>

More information about the Pulp-list mailing list