[Pulp-list] My Failed PULP setup aka SSL Errors
gavinj84 at gmail.com
Fri Oct 31 06:39:58 UTC 2014
Thanks for your reply, yes you have some good points.
openssl x509 -in rootca.crt -noout -text | grep -i Version:
Version: 3 (0x2)
openssl x509 -in pulp01.rap.local.crt -noout -text | grep -i Version:
Version: 1 (0x0)
openssl x509 -in pulpca.crt -noout -text | grep -i Version:
Version: 3 (0x2)
This step: openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key
-set_serial 01 -in pulp01.rap.local.csr -out pulp01.rap.local.crt produces
an SSLv1 Cert NOT an SSLv3 Cert... need to modify this somehow...
I will use these steps once the above is fixed
cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/
This time I located the hash from rootca.crt, in
- I will modify this for the pulp_ca_chain file as you explained.
- After some SELinux fun with the certs:
setsebool -P httpd_read_user_content 1 etc.
systemctl restart httpd
https://pulp01.rap.local = shows up as CA Signed from the Intermediate CA.
So this is now working fine.
Understood, will not touch any of the certs in: /etc/pki/pulp.
Went to create the repo:
pulp-admin -uadmin -padmin rpm repo create --repo-id rhel-7-server \
--feed https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os \
--display-name "rhel-7-server" --description "RHEL 7 YUM Files"
- went to sync the repo :
pulp-admin rpm repo sync run --repo-id=rhel-7-server
- same error:
I have not touched these cert files as they should be overridden by Apache?
host = pulp01.rap.local
verify_ssl = True
ca_path = /etc/pki/tls/certs/ca-bundle.crt
Leaving the above alone: same error.
2014-10-31 17:29:24,249 - ERROR - Client-side exception occurred
Traceback (most recent call last):
Should I be modifying:
Is there anything obvious now outstanding? I have disabled selinux in the
Also, even if I want to skip SSL, I still have grief:
verify_ssl = False
systemctl restart httpd.service = same error.
I have even checked in the home directory of the user I am using:
and there is NO:
Which could override the global settings.
Thanks for your help so far.
On Fri, Oct 31, 2014 at 12:22 AM, Randy Barlow <rbarlow at redhat.com> wrote:
> On 10/29/2014 07:18 PM, Gavin Jones wrote:
> > openssl req -new -key pulpca.key -out pulpca.csr
> > *# On the MS Root CA*
> > http://localrootca/certsrv/
> > Request a Certificate > advanced certificate request >
> > Paste the pulpca.csr Into the Saved Request Section >
> > Certificate Template: Web Server
> > Additional Attributes: Left this blank
> > - Base64 > Download Certificate.
> > scp certnew.cer as user admin across to pulp01
> > cd /home/admin
> > chown -v root.root certnew.cer
> > cp -v /home/admin/certnew.cer /etc/pki/pulp_certs/pulpca.crt
> One thing you may have missed in the above steps is that intermediate
> certificates must be SSL v3 certificates that have the CA constraint set
> to true. I'm not familiar with Microsoft, so I can't tell you how to do
> it. However, if you want to check if a certificate is a v3 cert, you can
> do something like this:
> [rbarlow at where ~]$ openssl x509 -in
> Documents/certificates/grapefruit-CA.pem -noout -text
> Version: 3 (0x2)
> X509v3 extensions:
> X509v3 Subject Key Identifier:
> X509v3 Authority Key Identifier:
> X509v3 Basic Constraints:
> X509v3 Key Usage:
> Certificate Sign, CRL Sign
> Netscape Cert Type:
> SSL CA, S/MIME CA
> Note that the certificate listed itself as Version 3, and also note the
> X509v3 extensions section.
> > cat rootca.crt pulpca.crt > pulpca_chain.crt
> IIRC, a lot of software expects the chain to be in the other order, but
> perhaps not all software cares about this.
> > As per Randy's email: to add the certs in to the ca-bundle.crt to
> > survive the RHEL package updates to the CA bundle.
> > man update-ca-trust as explained in QUICK HELP 1:
> > cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/
> > update-ca-trust extract && echo $?
> You may need to run update-ca-trust enable one time before extract will
> > vim /etc/httpd/conf.d/ssl.conf
> > SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt = This
> > should stay the same as we just updated our CA Trust???
> Changing this value will conflict with Pulp. If you look at
> /etc/httpd/conf.d/pulp.conf, you will see that we also set this setting.
> This is the CA that Pulp uses to sign client certificates upon login
> with pulp-admin. I would recommend leaving it as it was.
> I noted that you never mentioned having done anything with your
> pulp_ca_chain file. You should set the mod_ssl SSLCertificateChainFile
> Directive to be a path to that file in /etc/httpd/conf.d/ssl.conf if
> you want Apache to advertise the chain. Without this, there is no way
> for clients to validate that httpd's cert is trusted all the way to a
> root CA.
> > Now Apache is telling me the SSL is self signed and should not be
> > trusted.... = Certificate Fail
> I believe this is due to the combination of the above issues.
> > My next question is should I be using separate SSL Certs for Apache and
> > PULP? As Pulp should read from Apache's SSL Certs I'd assume they would
> > be the same?
> Pulp is served by httpd using the certificates specified in
> /etc/httpd/conf.d/ssl.conf. Pulp itself also has some internal
> certificates it uses in /etc/pki/pulp, but you should never need to mess
> with those and I would recommend you leave them as is.
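Randy's check for a v3 certificate with the CA constraint, Gavin's finding that `openssl x509 -req` without extensions yields a v1 certificate, and the chain-order point, worked through end to end as an added example (my script, not code from the thread; the CA names and the temporary directory are constructed, and it assumes `openssl` is on the PATH):

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root, an intermediate
# signed WITH v3 CA extensions (what the MS "Web Server" template lacks), and a
# server cert signed both the thread's way (no -extfile) and with an extension
# file, then check version and CA constraint as Randy's -text output shows.
set -eu
WORK=$(mktemp -d)   # constructed scratch dir; nothing touches /etc/pki
cd "$WORK"

# Print the X.509 version number ("1" or "3") of a PEM certificate.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p' | head -n 1
}

# Succeed only if the certificate carries Basic Constraints with CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeed only if $1 validates through the intermediate up to the root.
verify_chain() {
  openssl verify -CAfile rootca.crt -untrusted pulpca.crt "$1" >/dev/null 2>&1
}

# Constructed self-signed root (stands in for the MS Root CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout rootca.key \
  -out rootca.crt -subj "/CN=Constructed Test Root CA" 2>/dev/null
# Intermediate CSR as in the thread, then sign it with real CA extensions.
openssl req -new -newkey rsa:2048 -nodes -keyout pulpca.key -out pulpca.csr \
  -subj "/CN=Constructed Pulp CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -days 3650 -CA rootca.crt -CAkey rootca.key -set_serial 01 \
  -in pulpca.csr -out pulpca.crt -extfile ca.ext 2>/dev/null

# Server CSR for pulp01.rap.local.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=pulp01.rap.local" 2>/dev/null
# The thread's command: no extensions requested, so OpenSSL 1.0.x emits a v1 cert.
openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key -set_serial 01 \
  -in server.csr -out server_v1.crt 2>/dev/null
# The fix: pass an extension file, which forces a v3 certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pulp01.rap.local\n' > srv.ext
openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key -set_serial 02 \
  -in server.csr -out server_v3.crt -extfile srv.ext 2>/dev/null

# Chain file for SSLCertificateChainFile: intermediate first, root last.
cat pulpca.crt rootca.crt > pulp_ca_chain.crt
echo "pulpca v$(cert_version pulpca.crt); server: thread v$(cert_version server_v1.crt), fixed v$(cert_version server_v3.crt); files in $WORK"
```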