[Pulp-list] My Failed PULP setup aka SSL Errors

Gavin Jones gavinj84 at gmail.com
Fri Oct 31 06:39:58 UTC 2014


Hey Randy,
       Thanks for your reply, yes you have some good points.

openssl x509 -in rootca.crt -noout -text  | grep -i   Version:
        Version: 3 (0x2)
openssl x509 -in pulp01.rap.local.crt -noout -text | grep -i   Version:
        Version: 1 (0x0)

openssl x509 -in pulpca.crt -noout -text | grep -i   Version:
        Version: 3 (0x2)
This step: openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key
-set_serial 01 -in pulp01.rap.local.csr -out pulp01.rap.local.crt produces
an SSLv1 Cert NOT an SSLv3 Cert... need to modify this somehow...


I will use these steps once the above is fixed

cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust enable
update-ca-trust extract

This time I located the hash from rootca.crt in
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

- I will modify this for the pulp_ca_chain file as you explained.

vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/pulp_certs/pulpca.crt
SSLCertificateKeyFile /etc/pki/pulp_certs/pulpca.key
SSLCACertificateFile /etc/pki/pulp_certs/pulpca_chain.crt

- After some SELinux fun with the certs:

setsebool -P httpd_read_user_content 1 etc.

systemctl restart httpd

https://pulp01.rap.local = shows up as CA Signed from the Intermediate CA.
So this is now working fine.

Understood will not touch any of the certs in: /etc/pki/pulp.

Went to create the repo:

pulp-admin -uadmin -padmin rpm repo create --repo-id rhel-7-server \
--feed https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os \
--feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem \
--feed-key=/etc/pki/entitlement/66666666-key.pem \
--feed-cert=/etc/pki/entitlement/66666666.pem \
--display-name "rhel-7-server" --description "RHEL 7 YUM Files"

- went to sync the repo :

pulp-admin rpm repo sync run --repo-id=rhel-7-server

- same error:

I have not touched these cert files, as they should be overridden by Apache?

vim /etc/pulp/server.conf

[security]
cacert: /etc/pki/pulp/ca.crt
cakey: /etc/pki/pulp/ca.key
ssl_ca_certificate: /etc/pki/pulp/ssl_ca.crt

vim /etc/pulp/admin/admin.conf

host = pulp01.rap.local
verify_ssl = True
ca_path = /etc/pki/tls/certs/ca-bundle.crt

Leaving the above alone: same error.

2014-10-31 17:29:24,249 - ERROR - Client-side exception occurred
Traceback (most recent call last):


Should I be modifying:

/etc/pulp/server.conf
/etc/httpd/conf.d/pulp.conf
/etc/pulp/admin/admin.conf

Is there anything obvious now outstanding? I have disabled SELinux in the
meantime.


Also, even if I want to skip SSL, I still have grief:

vim /etc/pulp/admin/admin.conf
verify_ssl = False

systemctl restart httpd.service = same error.

I have even checked in the home directory of the user I am using,
and there is NO:

~/.pulp/admin.conf
~/.pulp/server.conf

Which could override the global settings.

Thanks for your help so far.

On Fri, Oct 31, 2014 at 12:22 AM, Randy Barlow <rbarlow at redhat.com> wrote:

> On 10/29/2014 07:18 PM, Gavin Jones wrote:
> > openssl req -new -key pulpca.key -out pulpca.csr
> >
> >
> > *# On the MS Root CA*
> >
> > http://localrootca/certsrv/
> >
> > Request a Certificate > advanced certificate request >
> >
> > Paste the pulpca.csr Into the Saved Request Section >
> >
> > Certificate Template: Web Server
> >
> > Additional Attributes: Left this blank
> >
> > - Base64 > Download Certificate.
> >
> > scp certnew.cer as user admin across to pulp01
> >
> >
> > cd /home/admin
> >
> > chown -v root.root certnew.cer
> >
> > cp -v /home/admin/certnew.cer /etc/pki/pulp_certs/pulpca.crt
>
> One thing you may have missed in the above steps is that intermediate
> certificates must be SSL v3 certificates that have the CA constraint set
> to true. I'm not familiar with Microsoft, so I can't tell you how to do
> it. However, if you want to check if a certificate is a v3 cert, you can
> do something like this:
>
> [rbarlow at where ~]$ openssl x509 -in
> Documents/certificates/grapefruit-CA.pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>     <snip>
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 C7:AF:E2:AC:53:E6:5F:60:D6:52:3B:61:83:02:9F:4F:5C:11:52:DB
>             X509v3 Authority Key Identifier:
>
> keyid:5C:88:1C:B7:DF:DC:A8:C1:19:D1:C2:26:E0:DD:4C:A7:91:EC:D7:F3
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>             X509v3 Key Usage:
>                 Certificate Sign, CRL Sign
>             Netscape Cert Type:
>                 SSL CA, S/MIME CA
>     <snip>
>
> Note that the certificate listed itself as Version 3, and also note the
> X509v3 extensions section.
>
> > cat rootca.crt pulpca.crt > pulpca_chain.crt
>
> IIRC, a lot of software expects the chain to be in the other order, but
> perhaps not all software cares about this.
>
> > As per Randy's email: to add the certs in to the ca-bundle.crt to
> > survive the RHEL package updates to the CA bundle.
> >
> > man update-ca-trust as explained in QUICK HELP 1:
> >
> > cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/
> > update-ca-trust extract && echo $?
>
> You may need to run update-ca-trust enable one time before extract will
> work.
>
> > vim /etc/httpd/conf.d/ssl.conf
> <snip>
> > SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt         = This
> > should stay the same as we just updated our CA Trust???
>
> Changing this value will conflict with Pulp. If you look at
> /etc/httpd/conf.d/pulp.conf, you will see that we also set this setting.
> This is the CA that Pulp uses to sign client certificates upon login
> with pulp-admin. I would recommend leaving it as it was.
>
> I noted that you never mentioned having done anything with your
> pulp_ca_chain file. You should set the mod_ssl SSLCertificateChainFile
> Directive[0] to be a path to that file in /etc/httpd/conf.d/ssl.conf if
> you want Apache to advertise the chain. Without this, there is no way
> for clients to validate that httpd's cert is trusted all the way to a
> root CA.
>
>
> > Now Apache is telling me the SSL is self signed and should not be
> > trusted.... = Certificate Fail
>
> I believe this is due to the combination of the above issues.
>
> > My next question is should I be using separate SSL Certs for Apache and
> > PULP? As Pulp should read from Apache's SSL Certs I'd assume they would
> > be the same?
>
> Pulp is served by httpd using the certificates specified in
> /etc/httpd/conf.d/ssl.conf. Pulp itself also has some internal
> certificates it uses in /etc/pki/pulp, but you should never need to mess
> with those and I would recommend you leave them as is.
>
> [0]
> https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
>
>
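An added, self-contained check for the two points raised in the thread (this is editor-supplied example code, not anything from the list members or the Pulp project): whether a certificate is X.509 v3 carrying basicConstraints CA:TRUE, and whether a PEM chain file is ordered so that each certificate is issued by the one after it. It uses only the Python standard library with a deliberately minimal DER reader, so it can be run without openssl; the certificates it inspects are constructed samples with placeholder keys and signatures, named after the files in the thread. The v1 sample reproduces what `openssl x509 -req` emits when no `-extfile`/`-extensions` is supplied: the version field is absent (which means v1) and, because extensions are only legal in v3, no CA constraint can be present.

```python
"""Standard-library checks: X.509 version + basicConstraints, and PEM chain order.
All certificates here are constructed samples (placeholder keys/signatures)."""
import base64
import re

# ---- minimal DER encoder, used only to build the sample certificates ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def name(cn):
    # Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }
    return seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))

OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                               # 2.5.29.19
RSA_SHA256 = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption

def make_cert(subject, issuer, v3_ca=None):
    """v3_ca=None  -> v1 certificate: no version field, no extensions (what
                     `openssl x509 -req` produces without -extfile/-extensions).
       v3_ca=T/F   -> v3 certificate with basicConstraints CA:<v3_ca>."""
    fields = [integer(1), RSA_SHA256, name(issuer),
              seq(tlv(0x17, b"141031000000Z"), tlv(0x17, b"241031000000Z")),
              name(subject), seq(RSA_SHA256, tlv(0x03, b"\x00"))]     # placeholder SPKI
    if v3_ca is not None:
        bc_value = seq(tlv(0x01, b"\xff")) if v3_ca else seq()         # cA DEFAULT FALSE is omitted in DER
        ext = seq(tlv(0x06, OID_BASIC_CONSTRAINTS), tlv(0x01, b"\xff"), tlv(0x04, bc_value))
        fields = [tlv(0xA0, integer(2))] + fields + [tlv(0xA3, seq(ext))]
    return seq(seq(*fields), RSA_SHA256, tlv(0x03, b"\x00"))          # placeholder signature

# ---- minimal DER reader ----
def children(body):
    """Split a DER body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def inspect(cert_der):
    """Return version, CA flag (None when no basicConstraints) and raw issuer/subject Names."""
    fields = children(children(children(cert_der)[0][1])[0][1])       # Certificate -> tbsCertificate
    version = 1                                                        # absent version field means v1
    if fields[0][0] == 0xA0:                                           # [0] EXPLICIT Version
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    info = {"version": version, "ca": None, "issuer": fields[2][1], "subject": fields[4][1]}
    for tag, val in fields[5:]:
        if tag == 0xA3:                                                # [3] extensions: v3 only
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)                                  # OID, [critical], OCTET STRING
                if parts[0][1] == OID_BASIC_CONSTRAINTS:
                    bc = children(children(parts[-1][1])[0][1])        # OCTET STRING -> SEQUENCE
                    info["ca"] = any(t == 0x01 and v != b"\x00" for t, v in bc)
    return info

def pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def chain_in_order(pem_bundle):
    """True when every certificate is issued by the next one: leaf first, root last."""
    certs = [inspect(base64.b64decode(b64)) for b64 in re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)]
    return len(certs) > 0 and all(a["issuer"] == b["subject"] for a, b in zip(certs, certs[1:]))

# constructed samples named after the thread's files
ROOT = make_cert("rootca", "rootca", v3_ca=True)
PULPCA = make_cert("pulpca", "rootca", v3_ca=True)
LEAF_V1 = make_cert("pulp01.rap.local", "pulpca")                      # the unwanted v1 result
LEAF_V3 = make_cert("pulp01.rap.local", "pulpca", v3_ca=False)

if __name__ == "__main__":
    for label, c in [("rootca", ROOT), ("pulpca", PULPCA), ("pulp01 v1", LEAF_V1), ("pulp01 v3", LEAF_V3)]:
        i = inspect(c)
        print(f"{label:10} version {i['version']}  CA:{i['ca']}")
    print("rootca,pulpca order ok:", chain_in_order(pem(ROOT) + pem(PULPCA)))   # False
    print("pulpca,rootca order ok:", chain_in_order(pem(PULPCA) + pem(ROOT)))   # True
```

The chain check is the general form of the remark in the reply about ordering: concatenated in the `cat rootca.crt pulpca.crt` order the issuer of the first certificate is not the subject of the second, so the function reports False; with the intermediate first it reports True. Note that this reader is intentionally minimal (no signature verification, no name canonicalisation), so it answers the structural questions from the thread and nothing more.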