[Pulp-list] Pulp v2.4 with SSL

Randy Barlow rbarlow at redhat.com
Thu Sep 25 19:21:22 UTC 2014


Hi Trey,

On 09/25/2014 12:12 PM, Trey Dockendorf wrote:
> I'd like to use verify_ssl, but unsure how to go about this.
> 
> I use Puppet for my infrastructure, and am comfortable re-using that
> CA for Pulp, but unsure how to make that work in Pulp.
> 
> My other option would be to get a trusted SSL cert from my University.
> My University (where these servers run) provides InCommon SSL certs.
> Again, unsure how to configure Pulp if I get a certificate that's
> trusted.

The easiest option is to configure Apache to serve Pulp with an SSL
certificate that is signed by a CA that is already trusted by all the
machines that will interact with Pulp. If for some reason you don't want
to acquire a signature from a root CA that is already trusted, you can
also make your own CA but you will have to install that CA certificate
on all machines that want to interact with Pulp over SSL.

> My concern is how Pulp interacts with SSL in terms of consumers /
> clients.  Does Pulp have to be able to sign the clients, or are the
> clients expected to have a certificate from the CA used by Pulp?
> Getting a certificate from my University for every client would be
> difficult and time consuming, and impossible to automate.

Are you asking about protected repositories that require client
certificates? Non-protected repositories do not require the clients to
present certificates. If the clients are accessing the repositories over
SSL, they will simply need to have the appropriate root CA certificates
installed.

> Using Puppet certificates can be automated, as I do that currently for
> my LDAP setup, but if Pulp is expected to sign certificates, that
> would be an issue, at least in my limited understanding.

Pulp does sign client certificates that are used for authentication. For
example, this is how pulp-admin login works. However, Pulp can use its
own CA for this activity that is separate from the CA that was used to
sign the certificate that Apache uses.
