[Pulp-list] yum and ssl certificates

Cristian Falcas cristi.falcas at gmail.com
Fri Mar 13 16:00:37 UTC 2015


On Fri, Mar 13, 2015 at 5:47 PM, Randy Barlow <rbarlow at redhat.com> wrote:
> On 03/13/2015 08:51 AM, Cristian Falcas wrote:
>> For a consumer that binds to a repo, yum will be configured with
>> ssl, but will not have any certificates defined. I don't know what
>> files I should put for sslclientcert and sslclientkey.
>
> Hello Cristian!
>
> You only need these settings configured if you are configuring the
> consumers to connect to a "protected" repository. If you do that, I
> believe Pulp should fill out those settings for you. Are you using a
> protected repository?

Pulp will set by default all repos to be protected. I'm trying to see
what needs to be done in order to use a default pulp installation.

It will define the http configuration for repos with:
    WSGIAccessScript /srv/pulp/repo_auth.wsgi
    SSLVerifyClient require

>
>> Also, can the "pulp-consumer rpm bind" command be used to set the
>> certificates also? Currently, with the default configuration of
>> pulp, all access is rejected.
>
> Yes, binding the consumer to the repository should configure those
> settings in the case that you have configured protection.
>
> I get the sense (not empirically) that not many of our users use
> repository protection. If you aren't doing that, perhaps there is a
> different issue happening. Can you share the specific error messages
> you are seeing?

The error is from the apache and it says something about
/srv/pulp/repo_auth.wsgi rejecting the connection.

This is the result of binding to a repo:

cat /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#

[pulp_beta]
name = pulp_beta
enabled = 1
sslverify = 0
gpgcheck = 0

Like you see, there are no certificates added. Also, I don't know
where the certificates are created.

>
> A wild guess on my part, but perhaps your consumer is simply missing
> the certificate authority that signed the httpd server's certificate,
> and is complaining about the insecure SSL connection? If that is so, I
> think I can help ☺

You lost me here :). I don't understand what you are saying. I have
ca_path set to the default value (/etc/pki/tls/certs/ca-bundle.crt)


>
> --
> Randy Barlow

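As an added example (not from this thread and not Pulp's own code), here is a small Python audit of a yum .repo file that flags the settings the thread is about: the pulp.repo stanza shown above has sslverify=0, gpgcheck=0, no baseurl and no sslclientcert/sslclientkey, which is exactly what a repo behind `SSLVerifyClient require` will refuse. The weak sample is copied from the message; the hardened stanza, the host name pulp.example.com and the /path/to/consumer.* certificate paths are assumptions for illustration, not Pulp defaults.

```python
import configparser

# Constructed sample 1: the pulp.repo that the bind produced in the thread
# above (copied from the message): no baseurl, sslverify off, no client
# certificate or key, gpgcheck off.
WEAK_REPO = """\
#
# Pulp Repositories
# Managed by Pulp client
#

[pulp_beta]
name = pulp_beta
enabled = 1
sslverify = 0
gpgcheck = 0
"""

# Constructed sample 2: what the same stanza needs to look like for a consumer
# talking to a protected repo served with `SSLVerifyClient require`.  The host
# name and the certificate/key paths are placeholders (assumptions), not Pulp
# defaults; the CA bundle path is the one named in the thread.
HARDENED_REPO = """\
[pulp_beta]
name = pulp_beta
enabled = 1
baseurl = https://pulp.example.com/pulp/repos/beta/
sslverify = 1
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /path/to/consumer.crt
sslclientkey = /path/to/consumer.key
gpgcheck = 1
"""


def audit_repo_file(text):
    """Return {repo_id: [finding, ...]} for every stanza in a yum .repo file.

    Disabled stanzas are skipped (empty list).  An empty list for an enabled
    stanza means none of the checks below fired.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for repo_id in cfg.sections():
        sec = cfg[repo_id]
        findings = []
        report[repo_id] = findings
        if not sec.getboolean("enabled", fallback=True):
            continue

        baseurl = sec.get("baseurl", "").strip()
        if not baseurl:
            findings.append("no baseurl: yum has no URL to fetch this repository from")
        uses_tls = baseurl.lower().startswith("https://")

        # sslverify=0 switches off verification of the server certificate, so
        # anyone who can intercept the connection can serve arbitrary packages.
        if not sec.getboolean("sslverify", fallback=True):
            findings.append("sslverify=0: the server certificate is not verified")

        # With gpgcheck=0 nothing checks package signatures either, so the TLS
        # problems above are not caught at install time.
        if not sec.getboolean("gpgcheck", fallback=True):
            findings.append("gpgcheck=0: package signatures are not checked")

        # Apache's `SSLVerifyClient require` rejects the handshake unless the
        # client presents a certificate, so both settings must be present for a
        # protected repo.  A stanza without a baseurl is treated as TLS, since
        # Pulp configures its repos with ssl.
        cert = sec.get("sslclientcert", "").strip()
        key = sec.get("sslclientkey", "").strip()
        if (uses_tls or not baseurl) and not (cert and key):
            findings.append(
                "sslclientcert/sslclientkey missing: a repo behind "
                "SSLVerifyClient require will reject the connection"
            )
        elif bool(cert) != bool(key):
            findings.append("only one of sslclientcert/sslclientkey is set")
    return report


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        for repo_id, findings in audit_repo_file(text).items():
            print(f"[{label}] {repo_id}: {findings or 'OK'}")
```

Run it against a real /etc/yum.repos.d/pulp.repo by reading the file into `audit_repo_file`; the checks are the ones a consumer hitting the repo_auth.wsgi rejection in the thread would want to look at first.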