[Pulp-list] yum and ssl certificates

[Randy Barlow]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/13/2015 12:00 PM, Cristian Falcas wrote:
>> Pulp will set by default all repos to be protected. I'm trying to
>> see what needs to be done in order to use a default pulp
>> installation.
> 
>> It will define the http configuration for repos with: 
>> WSGIAccessScript /srv/pulp/repo_auth.wsgi SSLVerifyClient
>> require

It's true that the WSGIAccessScript handles all SSL requests, but it
by default is permissive. To enable it, you would need to edit
/etc/pulp/repo_auth.conf and set [main] --> enabled to true. Is that
set to true on your system? If so, this might be your issue. Unless,
of course, you are trying to use repository protection.

If you are trying to use repository protection, I'm afraid you will
need something like Candlepin to create the client certificates for
you. Pulp itself does not generate the consumer certificates.

> A wild guess on my part, but perhaps your consumer is simply
> missing the certificate authority that signed the httpd server's
> certificate, and is complaining about the insecure SSL connection?
> If that is so, I think I can help ☺
> 
>> You lost me here :). I don't understand what you are saying. I
>> have ca_path set.to the default value
>> (/etc/pki/tls/certs/ca-bundle.crt)

By default, we have verify_ssl set to true (it seems that you have set
that to false, based on the pulp.repo config you provided). Since you
have this set to false, it's not the issue you were running into.
However, I'll try to explain what I meant a little more clearly:

The consumer is connecting to Pulp via SSL. When this happens, httpd
presents the consumer with its SSL certificate, and the consumer is
given a chance to challenge that certificate with a nonce, to prove
that the server has the corresponding private key. During this
exchange, the consumer will also check that the server's certificate
is signed by a certificate authority that it trusts. Since httpd uses
a self-signed certificate by default, this signature validation step
will fail out of the box. Some users will set verify_ssl to false,
which basically disables this check, but also removes a significant
piece of the protection of SSL since you are no longer verifying the
identity of the Pulp server (i.e., you could be getting a MITM).

Another solution is to sign the httpd certificate with a CA that the
consumer trusts. You can do this by using your very own CA if you
install that CA public cert on the consumer, or you can buy a signed
certificate from any of the already trusted PKI vendors.

In my case, I've gone the route of having my own certificate
authority, so I can keep verify_ssl set to True, but I also don't have
to buy a certificate. It takes a little time to learn how to do it,
but once you know the ropes it's not that difficult. Besides saving
money, another benefit is that I don't have to wait on a third party
to have a signed certificate. In cases where you need the general
public to be able to establish trust, a custom CA isn't a great
solution since they won't have it installed, but I find it works well
for protecting myself when I'm the only user of a service.

- -- 
Randy Barlow
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVAxAAAAoJEIyFaKUJtmpickMP/RguJvDQrik+KNWQiyBFoA1B
/8/cw0kIMVBrxeJrMyAQ1F78ULOdHUJ0Tva8EWMIP60pMR3PfKiT0jJIPjPp30Ag
QblTDqkfNqb65yxYQ4rpFAezE8VH+8GWl2UFAZ6pJbwxWr/7rbTF/08dgw/qzv+f
6zTi0BNdAjrfG3Jm/mWtefbizCIwVr15ZbFoP28UsD4AsORIXj3/TMPT0xjvrelo
nOHNZ6CShz0r7MtIFaRzexp/MXGLnwH9c8F15d/M0jfQbzb/V/uoqIvsAnFX2+VF
On81e4BaOiggpCoKxMWZJkhgZWHhjC9reBYhZ6L88yFJhCCf9mwCC0WdTwBMCReU
9vLYd9OXAfD+PnvztYGhUC1astWSaR++lHU9ttRYG4nGsfFGhVM+iCydw2iimw7l
yojej3t97XU2L5TqUEZCZTR+UcfoJWRMyu2aryKcuoU7G2f/i2+gkylROaaZvSR9
xQi08zvxaQxDpscqlqHgvyXwbsqR4xy/W++3Rlzis2XZMskafrKZtVk1INQivo+i
cVIaNuu8+e3aFs74A5CsCxdAElN8wZPZOuu6i+WN+8jZYc9WkrsAQnuTw3i3cJRD
RGrldtTOQCU3g0al+gCNedMO7VYdNWMyqEbh+YdKwjBQwH6CmbE3z7KoIYW3qnoT
e5Q9aJ8YQeGAiY7EWXyh
=/mv4
-----END PGP SIGNATURE-----