[Pulp-list] Pulp + FreeIPA = ?

Konstantin M. Khankin khankin.konstantin at gmail.com
Fri Apr 15 20:27:10 UTC 2016


So just for test purposes I extracted the CA key from FreeIPA and installed it
on the pulp server. This is what I have in /etc/pulp/server.conf:
[security]
cacert: /etc/pki/tls/certs/ca.crt  # Deprecated! See above description for details.
cakey: /etc/pki/pulp/ca.key  # Deprecated! See above description for details.

I looked into the pulp sources and found how it generates client certificates:
        cmd = 'openssl x509 -req -sha1 -CA %s -CAkey %s -set_serial %s -days %d' % \
              (ca_cert, ca_key, serial, expiration)
        p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        output = p.communicate(input=req.as_pem())[0]

So I decided to test that command manually to see if it works with the exported
CA key and cert:
[root at nms ~]# sudo -u apache openssl x509 -req -sha1 -CA /etc/pki/tls/certs/ca.crt -CAkey /etc/pki/pulp/ca.key -set_serial 36 -days 10 < csr
Signature ok
subject=/C=US/ST=Utah/L=Lindon/O=DigiCert Inc./OU=DigiCert/CN=example.digicert.com
Getting CA Private Key
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
unable to write 'random state'

The last error happens (probably) because the apache user's home directory is
not writable, but it's clear that the apache user can access the CA cert and key
and use them together. But this is what I get when I try to log into the pulp
server:
[root at nms ~]# pulp-admin -v login -u admin
Enter password:
2016-04-16 01:23:49,780 - ERROR - Exception occurred:
        href:      /pulp/api/v2/actions/login/
        method:    POST
        status:    500
        error:     error signing cert request: Signature ok
subject=/CN=admin:admin:5571b5b4cfbac030922d8c3d
Getting CA Private Key
unable to load CA Private Key
140076687837088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
unable to write 'random state'

        traceback:
          File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
            response = wrapped_callback(request, *callback_args, **callback_kwargs)
          File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view
            return self.dispatch(request, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch
            return handler(request, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 241, in _auth_decorator
            return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 195, in _verify_auth
            value = method(self, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/root_actions.py", line 25, in post
            key, certificate = factory.cert_generation_manager().make_admin_user_cert(user)
          File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 31, in make_admin_user_cert
            return self.make_cert(self.encode_admin_user(user), expiration)
          File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 85, in make_cert
            raise Exception("error signing cert request: %s" % output)
        data:      {}

An internal error occurred on the Pulp server:

RequestException: POST request on /pulp/api/v2/actions/login/ failed with 500 - error signing cert request:
Signature ok
subject=/CN=admin:admin:5571b5b4cfbac030922d8c3d
Getting CA Private Key
unable to load CA Private Key
140076687837088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
unable to write 'random state'

I have PAM authentication enabled to give access to IPA users, and user
'admin' is configured as the pulp admin. But for some reason pulp is not able
to generate a certificate. I've tried restarting all pulp processes and
httpd multiple times already. I tried disabling SELinux (and enabled it back
since it didn't change anything). Do you have any idea why this error could
occur?

Thanks!

2016-04-15 22:29 GMT+03:00 Konstantin M. Khankin <khankin.konstantin at gmail.com>:

> Hi!
>
> I'm trying to use FreeIPA PKI for pulp. I successfully installed all
> certificates/keys on consumers and set up httpd to use the correct
> certificates/keys, but faced a problem - pulp wants to have CA superpowers
> to sign client certificates, even though the config file and documentation both
> say that this function is deprecated.
>
> Can I somehow disable certificate signing attempts in pulp so that it is
> able to use existing PKI?
>
> Thanks!
>
> --
> Konstantin Khankin
>



-- 
Konstantin Khankin
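Added example (not Pulp's own code) showing two things worth checking in this mail: what a stock ConfigParser returns for the [security] section exactly as quoted above, and what /bin/sh then hands to openssl when that value is interpolated into a shell=True command string the way the quoted Pulp snippet does. Since '#' starts a comment in sh, every argument after the first inline comment, -CAkey included, is dropped, and openssl x509 then expects the private key inside the -CA file, which is exactly the "unable to load CA Private Key ... Expecting: ANY PRIVATE KEY" output above. The config text is constructed from the mail and safe_argv is a hypothetical hardened builder.

```python
import configparser
import os
import shlex

# Constructed sample of the [security] section quoted in the mail, with each
# inline comment on the same line as its value (the mail client wrapped it).
SERVER_CONF = """
[security]
cacert: /etc/pki/tls/certs/ca.crt  # Deprecated! See above description for details.
cakey: /etc/pki/pulp/ca.key  # Deprecated! See above description for details.
"""

def read_security(conf_text):
    """Return (cacert, cakey) as a stock ConfigParser reads them.
    Python 2's ConfigParser treats only ';' as an inline comment marker and
    Python 3's configparser strips none by default, so the '# Deprecated! ...'
    tail stays inside each value."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("security", "cacert"), cp.get("security", "cakey")

def shell_command(ca_cert, ca_key, serial, days):
    """Build the command string the way the quoted Pulp code does."""
    return "openssl x509 -req -sha1 -CA %s -CAkey %s -set_serial %s -days %d" % (
        ca_cert, ca_key, serial, days)

def effective_argv(cmd):
    """Argument vector /bin/sh hands to openssl: '#' starts a shell comment,
    so everything from the first comment onwards, -CAkey included, is gone."""
    return shlex.split(cmd, comments=True)

def missing_paths(*paths):
    """Config paths that do not name a regular file."""
    return [p for p in paths if not os.path.isfile(p)]

def safe_argv(ca_cert, ca_key, serial, days):
    """Hypothetical hardened builder: verify the files, then return an argv
    list for Popen without shell=True so '#' or spaces cannot drop arguments."""
    missing = missing_paths(ca_cert, ca_key)
    if missing:
        raise FileNotFoundError("CA file(s) not found: %r" % missing)
    return ["openssl", "x509", "-req", "-sha1", "-CA", ca_cert, "-CAkey", ca_key,
            "-set_serial", str(serial), "-days", str(days)]

if __name__ == "__main__":
    cert, key = read_security(SERVER_CONF)
    print(effective_argv(shell_command(cert, key, 36, 10)))
```

Running it prints only the first six words of the command, which is why the manual test (typed without the comment) succeeds while the same command built from the config file fails.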