[Pulp-list] Pulp + FreeIPA = ?

Konstantin M. Khankin khankin.konstantin at gmail.com
Mon May 2 04:17:15 UTC 2016


Finally I decided to fall back to pulp-generated CA cert and key. I invoked
pulp-gen-ca-certificate and got the following:

[root at nms ~]# ls -lZ /etc/pki/pulp/
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 ca.crt
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 ca.key

To achieve this, I had to hard-code the CA_CRT variable in
pulp-gen-ca-certificate since the script was setting this variable to '#',
though I have the following in /etc/pulp/server.conf:
[security]
cacert: /etc/pki/pulp/ca.crt  # Deprecated! See above description for details.
cakey: /etc/pki/pulp/ca.key  # Deprecated! See above description for details.

The CA_KEY variable was set up correctly.

But even after I got new CA key and cert at correct paths, I still get the
following error:

RequestException: POST request on /pulp/api/v2/actions/login/ failed with 500 - error signing cert request:
Signature ok
subject=/CN=admin:admin:5571b5b4cfbac030922d8c3d
Getting CA Private Key
unable to load CA Private Key
139766116218784:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
unable to write 'random state'

I even tried to remove the comments after the setting values in server.conf -
no better.

Does anybody have any idea why this may be happening?

Thanks!

2016-04-15 23:27 GMT+03:00 Konstantin M. Khankin <khankin.konstantin at gmail.com>:

> So just for test purposes I extracted CA key from FreeIPA and installed it
> to pulp server. This is what I have in /etc/pulp/server.conf:
> [security]
> cacert: /etc/pki/tls/certs/ca.crt  # Deprecated! See above description for details.
> cakey: /etc/pki/pulp/ca.key  # Deprecated! See above description for details.
>
> I looked into pulp sources and found how it generates client certificates:
>         cmd = 'openssl x509 -req -sha1 -CA %s -CAkey %s -set_serial %s -days %d' % \
>               (ca_cert, ca_key, serial, expiration)
>         p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
>                              stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
>         output = p.communicate(input=req.as_pem())[0]
>
> So I decided to test that command manually to see if it works with
> exported CA key and cert:
> [root at nms ~]# sudo -u apache openssl x509 -req -sha1 -CA /etc/pki/tls/certs/ca.crt -CAkey /etc/pki/pulp/ca.key -set_serial 36 -days 10 < csr
> Signature ok
> subject=/C=US/ST=Utah/L=Lindon/O=DigiCert Inc./OU=DigiCert/CN=example.digicert.com
> Getting CA Private Key
> unable to write 'random state'
>
> The last error happens (probably) because apache user's home directory is
> not writable, but it's clear that apache user can access CA cert and key
> and use them together. But this is what I get when I try to log into pulp
> server:
> [root at nms ~]# pulp-admin -v login -u admin
> Enter password:
> 2016-04-16 01:23:49,780 - ERROR - Exception occurred:
>         href:      /pulp/api/v2/actions/login/
>         method:    POST
>         status:    500
>         error:     error signing cert request: Signature ok
> subject=/CN=admin:admin:5571b5b4cfbac030922d8c3d
> Getting CA Private Key
> unable to load CA Private Key
> 140076687837088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
> unable to write 'random state'
>
>         traceback: [u'  File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response\n    response = wrapped_callback(request, *callback_args, **callback_kwargs)\n',
>                     u'  File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view\n    return self.dispatch(request, *args, **kwargs)\n',
>                     u'  File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch\n    return handler(request, *args, **kwargs)\n',
>                     u'  File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 241, in _auth_decorator\n    return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)\n',
>                     u'  File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 195, in _verify_auth\n    value = method(self, *args, **kwargs)\n',
>                     u'  File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/root_actions.py", line 25, in post\n    key, certificate = factory.cert_generation_manager().make_admin_user_cert(user)\n',
>                     u'  File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 31, in make_admin_user_cert\n    return self.make_cert(self.encode_admin_user(user), expiration)\n',
>                     u'  File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 85, in make_cert\n    raise Exception("error signing cert request: %s" % output)\n']
>         data:      {}
>
> An internal error occurred on the Pulp server:
>
> RequestException: POST request on /pulp/api/v2/actions/login/ failed with 500 - error signing cert request:
> Signature ok
> subject=/CN=admin:admin:5571b5b4cfbac030922d8c3d
> Getting CA Private Key
> unable to load CA Private Key
> 140076687837088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
> unable to write 'random state'
>
> I have PAM authentication enabled to give access to IPA users, and user
> 'admin' is configured as pulp admin. But for some reason pulp is not able
> to generate a certificate. I've tried to restart all pulp processes and
> httpd multiple times already. Tried to disable SELinux (and enabled it back
> since it didn't change anything). Do you have any idea why this error could
> occur?
>
> Thanks!
>
> 2016-04-15 22:29 GMT+03:00 Konstantin M. Khankin <khankin.konstantin at gmail.com>:
>
>> Hi!
>>
>> I'm trying to use FreeIPA PKI for pulp. I successfully installed all
>> certificates/keys on consumers and set up httpd to use the correct
>> certificates/keys, but faced a problem - pulp wants to have CA superpowers
>> to sign client certificates, even though the config file and documentation both
>> say that this function is deprecated.
>>
>> Can I somehow disable certificate signing attempts in pulp so that it is
>> able to use the existing PKI?
>>
>> Thanks!
>>
>> --
>> Konstantin Khankin
>>
>
>
>
> --
> Konstantin Khankin
>



-- 
Ханкин Константин
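Added example (not Pulp's own code) built around the signing snippet quoted in the thread, where a command string formatted from configuration values is run with shell=True. It shows how a value that still carries its inline "# Deprecated! ..." comment is tokenised by a POSIX shell (everything from the "#" on, including -CAkey, is dropped, after which openssl looks for the CA key inside the -CA file and reports "no start line"), next to a hardened argv form. That the inline comment actually reaches openssl is my reading of the quoted errors, not something the thread confirms, and the sample values below are constructed.

```python
import shlex
import subprocess

# Constructed sample values: the thread's server.conf lines as a parser that
# keeps '#' inline comments would hand them over (Python 2's ConfigParser only
# strips ';' inline comments, so this is plausible but an assumption here).
CA_CERT = "/etc/pki/pulp/ca.crt  # Deprecated! See above description for details."
CA_KEY = "/etc/pki/pulp/ca.key  # Deprecated! See above description for details."


def build_shell_command(ca_cert, ca_key, serial, expiration):
    """The pattern quoted from Pulp: one string, later run with shell=True."""
    return 'openssl x509 -req -sha1 -CA %s -CAkey %s -set_serial %s -days %d' % (
        ca_cert, ca_key, serial, expiration)


def shell_argv(cmd):
    """Tokenise the string the way /bin/sh would: with comments=True a '#'
    that starts a word discards the rest of the line, including -CAkey."""
    return shlex.split(cmd, comments=True)


def strip_inline_comment(value):
    """Remove a trailing '# ...' comment from a configuration value."""
    return value.split("#", 1)[0].strip()


def build_argv(ca_cert, ca_key, serial, expiration):
    """Hardened form: cleaned values in an argv list, so nothing is
    re-interpreted by a shell and every option reaches openssl."""
    return ["openssl", "x509", "-req", "-sha1",
            "-CA", strip_inline_comment(ca_cert),
            "-CAkey", strip_inline_comment(ca_key),
            "-set_serial", str(serial), "-days", str(expiration)]


def sign_csr(argv, csr_pem):
    """Run the argv form with the CSR on stdin (needs openssl installed);
    returns (exit status, combined output) instead of raising."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    out = p.communicate(csr_pem)[0]
    return p.returncode, out


if __name__ == "__main__":
    print("shell sees:", shell_argv(build_shell_command(CA_CERT, CA_KEY, 36, 10)))
    print("argv form: ", build_argv(CA_CERT, CA_KEY, 36, 10))
```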