[Pulp-list] Can't access API on fresh new pulp instance via https
Tim Black
timblaktu at gmail.com
Thu Nov 5 00:12:41 UTC 2020
I found this httpie issue <https://github.com/httpie/httpie/issues/480>,
basically, the certs I imported into debian aren't respected by httpie. So
I think I need to use --verify or --cert option of httpie.
But when I use --verify no, I get a 301:
[tblack-stretch]/home/tblack/pulpcerts/certs > http --verify no
https://pulp.biamp.com/pulp/api/v3/status
HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Nov 2020 00:07:19 GMT
Location: /pulp/api/v3/status/
Server: nginx/1.14.2
and if I use --cert to point to the pulp-generated CA cert I copied over
from pulp, I get a different httpie error, I believe indicating I'm using
the wrong format cert:
http: error: Error: [('PEM routines', 'get_name', 'no start line'), ('SSL
routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]
Thanks for your help.
On Wed, Nov 4, 2020 at 3:54 PM Tim Black <timblaktu at gmail.com> wrote:
> I have installed a new pulp instance using pulp.pulp_installer 3.8.1 and
> the below ansible play, which mostly uses defaults. The containing playbook
> runs to completion with no errors, but I get the following error trying to
> access the api status endpoint with httpie:
>
> [tblack-stretch]cmm/ansible/projects/pulp > http
> https://pulp.biamp.com/pulp/api/v3/status
> <https://pulp.mydomain.com/pulp/api/v3/status>
>
> http: error: SSLError: HTTPSConnectionPool(host='pulp.biamp.com
> <http://pulp.mydomain.com>', port=443): Max retries exceeded with url:
> /pulp/api/v3/status (Caused by SSLError(SSLError("bad handshake:
> Error([('SSL routines', 'tls_process_server_certificate', 'certificate
> verify failed')],)",),)) while doing GET request to URL:
> https://pulp.biamp.com/pulp/api/v3/status
> <https://pulp.mydomain.com/pulp/api/v3/status>
>
> It says it failed to verify the certificate. I've read the docs about ssl
> configuration
> <https://docs.pulpproject.org/pulpcore/installation/instructions.html#ssl>,
> and I have copied both the pulp-generated self-signed root CA and
> webserver certs from `/etc/pulp/certs/` to the client (tblack-stretch) I'm
> running httpie from. There, I imported the certs by placing them in
> /usr/local/share/ca-certificates/extra and running update-ca-certificates,
> but still got the same error.
>
> Here is my play that invokes pulp.pulp_installer.pulp_all_services. Any
> help would be appreciated. Thanks.
>
> - name: Install Pulp
> hosts: pulp_cluster
> vars:
> # Pulp Installer Variables Documentation:
> https://pulp-installer.readthedocs.io/en/3.8.1/#variables
> pulp_install_plugins:
> # IMPORTANT! Compatibility Between Pulpcore and Pulp Plugins Must be
> Manually Confirmed/Specified!
> #
> https://pulp-installer.readthedocs.io/en/3.8.1/#note-on-plugin-version-compatibility-with-pulpcore
> # There is a tool that helps you find the compatible plugin versions.
> # https://github.com/fao89/pdc
> pulp-ansible:
> version: 0.5.0
> pulp-container:
> version: 2.1.0
> pulp-deb:
> version: 2.7.0
> pulp-file:
> version: 1.3.0
> pulp-python:
> version: 3.0.0b11
> pulp_default_admin_password: "{{ pulp_admin_password }}"
> pulp_settings:
> secret_key: "{{ pulp_django_secret_key }}"
> content_origin: "https://{{ ansible_fqdn }}"
> pre_tasks:
> # The version string below is the highest of all those in roles'
> metadata:
> # "min_ansible_version". It needs to be kept manually up-to-date.
> - name: Verify Ansible meets min required version
> assert:
> that: "ansible_version.full is version_compare('2.8', '>=')"
> msg: >
> "You must update Ansible to at least 2.8 to use this version of
> Pulp 3 Installer."
> roles:
> - pulp.pulp_installer.pulp_all_services
> environment:
> DJANGO_SETTINGS_MODULE: pulpcore.app.settings
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20201104/3495b90b/attachment.htm>
More information about the Pulp-list
mailing list