Issue #1258
closed
if you attempt to use a concatenated cert and key, nectar will make the request sans cert+key
Description
I hit this issue when using a concatenated cert and key to pull content from an upstream repo. If you have a pem file that contains the SSL client certificate and the client key, and give that file as the --feed-cert parameter when creating a repo, everything will look OK but Pulp and Nectar will not actually use the cert during the request. This will make the request 401 or 403.
How to repro:
- obtain a client certificate and client key for an upstream repo
- concatenate the two files into cert_and_key.pem
- run curl, note that it works:
    curl --cacert /your/ca/cert.ca --cert ./cert_and_key.pem https://upstream.repo/path/to/repo/repodata/repomd.xml
- create a repo in pulp:
    pulp-admin rpm repo create --repo-id test --feed https://upstream.repo/path/to/repo/ --feed-cert ./cert_and_key.pem --feed-ca /your/ca/cert.ca
- sync repo
Expected result:
successful sync
Actual result:
Sync fails
Note: I have not dug into it in detail, but this area of nectar appears to not populate the cert on the request unless both the cert and key exist: https://github.com/pulp/nectar/blob/master/nectar/downloaders/threaded.py#L408-L409
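A pre-flight check for the situation this issue describes, added here as an example and not part of the original report or of Pulp or Nectar: it detects a PEM file that holds both a certificate and a private key and splits it, so the two can be supplied as separate files, in line with the reporter's note that the cert is only populated when both a cert and a key are set. The function names and the sample PEM are assumptions constructed for illustration.

```python
import re

# Matches one PEM block and captures its label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL
)


def split_pem(text):
    """Return (cert_pem, key_pem); either is None when that part is absent."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        if label == "CERTIFICATE":
            certs.append(match.group(0))      # keep any chain certificates too
        elif label.endswith("PRIVATE KEY"):   # RSA, EC, ENCRYPTED and PKCS#8 labels
            keys.append(match.group(0))
    if len(keys) > 1:
        raise ValueError("more than one private key in file")
    cert_pem = "\n".join(certs) + "\n" if certs else None
    key_pem = keys[0] + "\n" if keys else None
    return cert_pem, key_pem


def feed_cert_problem(text):
    """Say why this file is a poor choice as the client cert alone, or return None."""
    cert, key = split_pem(text)
    if cert is None:
        return "no CERTIFICATE block found"
    if key is not None:
        return "combined cert and key: supply them as two separate files"
    return None


# Constructed sample: the base64 bodies are placeholders, not real key material.
SAMPLE_COMBINED = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(feed_cert_problem(SAMPLE_COMBINED))
    cert_part, key_part = split_pem(SAMPLE_COMBINED)
    print(cert_part, key_part, sep="")
```

When writing the key part to disk, create the file with owner-only permissions (mode 0600) before writing to it.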
Updated by mhrivnak over 8 years ago
- Severity changed from 2. Medium to 1. Low
- Triaged changed from No to Yes
Updated by bmbouter about 5 years ago
- Status changed from NEW to CLOSED - WONTFIX
Updated by bmbouter about 5 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.