If you attempt to use a concatenated cert and key, nectar will make the request sans cert+key
I hit this issue when using a concatenated cert and key to pull content from an upstream repo. If you have a pem file that contains the SSL client certificate and the client key, and give that file as the --feed-cert parameter when creating a repo, everything will look OK but Pulp and Nectar will not actually use the cert during the request. This will make the request 401 or 403.
How to repro:
1. obtain a client certificate and client key for an upstream repo
2. concatenate the two files into cert_and_key.pem
3. run curl, note that it works:
   curl --cacert /your/ca/cert.ca --cert ./cert_and_key.pem https://upstream.repo/path/to/repo/repodata/repomd.xml
4. create a repo in pulp:
   pulp-admin rpm repo create --repo-id test --feed https://upstream.repo/path/to/repo/ --feed-cert ./cert_and_key.pem --feed-ca /your/ca/cert.ca
Note: I have not dug into it in detail, but this area of nectar appears to not populate the cert on the request unless both the cert and key exist: https://github.com/pulp/nectar/blob/master/nectar/downloaders/threaded.py#L408-L409
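A pre-flight check for the situation reported above, as an added example that is not part of the original ticket and is not nectar or Pulp code: it detects a feed certificate file that also carries the private key and splits it into separate certificate and key files. The function names are hypothetical and the sample PEM blocks are constructed placeholders.

```python
import os
import re

# Matches one PEM block; the label (e.g. CERTIFICATE, RSA PRIVATE KEY) is group 1.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return (certs, keys): the certificate and private-key blocks in text."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        if label == "CERTIFICATE":
            certs.append(match.group(0))
        elif label.endswith("PRIVATE KEY"):
            keys.append(match.group(0))
    return certs, keys

def classify_feed_cert(cert_text, key_text=None):
    """Say whether a feed cert/key pair is usable as client credentials."""
    certs, keys = split_pem(cert_text)
    if not certs:
        return "no-certificate"
    if key_text is not None:
        return "ok" if split_pem(key_text)[1] else "key-file-has-no-key"
    # No separate key given: this is the case described in the ticket.
    return "combined-needs-split" if keys else "missing-key"

def write_split(cert_text, cert_path, key_path):
    """Write the certs and the first key from a combined PEM to two files."""
    certs, keys = split_pem(cert_text)
    if not certs or not keys:
        raise ValueError("input must contain a certificate and a private key")
    with open(cert_path, "w") as fh:
        fh.write("\n".join(certs) + "\n")
    # A newly created key file is owner read/write only; it holds secret material.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(keys[0] + "\n")

# Constructed sample input (placeholder bodies, not real key material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nTUlJQ2V4YW1wbGU=\n-----END CERTIFICATE-----"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nTUlJRWV4YW1wbGU=\n-----END RSA PRIVATE KEY-----"
SAMPLE_COMBINED = SAMPLE_CERT + "\n" + SAMPLE_KEY + "\n"

if __name__ == "__main__":
    print(classify_feed_cert(SAMPLE_COMBINED))          # combined file, no key given
    print(classify_feed_cert(SAMPLE_CERT, SAMPLE_KEY))  # separate cert and key
```
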
Updated by bmbouter over 3 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.