Issue #1258
closed
If you attempt to use a concatenated cert and key, nectar will make the request sans cert+key
Description
I hit this issue when using a concatenated cert and key to pull content from an upstream repo. If you have a pem file that contains the SSL client certificate and the client key, and give that file as the --feed-cert parameter when creating a repo, everything will look OK but Pulp and Nectar will not actually use the cert during the request. This will make the request 401 or 403.
How to repro:
- obtain a client certificate and client key for an upstream repo
- concatenate the two files into cert_and_key.pem
- run curl, note that it works:
    curl --cacert /your/ca/cert.ca --cert ./cert_and_key.pem https://upstream.repo/path/to/repo/repodata/repomd.xml
- create a repo in pulp:
    pulp-admin rpm repo create --repo-id test --feed https://upstream.repo/path/to/repo/ --feed-cert ./cert_and_key.pem --feed-ca /your/ca/cert.ca
- sync repo

Expected result:
successful sync

Actual result:
Sync fails
Note: I have not dug into it in detail, but this area of nectar appears to not populate the cert on the request unless both the cert and key exist: https://github.com/pulp/nectar/blob/master/nectar/downloaders/threaded.py#L408-L409
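
An added example, not part of the original issue and not nectar's code: a hypothetical helper, `resolve_client_cert`, that picks the value for the `cert=` argument of `requests`, accepts a concatenated cert+key bundle, and raises instead of silently sending the request without client authentication. The PEM files it is exercised with are constructed placeholders with dummy bodies, written by the hypothetical `write_sample_pem`.

```python
import re
import tempfile

# Matches PEM armour labels such as "CERTIFICATE" or "RSA PRIVATE KEY".
_PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def write_sample_pem(labels):
    """Write a constructed PEM file (dummy bodies, not real key material)."""
    fh = tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False)
    with fh:
        for label in labels:
            fh.write("-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n"
                     % (label, label))
    return fh.name


def pem_labels(path):
    """Return the PEM block labels found in the file, in order."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return _PEM_LABEL.findall(fh.read())


def resolve_client_cert(cert_path=None, key_path=None):
    """Hypothetical helper: choose the value for requests' `cert=` argument.

    Returns None (no client auth configured), a (cert, key) tuple, or a
    single path when the cert file is a concatenated cert+key bundle.
    Raises ValueError rather than dropping the client certificate.
    """
    if not cert_path:
        if key_path:
            raise ValueError("client key given without a client certificate")
        return None
    labels = pem_labels(cert_path)
    if "CERTIFICATE" not in labels:
        raise ValueError("%s contains no CERTIFICATE block" % cert_path)
    if key_path:
        return (cert_path, key_path)
    if any(label.endswith("PRIVATE KEY") for label in labels):
        # requests accepts one path to a PEM holding both cert and key.
        return cert_path
    raise ValueError("%s has no private key and no key file was given"
                     % cert_path)
```
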