Issue #1258

closed

if you attempt to use a concatenated cert and key, nectar will make the request sans cert+key

Added by cduryee over 8 years ago. Updated about 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Severity: 1. Low
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2

Description

I hit this issue when using a concatenated cert and key to pull content from an upstream repo. If you have a pem file that contains the SSL client certificate and the client key, and give that file as the --feed-cert parameter when creating a repo, everything will look OK but Pulp and Nectar will not actually use the cert during the request. This will make the request 401 or 403.

How to repro:

  • obtain a client certificate and client key for an upstream repo

  • concatenate the two files into cert_and_key.pem

  • run curl, note that it works:

    curl --cacert /your/ca/cert.ca --cert ./cert_and_key.pem https://upstream.repo/path/to/repo/repodata/repomd.xml
    
  • create a repo in pulp:

    pulp-admin rpm repo create --repo-id test --feed https://upstream.repo/path/to/repo/ --feed-cert ./cert_and_key.pem --feed-ca /your/ca/cert.ca
    
  • sync repo

Expected result:

successful sync

Actual result:

Sync fails

Note: I have not dug into it in detail, but this area of nectar appears to not populate the cert on the request unless both the cert and key exist: https://github.com/pulp/nectar/blob/master/nectar/downloaders/threaded.py#L408-L409
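A pre-flight check for the condition this report describes, added here as an example and not taken from the original issue or from Pulp or Nectar code: it inspects the file intended as the feed certificate, flags a concatenated cert+key bundle, and splits it so the two parts can be supplied separately. The function names, status strings and sample bundle are assumptions made for illustration.

```python
import re

# Matches one PEM block and captures its label,
# e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----",
    re.DOTALL,
)

def split_pem_bundle(text):
    """Return (cert_blocks, key_blocks) found in a PEM string."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        if label == "CERTIFICATE":
            certs.append(m.group(0) + "\n")
        elif label.endswith("PRIVATE KEY"):
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
            keys.append(m.group(0) + "\n")
    return certs, keys

def check_feed_cert(text, separate_key_given=False):
    """Classify a feed-cert file before a sync is attempted (hypothetical helper)."""
    certs, keys = split_pem_bundle(text)
    if not certs:
        return "no-certificate"
    if keys and not separate_key_given:
        # The case from this report: the key is embedded in the cert file.
        return "concatenated"
    if not keys and not separate_key_given:
        return "missing-key"
    return "ok"

# Constructed sample: placeholder base64 bodies, not real credentials.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(check_feed_cert(SAMPLE_BUNDLE))
    certs, keys = split_pem_bundle(SAMPLE_BUNDLE)
    print(len(certs), "certificate block(s),", len(keys), "key block(s)")
```

Running a check like this when the repo is created surfaces the problem immediately, instead of as a 401 or 403 during sync.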
