Project

Profile

Help

Issue #1280

closed

vague error message if intermediate CA is used without full chain on content refresh

Added by cduryee almost 7 years ago. Updated over 3 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Python-requests uses a stricter CA check than curl, and requires a full CA chain instead of just the last CA in the chain. This can cause a great deal of confusion when setting up a content source.

For example, if I have a root CA certificate and then a server CA that was created off of that, I can use the server CA to download content just fine with curl. However, using that same cert with a content source will give the following error:

# pulp-admin content sources refresh
+----------------------------------------------------------------------+
                        Refresh Content Sources
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Refreshing content sources
[-]
RHUI v2 content from beav-rhui2-rhua
... failed
Content source content-rhui-v2 could not be found at
https://beav-rhui2-rhua/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2/os/

Task Failed

Task 1d5c5af3-d56b-4f5d-a32f-9eb9f0a40e69 encountered one or more failures during execution.

In order to figure out that it's a CA issue, you need to check the connection with openssl s_client, which will return "Verify return code: 2 (unable to get issuer certificate)" instead of "Verify return code: 21 (unable to verify the first certificate)". The Pulp log just says that it was unable to download the file without additional detail.

I understand that this is is a python-requests issue[1] but it caused me to burn a full day to find what was happening. It is especially tricky since curl will work.

It would be a better experience if Pulp obtained a more detailed error message from either python-requests (if available) or ssl, and bubbled that up to the user. That would at least give some hint as to what was happening.

[1] https://ixa.io/2015/04/22/using-an-ssl-intermediate-as-your-ca-cert-with-python-requests/

Actions #1

Updated by mhrivnak almost 7 years ago

  • Triaged changed from No to Yes
Actions #2

Updated by bmbouter over 3 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions #3

Updated by bmbouter over 3 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #4

Updated by bmbouter over 3 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF