Issue #1280

closed

vague error message if intermediate CA is used without full chain on content refresh

Added by cduryee over 8 years ago. Updated almost 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Python-requests uses a stricter CA check than curl, and requires a full CA chain instead of just the last CA in the chain. This can cause a great deal of confusion when setting up a content source.

For example, if I have a root CA certificate and then a server CA that was created off of that, I can use the server CA to download content just fine with curl. However, using that same cert with a content source will give the following error:

# pulp-admin content sources refresh
+----------------------------------------------------------------------+
                        Refresh Content Sources
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Refreshing content sources
[-]
RHUI v2 content from beav-rhui2-rhua
... failed
Content source content-rhui-v2 could not be found at
https://beav-rhui2-rhua/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2/os/

Task Failed

Task 1d5c5af3-d56b-4f5d-a32f-9eb9f0a40e69 encountered one or more failures during execution.

In order to figure out that it's a CA issue, you need to check the connection with openssl s_client, which will return "Verify return code: 2 (unable to get issuer certificate)" instead of "Verify return code: 21 (unable to verify the first certificate)". The Pulp log just says that it was unable to download the file without additional detail.

I understand that this is a python-requests issue[1] but it caused me to burn a full day to find what was happening. It is especially tricky since curl will work.

It would be a better experience if Pulp obtained a more detailed error message from either python-requests (if available) or ssl, and bubbled that up to the user. That would at least give some hint as to what was happening.

[1] https://ixa.io/2015/04/22/using-an-ssl-intermediate-as-your-ca-cert-with-python-requests/
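The kind of diagnostic the report asks for, written here as an added example rather than code from Pulp, python-requests or the linked post: it digs the OpenSSL verify code out of the nested exceptions that requests raises and turns it into the hint a user would need ("verify code 2: append the root CA" instead of "could not be found at <url>"). The `VERIFY_HINTS` table, the `diagnose`, `probe` and `explain` names and the test-style messages are mine; the nesting it walks (an exception in `args`, a `reason` attribute, `__cause__`/`__context__`) is the shape urllib3's `MaxRetryError` and requests' `SSLError` use, and the `verify_code`/`verify_message` attributes are what Python 3.7+ sets on `ssl.SSLCertVerificationError` (older Pythons only carry the text, which is parsed as a fallback).

```python
import re
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes most often behind "certificate verify failed".
# The key is the number `openssl s_client` prints as "Verify return code".
VERIFY_HINTS = {
    2: ("unable to get issuer certificate",
        "a certificate in the chain has no issuer in the CA bundle; typically the "
        "bundle holds an intermediate CA but not its root, so append the root CA"),
    10: ("certificate has expired",
         "check the server certificate's notAfter date"),
    18: ("self signed certificate",
         "the server presents a self-signed leaf that is not in the CA bundle"),
    19: ("self signed certificate in certificate chain",
         "the chain ends in a root that is not in the CA bundle"),
    20: ("unable to get local issuer certificate",
         "the issuer of the leaf or intermediate is missing from the CA bundle; "
         "use the full chain (intermediate plus root) as the CA file"),
    21: ("unable to verify the first certificate",
         "the server sent only its leaf certificate and the bundle lacks the "
         "issuing CA"),
    62: ("hostname mismatch",
         "the certificate's subjectAltName does not cover the host contacted"),
}
_DEFAULT_HINT = "inspect the chain with: openssl s_client -connect HOST:443 -CAfile CA.pem"

# Message shapes produced by the ssl module: "certificate verify failed (_ssl.c:590)"
# on old Pythons, "certificate verify failed: <reason> (_ssl.c:1129)" on newer ones.
_MSG_RE = re.compile(
    r"certificate verify failed(?::\s*(?P<msg>[^(]+?))?\s*(?:\(_ssl\.c:\d+\))?$")


def _iter_causes(exc):
    """Depth-first walk over the exceptions requests/urllib3 nest inside each other:
    requests SSLError(args[0] = MaxRetryError) -> MaxRetryError.reason ->
    urllib3 SSLError -> __cause__/__context__ -> ssl.SSLCertVerificationError."""
    seen, stack = set(), [exc]
    while stack:
        e = stack.pop()
        if e is None or id(e) in seen:
            continue
        seen.add(id(e))
        yield e
        stack.extend(a for a in getattr(e, "args", ()) if isinstance(a, BaseException))
        reason = getattr(e, "reason", None)          # urllib3 MaxRetryError.reason
        if isinstance(reason, BaseException):
            stack.append(reason)
        stack.extend([e.__cause__, e.__context__])


def diagnose(exc):
    """Return (verify_code, verify_message, hint) for the certificate-verification
    failure buried anywhere inside `exc`, or None if there is none."""
    for e in _iter_causes(exc):
        if not isinstance(e, ssl.SSLError):
            continue
        code = getattr(e, "verify_code", None)       # set by Python >= 3.7
        msg = getattr(e, "verify_message", None)
        if msg is None:                              # older Pythons: parse the text
            m = _MSG_RE.search(str(e))
            if m is None:
                continue                             # an SSLError, but not a verify failure
            msg = (m.group("msg") or "").strip()
        if code is None:                             # recover the code from the text
            code = next((c for c, (text, _) in VERIFY_HINTS.items()
                         if text == msg.lower()), None)
        hint = VERIFY_HINTS[code][1] if code in VERIFY_HINTS else _DEFAULT_HINT
        return code, msg, hint
    return None


def explain(exc):
    """One-line message suitable for bubbling up to a CLI user."""
    d = diagnose(exc)
    if d is None:
        return "download failed: %s" % exc
    code, msg, hint = d
    return "TLS certificate verification failed (verify code %s: %s); %s" % (code, msg, hint)


def probe(host, port=443, cafile=None, timeout=10):
    """Handshake the way python-requests does (chain verification plus hostname
    check) and return the diagnosis tuple, or None when verification succeeds."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLError as exc:
        return diagnose(exc) or (None, str(exc),
                                 "TLS failure, but not a certificate verification error")


if __name__ == "__main__":
    # usage: python tls_diag.py HOST [CA_FILE]   (HOST is the content source host)
    print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

`probe` performs the same verification python-requests does, so running it with the content source's CA file reproduces the failure without a repo sync and reports the verify code directly; the fix it points at for codes 2, 20 and 21 is to hand the full chain (intermediate followed by root) to the content source as its CA file, which is what the linked post describes.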
