
Issue #2642

--auth-ca parameter on repo creation not working

Added by lenny 9 days ago. Updated 1 day ago.

Status: NEW
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Severity: 2. Medium
Version: 2.12.1
Platform Release:
Blocks Release:
OS: CentOS 7
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags:
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No

Description

Hi,

the --auth-ca parameter creates the local certificate files under /etc/pki/pulp/content, but client requests are still verified with the host CA.

You can find the setup on the mailing list: https://www.redhat.com/archives/pulp-list/2017-March/msg00004.html

Regards,

Rene

Attachment: dump - pulp-admin -vv rpm repo update (14.5 KB), lenny, 03/21/2017 04:14 PM

History

#1 Updated by mhrivnak 5 days ago

  • Blocks Release deleted (2.12.z)

#2 Updated by bizhang 5 days ago

Hi Lenny,

Can you try setting the auth_cert option: http://docs.pulpproject.org/plugins/pulp_rpm/tech-reference/yum-plugins.html#optional-configuration-parameters

If that doesn't work, can you send me the full REST API call you're using to create it (pass the -vv flag to pulp-admin and it will show you the REST API call) and I can take a look.

#3 Updated by lenny 5 days ago

Hi,

thanks for your effort.

The file must contain both the certificate itself and its private key.

I've combined the client cert and key file with cat into one file.

pulp-admin -vv rpm repo update --repo-id centos-x86_64-7.3.1611-base --relative-url testing/centos/7.3.1611/os/x86_64/ --feed http://ftp.tu-chemnitz.de/pub/linux/centos/7.3.1611/os/x86_64/ --auth-cert=client.cert --auth-ca=Pulp_CA.cert

You can find the output in the attachments.

pulp-admin repo list --detail

Shows me the certs and the protected: true state. The repository is still unprotected.

enabled: true

Set repo_auth.conf and restart httpd. All repositories are now protected.

/etc/pki/pulp/content/

Certs etc. are created by pulp in the content path.

curl -v --cert ./certs/Pulp_client.cert --key ./certs/Pulp_client.key https://my.server.name/pulp/repos/testing/centos/7.3.1611/os/x86_64/repodata/repomd.xml

curl: (56) Peer does not recognize and trust the CA that issued your certificate

The client certificate gets verified by the host CA file (Comodo CA).

#4 Updated by bizhang 1 day ago

  • Triaged changed from No to Yes

#5 Updated by bizhang 1 day ago

I was able to get this working by setting SSLVerifyClient to optional_no_ca in pulp_content.conf [0], since pulp_content was validating the client cert being passed with the Pulp CA instead of the repo CA.

We should also make a new blog post or update the old one with the correct steps [1]

Steps I took to make protected repos work:

vi /etc/pulp/repo_auth.conf
# Set enabled to true

vi /etc/httpd/conf.d/pulp_content.conf
# set SSLVerifyClient to optional_no_ca
# this is necessary because otherwise the client cert is rejected since it wasn't signed with the pulp CA

# restart apache

pulp-admin rpm repo create --repo-id=bar --relative-url=bar \
--feed=http://repos.fedorapeople.org/repos/pulp/pulp/demo_repos/zoo/ --auth-ca=/home/vagrant/certs/caPulp.crt

pulp-admin rpm repo publish run --repo-id=bar

[vagrant@dev ~]$ curl --user admin:admin https://dev.example.com/pulp/repos/bar/repodata/repomd.xml -i
HTTP/1.1 403 Forbidden
Date: Thu, 23 Mar 2017 19:43:57 GMT
Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2k-fips mod_wsgi/4.4.23 Python/2.7.13
Content-Length: 0
Content-Type: text/html; charset=utf-8

[vagrant@dev ~]$ curl https://dev.example.com/pulp/repos/bar/repodata/repomd.xml --cert /home/vagrant/certs/client.crt --key /home/vagrant/certs/client.key
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm"><revision>1490218171</revision>
<data type="filelists"><location href="repodata/3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d-filelists.xml.gz" /><timestamp>1490218171</timestamp><size>145</size><checksum type="sha256">3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d</checksum><open-size>124</open-size><open-checksum type="sha256">e2b3c5cc76abd55189dbe9be272ecb9b3cdbce84d32c2a03aa080d0ed6f8e511</open-checksum></data>
<data type="other"><location href="repodata/8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34-other.xml.gz" /><timestamp>1490218171</timestamp><size>140</size><checksum type="sha256">8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34</checksum><open-size>120</open-size><open-checksum type="sha256">b1715ac8e6eaca8d4194d6b3add82d483d6ef3e7e6a214d46e0ed22f30a006d4</open-checksum></data>
<data type="primary"><location href="repodata/8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787-primary.xml.gz" /><timestamp>1490218171</timestamp><size>151</size><checksum type="sha256">8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787</checksum><open-size>166</open-size><open-checksum type="sha256">9e9d5d6658e9c9221c3ee6116268f7445207f5c40b02d36f2a0991ac64889ee9</open-checksum></data>
<data type="updateinfo"><location href="repodata/36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5-updateinfo.xml.gz" /><timestamp>1490218171</timestamp><size>92</size><checksum type="sha256">36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5</checksum><open-size>51</open-size><open-checksum type="sha256">f5922ee6f9f76089a8135e281dbd0e88ae4765166a8b9c66659de709cc556f08</open-checksum></data>
<data type="group"><location href="repodata/a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70-comps.xml" /><timestamp>1490218171</timestamp><size>124</size><checksum type="sha256">a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70</checksum></data>
</repomd>
[vagrant@dev ~]$ 

[0] https://github.com/pulp/pulp/blob/master/server/etc/httpd/conf.d/pulp_content.conf#L16
[1] http://pulpproject.org/2011/05/18/pulp-protected-repositories/

#6 Updated by bmbouter 1 day ago

+1 to updating the old blog post. It would be a PR against this file: https://github.com/pulp/pulpproject.org/blob/gh-pages/_posts/2011-05-18-pulp-protected-repositories.md

#7 Updated by pthomas@redhat.com 1 day ago

  • Smash Test set to 605

#8 Updated by bizhang 1 day ago

I just tested this with a client cert signed by a different CA, and it looks like this feature is broken. I would expect the request to fail because client.crt has been signed with a different CA.crt, but instead it succeeds.

[vagrant@dev ~]$ curl https://dev.example.com/pulp/repos/bar/repodata/repomd.xml --cert /home/vagrant/certs2/client.crt --key /home/vagrant/certs2/client.key
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm"><revision>1490218171</revision>
<data type="filelists"><location href="repodata/3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d-filelists.xml.gz" /><timestamp>1490218171</timestamp><size>145</size><checksum type="sha256">3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d</checksum><open-size>124</open-size><open-checksum type="sha256">e2b3c5cc76abd55189dbe9be272ecb9b3cdbce84d32c2a03aa080d0ed6f8e511</open-checksum></data>
<data type="other"><location href="repodata/8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34-other.xml.gz" /><timestamp>1490218171</timestamp><size>140</size><checksum type="sha256">8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34</checksum><open-size>120</open-size><open-checksum type="sha256">b1715ac8e6eaca8d4194d6b3add82d483d6ef3e7e6a214d46e0ed22f30a006d4</open-checksum></data>
<data type="primary"><location href="repodata/8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787-primary.xml.gz" /><timestamp>1490218171</timestamp><size>151</size><checksum type="sha256">8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787</checksum><open-size>166</open-size><open-checksum type="sha256">9e9d5d6658e9c9221c3ee6116268f7445207f5c40b02d36f2a0991ac64889ee9</open-checksum></data>
<data type="updateinfo"><location href="repodata/36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5-updateinfo.xml.gz" /><timestamp>1490218171</timestamp><size>92</size><checksum type="sha256">36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5</checksum><open-size>51</open-size><open-checksum type="sha256">f5922ee6f9f76089a8135e281dbd0e88ae4765166a8b9c66659de709cc556f08</open-checksum></data>
<data type="group"><location href="repodata/a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70-comps.xml" /><timestamp>1490218171</timestamp><size>124</size><checksum type="sha256">a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70</checksum></data>
</repomd>
