Issue #2642

closed

--auth-ca parameter on repo creation not working

Added by lenny about 7 years ago. Updated almost 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: 2.12.1
Platform Release:
OS: CentOS 7
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Hi,

the --auth-ca parameter creates the local certificate files under /etc/pki/pulp/content, but client requests are still verified with the host CA.

You can find the setup on the mailing list: https://www.redhat.com/archives/pulp-list/2017-March/msg00004.html

Regards,

Rene


Files

dump (14.5 KB): output of pulp-admin -vv rpm repo update; uploaded by lenny, 03/21/2017 04:14 PM

#2

Updated by bizhang almost 7 years ago

Hi Lenny,

Can you try setting the auth_cert option: http://docs.pulpproject.org/plugins/pulp_rpm/tech-reference/yum-plugins.html#optional-configuration-parameters

If that doesn't work, can you send me the full REST API call you're using to create it (pass the -vv command via pulp-admin and it will show you the REST API call) and I can take a look.

#3

Updated by lenny almost 7 years ago

Hi,

thanks for your effort.

The file must contain both the certificate itself and its private key.

I've combined the client cert and key file with cat into one file.

pulp-admin -vv rpm repo update --repo-id centos-x86_64-7.3.1611-base --relative-url testing/centos/7.3.1611/os/x86_64/ --feed http://ftp.tu-chemnitz.de/pub/linux/centos/7.3.1611/os/x86_64/ --auth-cert=client.cert --auth-ca=Pulp_CA.cert

You can find the output in the attachments.

pulp-admin repo list --detail

Shows me the certs and the protected: true state. The repository is still unprotected.

enabled: true

Set repo_auth.conf and restart httpd. All repositories are now protected.

/etc/pki/pulp/content/

Cert etc. are created by pulp in content path.

curl -v --cert ./certs/Pulp_client.cert --key ./certs/Pulp_client.key https://my.server.name/pulp/repos/testing/centos/7.3.1611/os/x86_64/repodata/repomd.xml

curl: (56) Peer does not recognize and trust the CA that issued your certificate

The client certificate gets verified by the host CA file (Comodo CA).

#4

Updated by bizhang almost 7 years ago

  • Triaged changed from No to Yes
#5

Updated by bizhang almost 7 years ago

I was able to get this working by setting SSLVerifyClient to optional_no_ca in pulp_content.conf [0], since pulp_content was validating the client cert being passed with the Pulp CA instead of the repo CA.

We should also make a new blog post or update the old one with the correct steps [1]

Steps I took to make protected repos work:


vi /etc/pulp/repo_auth.conf
# Set enabled to true

vi /etc/httpd/conf.d/pulp_content.conf
# set SSLVerifyClient to optional_no_ca
# this is necessary because otherwise the client cert is rejected since it wasn't signed with the pulp CA

# restart apache

pulp-admin rpm repo create --repo-id=bar --relative-url=bar \
--feed=http://repos.fedorapeople.org/repos/pulp/pulp/demo_repos/zoo/ --auth-ca=/home/vagrant/certs/caPulp.crt

pulp-admin rpm repo publish run --repo-id=bar

[vagrant@dev ~]$ curl --user admin:admin https://dev.example.com/pulp/repos/bar/repodata/repomd.xml -i
HTTP/1.1 403 Forbidden
Date: Thu, 23 Mar 2017 19:43:57 GMT
Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2k-fips mod_wsgi/4.4.23 Python/2.7.13
Content-Length: 0
Content-Type: text/html; charset=utf-8

[vagrant@dev ~]$ curl https://dev.example.com/pulp/repos/bar/repodata/repomd.xml --cert /home/vagrant/certs/client.crt --key /home/vagrant/certs/client.key
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm"><revision>1490218171</revision>
<data type="filelists"><location href="repodata/3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d-filelists.xml.gz" /><timestamp>1490218171</timestamp><size>145</size><checksum type="sha256">3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d</checksum><open-size>124</open-size><open-checksum type="sha256">e2b3c5cc76abd55189dbe9be272ecb9b3cdbce84d32c2a03aa080d0ed6f8e511</open-checksum></data>
<data type="other"><location href="repodata/8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34-other.xml.gz" /><timestamp>1490218171</timestamp><size>140</size><checksum type="sha256">8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34</checksum><open-size>120</open-size><open-checksum type="sha256">b1715ac8e6eaca8d4194d6b3add82d483d6ef3e7e6a214d46e0ed22f30a006d4</open-checksum></data>
<data type="primary"><location href="repodata/8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787-primary.xml.gz" /><timestamp>1490218171</timestamp><size>151</size><checksum type="sha256">8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787</checksum><open-size>166</open-size><open-checksum type="sha256">9e9d5d6658e9c9221c3ee6116268f7445207f5c40b02d36f2a0991ac64889ee9</open-checksum></data>
<data type="updateinfo"><location href="repodata/36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5-updateinfo.xml.gz" /><timestamp>1490218171</timestamp><size>92</size><checksum type="sha256">36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5</checksum><open-size>51</open-size><open-checksum type="sha256">f5922ee6f9f76089a8135e281dbd0e88ae4765166a8b9c66659de709cc556f08</open-checksum></data>
<data type="group"><location href="repodata/a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70-comps.xml" /><timestamp>1490218171</timestamp><size>124</size><checksum type="sha256">a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70</checksum></data>
</repomd>
[vagrant@dev ~]$ 

[0] https://github.com/pulp/pulp/blob/master/server/etc/httpd/conf.d/pulp_content.conf#L16
[1] http://pulpproject.org/2011/05/18/pulp-protected-repositories/

#6

Updated by bmbouter almost 7 years ago

+1 to updating the old blog post. It would be a PR against this file: https://github.com/pulp/pulpproject.org/blob/gh-pages/_posts/2011-05-18-pulp-protected-repositories.md

#8

Updated by bizhang almost 7 years ago

I just tested this with a client cert signed by a different CA, and it looks like this feature is broken. I would expect the request to fail because client.crt has been signed with a different CA.crt, but instead it succeeds.

[vagrant@dev ~]$ curl https://dev.example.com/pulp/repos/bar/repodata/repomd.xml --cert /home/vagrant/certs2/client.crt --key /home/vagrant/certs2/client.key
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm"><revision>1490218171</revision>
<data type="filelists"><location href="repodata/3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d-filelists.xml.gz" /><timestamp>1490218171</timestamp><size>145</size><checksum type="sha256">3c5a3d87d0e93a6a3f0aceb78095c84df594a4b68d1fda1dae3117ad5b6eac3d</checksum><open-size>124</open-size><open-checksum type="sha256">e2b3c5cc76abd55189dbe9be272ecb9b3cdbce84d32c2a03aa080d0ed6f8e511</open-checksum></data>
<data type="other"><location href="repodata/8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34-other.xml.gz" /><timestamp>1490218171</timestamp><size>140</size><checksum type="sha256">8a52c39f87df76e9b57185dacdec14654a001f4e0f23a6d2cbdf642c7a157e34</checksum><open-size>120</open-size><open-checksum type="sha256">b1715ac8e6eaca8d4194d6b3add82d483d6ef3e7e6a214d46e0ed22f30a006d4</open-checksum></data>
<data type="primary"><location href="repodata/8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787-primary.xml.gz" /><timestamp>1490218171</timestamp><size>151</size><checksum type="sha256">8dc7807b1f58effa31df6df5da80ea87731ecf600c2becf47166115d91f93787</checksum><open-size>166</open-size><open-checksum type="sha256">9e9d5d6658e9c9221c3ee6116268f7445207f5c40b02d36f2a0991ac64889ee9</open-checksum></data>
<data type="updateinfo"><location href="repodata/36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5-updateinfo.xml.gz" /><timestamp>1490218171</timestamp><size>92</size><checksum type="sha256">36f5de7bdf0db8ae637f641dc862535811a9c616d2470ba69baf0ede722283e5</checksum><open-size>51</open-size><open-checksum type="sha256">f5922ee6f9f76089a8135e281dbd0e88ae4765166a8b9c66659de709cc556f08</open-checksum></data>
<data type="group"><location href="repodata/a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70-comps.xml" /><timestamp>1490218171</timestamp><size>124</size><checksum type="sha256">a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70</checksum></data>
</repomd>
#9

Updated by balonik about 6 years ago

I spent several hours trying to set up protected repos using 2.14.3 and I must say that it's not working at all.
The referenced blog post from 2011 is using an incorrect OID value.
1.3.6.1.4.1.2312.9.2.0000.1.6=ASN1:UTF8:repos/myRepo/
should be only
1.3.6.1.4.1.2312.9.2.0000.1.6=ASN1:UTF8:myRepo/
because Pulp strips the pulp/repos/ from the request as I found in bug report from 2012 - https://bugzilla.redhat.com/show_bug.cgi?id=790157

You cannot have unprotected repos when switching 'enabled: true' in /etc/pulp/repo_auth.conf. All repos require client cert with the extension from that point on (I must look why this works on RHUI3).

I don't trust the options --host-ca, --auth-ca and --auth-cert at all.
--auth-cert - I have used a different certificate than the one provided in the repo create command, with configured OIDs, and it worked
--host-ca - I don't understand how this can be of importance to client verification
--auth-ca - this is ignored as well, I have used different CA cert in the repo create command, but the client cert is always checked against the cacert value in server.conf
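The observations in comments #5, #8 and #9 come down to what the content server's own authorization step has to do: once Apache runs with SSLVerifyClient optional_no_ca it no longer checks the certificate chain, and the entitlement OID must carry the repo path with pulp/repos/ already stripped, otherwise a correctly signed certificate is still refused. The following Python model of that step is an added example, not Pulp's code: CONTENT_PREFIX, repo_relative_path, authorize_request and the sample entitlement values are constructed for illustration, the entitlement strings stand in for values already extracted from the certificate extension (no certificate parsing is done), and the cryptographic check of the client certificate against the repository's --auth-ca is assumed to happen before this step.

```python
import posixpath

# Prefix the content server strips from the request before comparing it with
# the certificate's entitlement paths (the behaviour comment #9 describes).
CONTENT_PREFIX = "/pulp/repos/"


def repo_relative_path(request_path):
    """Normalize the request path and strip CONTENT_PREFIX.

    Returns the repo-relative path ("myRepo/repodata/repomd.xml"), "" for the
    content root, or None when the normalized request lies outside the prefix.
    posixpath.normpath collapses "." and ".." first, so a request such as
    "myRepo/../../../etc/passwd" is judged on where it actually points.
    """
    norm = posixpath.normpath(request_path)
    if norm == CONTENT_PREFIX.rstrip("/"):
        return ""
    if not norm.startswith(CONTENT_PREFIX):
        return None
    return norm[len(CONTENT_PREFIX):]


def authorize_request(request_path, entitlements):
    """Allow the request if it falls under one of the entitlement paths.

    ``entitlements`` is the list of values that would be read from the client
    certificate's 1.3.6.1.4.1.2312.9.2.<n>.1.6 extensions (hypothetical input;
    this example does not parse certificates).
    """
    relative = repo_relative_path(request_path)
    if relative is None:
        return False
    for ent in entitlements:
        ent = ent.strip("/")
        if not ent:
            # An empty entitlement would otherwise match every repo.
            continue
        # Exact repo root, or anything below it. The trailing slash keeps an
        # entitlement for "myRepo/" from also covering "myRepo2/".
        if relative == ent or relative.startswith(ent + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests and entitlements (not taken from a real cert).
    cases = [
        ("/pulp/repos/myRepo/repodata/repomd.xml", ["myRepo/"]),        # blog OID value fixed as in #9
        ("/pulp/repos/myRepo/repodata/repomd.xml", ["repos/myRepo/"]),  # value from the 2011 blog post
        ("/pulp/repos/myRepo2/repodata/repomd.xml", ["myRepo/"]),       # sibling repo, same prefix
        ("/pulp/repos/myRepo/../../../etc/passwd", ["myRepo/"]),        # escapes the content prefix
        ("/pulp/repos/testing/centos/7.3.1611/os/x86_64/repodata/repomd.xml",
         ["testing/centos/"]),                                         # nested relative-url from #3
    ]
    for path, ents in cases:
        verdict = "allow" if authorize_request(path, ents) else "deny"
        print(f"{verdict:5} {path}  entitlements={ents}")
```

The second case reproduces comment #9: with the blog post's `repos/myRepo/` value the entitlement never matches the stripped path, so a certificate the server should accept is denied. Nothing here replaces the chain verification that `optional_no_ca` turns off in Apache; if that check is not performed elsewhere, any certificate carrying a matching entitlement value is accepted, which is exactly what comment #8 observed.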

#10

Updated by bmbouter almost 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#11

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
