
Issue #3256

closed

all sslclientcert in pulp.repo are called client.crt

Added by balonik over 6 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.18.0
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Hi,

When binding pulp consumer to more protected repositories, all sslclientcert in pulp.repo are named 'client.crt'.
This causes the old curl/yum error:
Error: sslclientcert basename shared between foo and bar

Environment:
RHEL 7.4
pulp-consumer-client-2.14.3-1.el7.noarch

Steps on the Pulp server:
Create entitlement certs as per https://pulpproject.org/2011/05/18/pulp-protected-repositories/

  1. pulp-admin rpm repo create --repo-id=foo --display-name=foo --relative-url=foo --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/foo.crt
  2. pulp-admin rpm repo create --repo-id=bar --display-name=bar --relative-url=bar --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/bar.crt
  3. pulp-admin rpm repo publish run --repo-id=foo
  4. pulp-admin rpm repo publish run --repo-id=bar

Expected Result:
On the Pulp consumer, register it against the server and bind the repositories.

  # pulp-consumer rpm bind --repo-id=foo
  Bind tasks successfully created:

  Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f

  # pulp-consumer rpm bind --repo-id=bar
  Bind tasks successfully created:

  Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e

  # yum repolist
  <normal yum output here>

Actual result:
On the Pulp consumer, register it against the server and bind the repositories.

  # pulp-consumer rpm bind --repo-id=foo
  Bind tasks successfully created:

  Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f

  # pulp-consumer rpm bind --repo-id=bar
  Bind tasks successfully created:

  Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e

  # yum repolist
  Loaded plugins: langpacks, pulp-profile-update
  Error: sslclientcert basename shared between foo and bar

Content of pulp.repo:

  # cat /etc/yum.repos.d/pulp.repo
  #
  # Pulp Repositories
  # Managed by Pulp client
  #

  [foo]
  name = foo
  enabled = 1
  sslverify = 1
  gpgcheck = 0
  sslcacert = /etc/pki/tls/certs/ca-bundle.crt
  sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
  baseurl = https://pulpserver/pulp/repos/foo

  [bar]
  name = bar
  enabled = 1
  sslverify = 1
  gpgcheck = 0
  sslcacert = /etc/pki/tls/certs/ca-bundle.crt
  sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
  baseurl = https://pulpserver/pulp/repos/bar

Actions #1

Updated by bmbouter over 6 years ago

  • Triaged changed from No to Yes

Thanks for filing such a great bug description. I think the change would be backwards incompatible, but since it's a bug and it requires that change I believe semver.org allows us to make that change anyway. We should call out the change in the release notes though. Practically speaking I don't think the change will disturb many users.

I think the repo name could be used as the filename. So the cert would be called foo/foo.cert instead of foo/client.crt.

@balonik, is there any way you would be able to send a fix for this issue? The core devs could help guide and review it. If you're interested in that (or if someone else is), come into #pulp-dev on irc and we can talk about how to fix it.

Actions #2

Updated by balonik about 6 years ago

Hi,
I can try to come up with a fix. Against which branch in GitHub should the PR be raised?

Actions #3

Updated by ttereshc about 6 years ago

@balonik, please, open PRs against master branch for any fixes in Pulp 2. Thanks!

Actions #5

Updated by dalley almost 6 years ago

  • Status changed from NEW to POST
  • Assignee set to balonik

Added by balonik over 5 years ago

Revision 6728a935 | View on GitHub

Avoid client certificate basenames shared between repos

Some older versions of the Yum client (such as those shipped with RedHat/CentOS 7) are compiled against nss, which in turn considers certificates with the same basename to be the same certificate [1,2,3,4]. Pulp using repo directories to namespace client certificates (e.g. /etc/pki/pulp/client/repo/foo/client.crt) leads to Yum refusing to use multiple protected repos simultaneously.

This patch works around the situation by generating cert file basenames with the repository name as a prefix.

Fixes: #3256 https://pulp.plan.io/issues/3256

[1] http://yum-devel.baseurl.narkive.com/pTxDzeaR/patch-document-basename-checking-of-ssl-cert-files
[2] https://github.com/jbraeuer/yum-s3/blob/master/SOURCES/BZ-695427-basename-cert-warn-check.patch#L51
[3] http://lists.baseurl.org/pipermail/yum-devel/2012-December/009818.html
[4] https://bugzilla.redhat.com/show_bug.cgi?id=885159
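The two technical points of this issue, the basename check behind yum's "sslclientcert basename shared" error in the description above and the repo-prefixed certificate filename the commit adopts as a workaround, as an added Python example. This is not Pulp's own code and not part of the report or the commit: it parses a constructed copy of the pulp.repo from the description, reports sslclientcert basenames shared between enabled repos (which is what an affected yum refuses to run with), and rewrites them to a per-repo basename. The helper names and the exact `<repo>.crt` filename are assumptions for illustration; the page does not show the filename Pulp's fix generates, only that the repo name is used as a prefix.

```python
import configparser
import io
import os
from collections import defaultdict

# Constructed sample: the pulp.repo from the bug report, where both repos
# point at a file named client.crt in different directories.
PULP_REPO_BEFORE = """\
#
# Pulp Repositories
# Managed by Pulp client
#

[foo]
name = foo
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
baseurl = https://pulpserver/pulp/repos/foo

[bar]
name = bar
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
baseurl = https://pulpserver/pulp/repos/bar
"""


def client_cert_path(repo_id, cert_dir="/etc/pki/pulp/client/repo", prefix_with_repo=True):
    """Build the client cert path for a bound repo (hypothetical helper).

    prefix_with_repo=False reproduces the pre-fix layout, <repo>/client.crt,
    whose basename collides across repos. True applies the repo-prefixed
    naming described in the fix; "<repo>.crt" is an assumed concrete form.
    """
    basename = f"{repo_id}.crt" if prefix_with_repo else "client.crt"
    return os.path.join(cert_dir, repo_id, basename)


def _parse_repo_file(repo_text):
    # A yum .repo file is INI-like; configparser is close enough for this check.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_text)
    return cfg


def shared_cert_basenames(repo_text):
    """Return {basename: [repo ids]} for every sslclientcert basename used by
    more than one enabled repo. A non-empty result is the condition under
    which an nss-linked yum reports the error quoted in the bug."""
    cfg = _parse_repo_file(repo_text)
    by_basename = defaultdict(list)
    for section in cfg.sections():
        if cfg.get(section, "enabled", fallback="1") != "1":
            continue  # disabled repos do not take part in yum's check
        cert = cfg.get(section, "sslclientcert", fallback=None)
        if cert:
            by_basename[os.path.basename(cert)].append(section)
    return {b: repos for b, repos in by_basename.items() if len(repos) > 1}


def rewrite_with_repo_prefix(repo_text):
    """Return the repo file text with each sslclientcert renamed to
    <dir>/<repo>.crt, keeping the per-repo directory namespace."""
    cfg = _parse_repo_file(repo_text)
    for section in cfg.sections():
        if cfg.has_option(section, "sslclientcert"):
            old = cfg.get(section, "sslclientcert")
            new = os.path.join(os.path.dirname(old), f"{section}.crt")
            cfg.set(section, "sslclientcert", new)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("shared before fix:", shared_cert_basenames(PULP_REPO_BEFORE))
    fixed = rewrite_with_repo_prefix(PULP_REPO_BEFORE)
    print("shared after fix: ", shared_cert_basenames(fixed))
    print(fixed)
```

Running `shared_cert_basenames` over the files in /etc/yum.repos.d on a consumer is a cheap pre-flight check before upgrading or binding more protected repos; it flags the collision without waiting for yum to abort.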

Added by milan over 5 years ago

Revision a60d44be | View on GitHub

Fix cert unittests

Cert file unittests are not up-to-date with the change of the client cert relative path.

Closes: #3256 https://pulp.plan.io/issues/3256

Actions #6

Updated by balonik over 5 years ago

  • Status changed from POST to MODIFIED

Actions #7

Updated by milan over 5 years ago

Actions #8

Updated by dkliban@redhat.com over 5 years ago

  • Platform Release set to 2.18.0

Actions #9

Updated by ttereshc over 5 years ago

  • Sprint/Milestone set to 2.18.0

Actions #10

Updated by ttereshc over 5 years ago

  • Status changed from MODIFIED to 5

Actions #11

Updated by ttereshc over 5 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

Actions #12

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
