Issue #3256

all sslclientcert in pulp.repo are called client.crt

Added by balonik almost 2 years ago. Updated 7 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Severity:
2. Medium
Version:
Platform Release:
2.18.0
Blocks Release:
OS:
Backwards Incompatible:
No
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:

Description

Hi,

When binding a Pulp consumer to more than one protected repository, all sslclientcert entries in pulp.repo are named 'client.crt'.
This causes the old curl/yum error:
Error: sslclientcert basename shared between foo and bar

Environment:
RHEL 7.4
pulp-consumer-client-2.14.3-1.el7.noarch

Steps on the Pulp server:
Create entitlement certs as per https://pulpproject.org/2011/05/18/pulp-protected-repositories/
  1. pulp-admin rpm repo create --repo-id=foo --display-name=foo --relative-url=foo --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/foo.crt
  2. pulp-admin rpm repo create --repo-id=bar --display-name=bar --relative-url=bar --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/bar.crt
  3. pulp-admin rpm repo publish run --repo-id=foo
  4. pulp-admin rpm repo publish run --repo-id=bar
Expected Result:
On the Pulp consumer, register it against the server and bind the repositories.
  1. pulp-consumer rpm bind --repo-id=foo
     Bind tasks successfully created:
     Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f
  2. pulp-consumer rpm bind --repo-id=bar
     Bind tasks successfully created:
     Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e
  3. yum repolist
     <normal yum output here>
Actual result:
On the Pulp consumer, register it against the server and bind the repositories.
  1. pulp-consumer rpm bind --repo-id=foo
     Bind tasks successfully created:
     Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f
  2. pulp-consumer rpm bind --repo-id=bar
     Bind tasks successfully created:
     Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e
  3. yum repolist
     Loaded plugins: langpacks, pulp-profile-update
     Error: sslclientcert basename shared between foo and bar
Content of pulp.repo:
  # cat /etc/yum.repos.d/pulp.repo
  #
  # Pulp Repositories
  # Managed by Pulp client
  #

[foo]
name = foo
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
baseurl = https://pulpserver/pulp/repos/foo

[bar]
name = bar
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
baseurl = https://pulpserver/pulp/repos/bar


Checklist

Associated revisions

Revision 6728a935 View on GitHub
Added by balonik about 1 year ago

Avoid client certificate basenames shared between repos

Some older versions of the Yum client (such as those shipped with
RedHat/CentOS 7) are compiled against nss which in turn considers
certificates with the same basename as same certificates[1,2,3,4].
Pulp using repo directories to namespace client certificates (e.g.
/etc/pki/pulp/client/repo/foo/client.crt) leads to Yum refusing to use
multiple protected repos simultaneously.

This patch works around the situation by generating cert file basenames
with the repository name as a prefix.

Fixes: #3256
https://pulp.plan.io/issues/3256

[1] http://yum-devel.baseurl.narkive.com/pTxDzeaR/patch-document-basename-checking-of-ssl-cert-files
[2] https://github.com/jbraeuer/yum-s3/blob/master/SOURCES/BZ-695427-basename-cert-warn-check.patch#L51
[3] http://lists.baseurl.org/pipermail/yum-devel/2012-December/009818.html
[4] https://bugzilla.redhat.com/show_bug.cgi?id=885159
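The collision check described in the report above and in this commit message, as an added example that is not Pulp's or yum's own code: a small Python script that parses a pulp.repo-style file, groups repositories by the basename of their sslclientcert, and reports every basename that is used by more than one distinct certificate path, which is the condition older yum/NSS builds reject with "sslclientcert basename shared between ...". The sample file is constructed here to mirror the reporter's pulp.repo plus a disabled third repo. The `enabled_only` switch, the `<repo-id>-client.crt` renaming used to show the collision going away, and treating two repos that point at the identical path as not a collision are this example's assumptions, not a statement of exactly what yum or Pulp 2.18 does.

```python
"""Detect yum sslclientcert basename collisions in a .repo file.

Added example, not Pulp or yum code. Older yum builds (e.g. RHEL/CentOS 7)
use NSS, which treats two client certificates with the same file basename as
the same certificate, so yum refuses a repo set in which two repos point at
different paths that share a basename.
"""
import configparser
import os
from collections import defaultdict

# Constructed sample mirroring the reporter's pulp.repo (not captured live),
# plus a disabled repo to show the enabled_only switch.
SAMPLE_REPO_FILE = """\
#
# Pulp Repositories
# Managed by Pulp client
#

[foo]
name = foo
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
baseurl = https://pulpserver/pulp/repos/foo

[bar]
name = bar
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
baseurl = https://pulpserver/pulp/repos/bar

[baz]
name = baz
enabled = 0
sslclientcert = /etc/pki/pulp/client/repo/baz/client.crt
baseurl = https://pulpserver/pulp/repos/baz
"""


def parse_repo_file(text):
    """Return {repo_id: {option: value}} for a yum-style .repo file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def find_basename_collisions(repos, enabled_only=True):
    """Return {basename: [repo_ids]} for basenames shared by distinct paths.

    Two repos pointing at the *same* path are not reported: NSS is right to
    treat them as one certificate. Whether yum skips disabled repos is an
    assumption here, hence the enabled_only switch.
    """
    by_basename = defaultdict(dict)  # basename -> {full_path: [repo_ids]}
    for repo_id, opts in repos.items():
        if enabled_only and opts.get("enabled", "1").strip() != "1":
            continue
        cert = opts.get("sslclientcert")
        if not cert:
            continue
        by_basename[os.path.basename(cert)].setdefault(cert, []).append(repo_id)
    collisions = {}
    for basename, paths in by_basename.items():
        if len(paths) > 1:
            collisions[basename] = sorted(r for ids in paths.values() for r in ids)
    return collisions


def repo_prefixed_path(repo_id, cert_path):
    """Assumed renaming (illustrative, not necessarily Pulp's exact scheme):
    keep the per-repo directory, prefix the basename with the repo id."""
    directory, basename = os.path.split(cert_path)
    return os.path.join(directory, "%s-%s" % (repo_id, basename))


def fix_collisions(repos):
    """Return a copy of `repos` with every colliding sslclientcert renamed."""
    fixed = {rid: dict(opts) for rid, opts in repos.items()}
    for repo_ids in find_basename_collisions(repos, enabled_only=False).values():
        for rid in repo_ids:
            fixed[rid]["sslclientcert"] = repo_prefixed_path(rid, fixed[rid]["sslclientcert"])
    return fixed


if __name__ == "__main__":
    repos = parse_repo_file(SAMPLE_REPO_FILE)
    for basename, ids in find_basename_collisions(repos).items():
        print("Error: sslclientcert basename %r shared between %s" % (basename, " and ".join(ids)))
    fixed = fix_collisions(repos)
    print("after renaming:", find_basename_collisions(fixed, enabled_only=False) or "no collisions")
```

Run it against a real /etc/yum.repos.d/pulp.repo by reading the file into `parse_repo_file` in place of the sample; on an affected host it reports the same "client.crt" collision that yum refuses to start with, and the renamed copy reports none.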

Revision a60d44be View on GitHub
Added by milan about 1 year ago

Fix cert unittests

Cert file unittests are not up-to-date with the change of the client cert
relative path.

Closes: #3256
https://pulp.plan.io/issues/3256

History

#1 Updated by bmbouter almost 2 years ago

  • Triaged changed from No to Yes

Thanks for filing such a great bug description. I think the change would be backwards incompatible, but since it's a bug and it requires that change I believe semver.org allows us to make that change anyway. We should call it out in the release notes, though. Practically speaking I don't think the change will disturb many users.

I think the repo name could be used as the filename. So the cert would be called foo/foo.cert instead of foo/client.crt

@balonik, is there any way you would be able to send a fix for this issue? The core devs could help guide and review it. If you're interested in that (or if someone else is), come into #pulp-dev on irc and we can talk about how to fix it.

#2 Updated by balonik almost 2 years ago

Hi,
I can try to come up with a fix. Against which branch in GitHub should the PR be raised?

#3 Updated by ttereshc almost 2 years ago

@balonik, please, open PRs against master branch for any fixes in Pulp 2. Thanks!

#5 Updated by dalley over 1 year ago

  • Status changed from NEW to POST
  • Assignee set to balonik

#6 Updated by balonik about 1 year ago

  • Status changed from POST to MODIFIED

#7 Updated by milan about 1 year ago

#8 Updated by dkliban@redhat.com about 1 year ago

  • Platform Release set to 2.18.0

#9 Updated by ttereshc about 1 year ago

  • Sprint/Milestone set to 2.18.0

#10 Updated by ttereshc 12 months ago

  • Status changed from MODIFIED to ON_QA

#11 Updated by ttereshc 12 months ago

  • Status changed from ON_QA to CLOSED - CURRENTRELEASE

#12 Updated by bmbouter 7 months ago

  • Tags Pulp 2 added
