Issue #3256
closed
all sslclientcert in pulp.repo are called client.crt
Description
Hi,
When binding pulp consumer to more protected repositories, all sslclientcert in pulp.repo are named 'client.crt'.
This causes the old curl/yum error:
Error: sslclientcert basename shared between foo and bar
Environment:
RHEL 7.4
pulp-consumer-client-2.14.3-1.el7.noarch
Steps on the Pulp server:
Create entitlement certs as per https://pulpproject.org/2011/05/18/pulp-protected-repositories/
- pulp-admin rpm repo create --repo-id=foo --display-name=foo --relative-url=foo --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/foo.crt
- pulp-admin rpm repo create --repo-id=bar --display-name=bar --relative-url=bar --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/bar.crt
- pulp-admin rpm repo publish run --repo-id=foo
- pulp-admin rpm repo publish run --repo-id=bar
Expected Result:
On the Pulp consumer, register it against server and bind the repositories.
- pulp-consumer rpm bind --repo-id=foo
Bind tasks successfully created:
Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f
- pulp-consumer rpm bind --repo-id=bar
Bind tasks successfully created:
Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e
- yum repolist
<normal yum output here>
Actual result:
On the Pulp consumer, register it against server and bind the repositories.
- pulp-consumer rpm bind --repo-id=foo
Bind tasks successfully created:
Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f
- pulp-consumer rpm bind --repo-id=bar
Bind tasks successfully created:
Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e
- yum repolist
Loaded plugins: langpacks, pulp-profile-update
Error: sslclientcert basename shared between foo and bar
Content of pulp.repo:
- cat /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#
[foo]
name = foo
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
baseurl = https://pulpserver/pulp/repos/foo
[bar]
name = bar
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
baseurl = https://pulpserver/pulp/repos/bar
Updated by bmbouter almost 7 years ago
- Triaged changed from No to Yes
Thanks for filing such a great bug description. I think the change would be backwards incompatible, but since it's a bug and it requires that change I believe semver.org allows us to make that change anyway. We should call out the change in the release notes though. Practically speaking I don't think the change will disturb many users.
I think the repo name could be used as the filename. So the cert would be called foo/foo.cert instead of foo/client.crt
@balonik, is there any way you would be able to send a fix for this issue? The core devs could help guide and review it. If you're interested in that (or if someone else is), come into #pulp-dev on irc and we can talk about how to fix it.
Updated by balonik almost 7 years ago
Hi,
I can try to come up with a fix. Against which branch on GitHub should the PR be raised?
Updated by ttereshc almost 7 years ago
@balonik, please open PRs against the master branch for any fixes in Pulp 2. Thanks!
Updated by balonik over 6 years ago
Updated by dalley over 6 years ago
- Status changed from NEW to POST
- Assignee set to balonik
Added by balonik about 6 years ago
Added by milan about 6 years ago
Revision a60d44be
Fix cert unittests
Cert file unittests are not up-to-date with the change of the client cert relative path.
Updated by balonik about 6 years ago
- Status changed from POST to MODIFIED
Applied in changeset 6728a935f7c6ce114f634e5b108a9436d886a9b4.
Updated by milan about 6 years ago
Applied in changeset a60d44be2bcd5dea6c484be871475d2cdec02d56.
Updated by ttereshc almost 6 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Avoid client certificate basenames shared between repos
Some older versions of the Yum client (such as those shipped with RedHat/CentOS 7) are compiled against nss, which in turn considers certificates with the same basename to be the same certificate [1,2,3,4]. Pulp using repo directories to namespace client certificates (e.g. /etc/pki/pulp/client/repo/foo/client.crt) leads to Yum refusing to use multiple protected repos simultaneously.
This patch works around the situation by generating cert file basenames with the repository name as a prefix.
Fixes: #3256 https://pulp.plan.io/issues/3256
[1] http://yum-devel.baseurl.narkive.com/pTxDzeaR/patch-document-basename-checking-of-ssl-cert-files
[2] https://github.com/jbraeuer/yum-s3/blob/master/SOURCES/BZ-695427-basename-cert-warn-check.patch#L51
[3] http://lists.baseurl.org/pipermail/yum-devel/2012-December/009818.html
[4] https://bugzilla.redhat.com/show_bug.cgi?id=885159
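The conflict reported in this issue can be detected in a .repo file before yum is run. The following is an added example, not code from Pulp or yum: `shared_basenames` and both sample files are constructed here, the prefixed file names are hypothetical rather than Pulp's actual naming, and it is an assumption of the example that two repos pointing at the very same file (like `sslcacert` in the report) do not count as a conflict.

```python
import configparser
import posixpath
from collections import defaultdict

# Constructed sample: the two stanzas from the report, unrelated keys dropped.
COLLIDING = """\
#
# Pulp Repositories
# Managed by Pulp client
#
[foo]
name = foo
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
baseurl = https://pulpserver/pulp/repos/foo
[bar]
name = bar
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
baseurl = https://pulpserver/pulp/repos/bar
"""

# Constructed sample with hypothetical repo-prefixed names (not Pulp's scheme).
PREFIXED = (COLLIDING
            .replace("foo/client.crt", "foo/foo-client.crt")
            .replace("bar/client.crt", "bar/bar-client.crt"))


def shared_basenames(repo_text, option="sslclientcert"):
    """Map each basename used by different paths to the repo ids that use it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    # basename -> {full path -> [repo ids]}
    by_name = defaultdict(lambda: defaultdict(list))
    for repo_id in parser.sections():
        path = parser.get(repo_id, option, fallback="").strip()
        if path:
            by_name[posixpath.basename(path)][path].append(repo_id)
    # Only a basename reached through more than one distinct path is a conflict.
    return {name: sorted(r for ids in paths.values() for r in ids)
            for name, paths in by_name.items() if len(paths) > 1}


if __name__ == "__main__":
    for name, repos in shared_basenames(COLLIDING).items():
        print("sslclientcert basename %s shared between %s"
              % (name, " and ".join(repos)))
```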