Issue #3256
closed
all sslclientcert in pulp.repo are called client.crt
Description
Hi,
When binding pulp consumer to more protected repositories, all sslclientcert in pulp.repo are named 'client.crt'.
This causes the old curl/yum error:
Error: sslclientcert basename shared between foo and bar
Environment:
RHEL 7.4
pulp-consumer-client-2.14.3-1.el7.noarch
Steps on the Pulp server:
Create entitlement certs as per https://pulpproject.org/2011/05/18/pulp-protected-repositories/
- pulp-admin rpm repo create --repo-id=foo --display-name=foo --relative-url=foo --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/foo.crt
- pulp-admin rpm repo create --repo-id=bar --display-name=bar --relative-url=bar --repoview=false --host-ca=/etc/httpd/ssl/ca.crt --auth-ca=/etc/httpd/ssl/ca.crt --auth-cert=/etc/httpd/ssl/bar.crt
- pulp-admin rpm repo publish run --repo-id=foo
- pulp-admin rpm repo publish run --repo-id=bar
Expected Result:
On the Pulp consumer, register it against server and bind the repositories.
- pulp-consumer rpm bind --repo-id=foo
Bind tasks successfully created:
Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f
- pulp-consumer rpm bind --repo-id=bar
Bind tasks successfully created:
Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e
- yum repolist
<normal yum output here>
Actual result:
On the Pulp consumer, register it against server and bind the repositories.
- pulp-consumer rpm bind --repo-id=foo
Bind tasks successfully created:
Task Id: 51c45868-2a59-4b31-a933-31a34ab22c1f
- pulp-consumer rpm bind --repo-id=bar
Bind tasks successfully created:
Task Id: c4d864e1-65d1-4714-8db9-5536698d9a6e
- yum repolist
Loaded plugins: langpacks, pulp-profile-update
Error: sslclientcert basename shared between foo and bar
Content of pulp.repo:
- cat /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#
[foo]
name = foo
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
baseurl = https://pulpserver/pulp/repos/foo
[bar]
name = bar
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
baseurl = https://pulpserver/pulp/repos/bar
Avoid client certificate basenames shared between repos
Some older versions of the Yum client (such as those shipped with Red Hat/CentOS 7) are compiled against nss which in turn considers certificates with the same basename as the same certificates [1,2,3,4]. Pulp using repo directories to namespace client certificates (e.g. /etc/pki/pulp/client/repo/foo/client.crt) leads to Yum refusing to use multiple protected repos simultaneously.
This patch works around the situation by generating cert file basenames with the repository name as a prefix.
Fixes: #3256 https://pulp.plan.io/issues/3256
[1] http://yum-devel.baseurl.narkive.com/pTxDzeaR/patch-document-basename-checking-of-ssl-cert-files
[2] https://github.com/jbraeuer/yum-s3/blob/master/SOURCES/BZ-695427-basename-cert-warn-check.patch#L51
[3] http://lists.baseurl.org/pipermail/yum-devel/2012-December/009818.html
[4] https://bugzilla.redhat.com/show_bug.cgi?id=885159
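A pre-flight check for the condition reported in this issue, as an added example that is not Pulp or Yum code: it parses a .repo file and lists certificate basenames that different repos use with different full paths. The sample file is constructed from the pulp.repo shown above, the function name is hypothetical, and treating a basename shared at the same full path (such as the common sslcacert) as harmless is an assumption based on the error naming only sslclientcert.

```python
import configparser
import os
from collections import defaultdict

# Constructed sample, trimmed from the pulp.repo in the issue description.
SAMPLE_REPO = """\
#
# Pulp Repositories
#
[foo]
name = foo
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/foo/client.crt
baseurl = https://pulpserver/pulp/repos/foo

[bar]
name = bar
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
sslclientcert = /etc/pki/pulp/client/repo/bar/client.crt
baseurl = https://pulpserver/pulp/repos/bar
"""


def shared_cert_basenames(repo_text, keys=("sslclientcert",)):
    """Return {(option, basename): [repo ids]} for every basename that two or
    more repos reference through different full paths (hypothetical helper)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)

    # (option, basename) -> {full path -> [repo ids using that path]}
    seen = defaultdict(dict)
    for repo_id in parser.sections():
        for key in keys:
            path = parser.get(repo_id, key, fallback="").strip()
            if path:
                base = os.path.basename(path)
                seen[(key, base)].setdefault(path, []).append(repo_id)

    # Only a basename reached through more than one distinct path is a clash.
    return {
        opt_base: sorted(r for repos in paths.values() for r in repos)
        for opt_base, paths in seen.items()
        if len(paths) > 1
    }


if __name__ == "__main__":
    for (option, base), repos in shared_cert_basenames(SAMPLE_REPO).items():
        print(f"{option} basename {base!r} shared between {' and '.join(repos)}")
```

Run against /etc/yum.repos.d/pulp.repo after binding, an empty result means no two repos share a client certificate basename.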