Issue #4506
closed
ssl_client_* and ssl_ca_certificate remote options are difficult to use
Description
The three options:
- ssl_ca_certificate
- ssl_client_certificate
- ssl_client_key
take PEM-encoded certs, which is base64 encoded; however, when I use the bindings to pass them in, Pulp throws an error:
{"ssl_ca_certificate":["The submitted data was not a file. Check the encoding type on the form."],
"ssl_client_certificate":["The submitted data was not a file. Check the encoding type on the form."],
"ssl_client_key":["The submitted data was not a file. Check the encoding type on the form."]}
This seems to indicate that they need to be uploaded as a multi-part form (as files)? I'd expect the bindings to handle this if it were the case, but I'm not really sure it'd need to be the case?
In addition, these options are not documented in the remote_file_file_create API, even though the API seems to try to accept them.
Related issues
Updated by dkliban@redhat.com over 5 years ago
- Project changed from File Support to Pulp
Updated by daviddavis over 5 years ago
- Related to Task #2455: Store SSL certificates on the filesystem instead of DB added
Updated by dkliban@redhat.com over 5 years ago
It looks like the serializer is not exposing these fields so the documentation and bindings don't mention any of these parameters. When the bindings work correctly, the user is supposed to provide a path to a file for each cert and key. The bindings do all the file handling to do the upload.
The FileFields on the Remote make this behaviour possible. However, they also produce paths to files as responses for a GET. The response should contain either the whole content of a key/cert or a digest for it. Users would like to be able to verify that the Remote is configured as expected.
Updated by CodeHeeler over 5 years ago
- Priority changed from Normal to High
- Triaged changed from No to Yes
- Sprint set to Sprint 50
Updated by dkliban@redhat.com over 5 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to dkliban@redhat.com
Updated by dkliban@redhat.com over 5 years ago
- Status changed from ASSIGNED to POST
Updated by dkliban@redhat.com over 5 years ago
Even though we will accept the keys and certs as strings, we will not be able to load them into the sslcontext from memory. Python currently only supports loading the certs from memory[0], but not keys[1].
[0] https://bugs.python.org/issue18138
[1] https://bugs.python.org/issue16487
Added by dkliban@redhat.com over 5 years ago
Updated by dkliban@redhat.com over 5 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulpcore|0fea20fdd4c8544a0704c753cf491092714945ab.
Updated by kersom over 5 years ago
- Related to Test #5270: Test - Syncing with ssl client certs and ca cert added
Updated by kersom about 5 years ago
- Related to Issue #5352: Unable to sync using SSL certs from distribution with cert-guards added
Updated by bmbouter almost 5 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Updated by ggainey over 4 years ago
- Tags Katello added
- Tags deleted (Katello-P1)
Problem: ssl fields on remote are hard to use
Solution: switch all ssl fields to TextField
This patch switches the storage of SSL certs, keys, and CAs from filesystem to database. This patch also introduces a new serializer field that returns a SHA256 digest for GET operations.
Required PR: https://github.com/pulp/pulpcore-plugin/pull/91
fixes: #4506 https://pulp.plan.io/issues/4506
re: #4676 https://pulp.plan.io/issues/4676
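
An added example (not pulpcore's code) for two points in this thread: certs and keys held as strings still need file paths for load_cert_chain(), and a SHA-256 digest lets a user confirm what a Remote holds. The function names are hypothetical, and hashing the UTF-8 bytes of the PEM text is an assumption about what the digest covers.

```python
import contextlib
import hashlib
import os
import shutil
import ssl
import tempfile


@contextlib.contextmanager
def pem_files(**pems):
    """Write PEM strings to 0600 files in a private temp dir; remove on exit."""
    workdir = tempfile.mkdtemp(prefix="remote-tls-")  # mkdtemp creates it 0700
    try:
        paths = {}
        for name, pem in pems.items():
            path = os.path.join(workdir, name + ".pem")
            # O_EXCL + explicit mode: never reuse a file, never world-readable.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as handle:
                handle.write(pem)
            paths[name] = path
        yield paths
    finally:
        # Runs on success and on error, so key material does not linger.
        shutil.rmtree(workdir, ignore_errors=True)


def build_client_context(ca_pem, cert_pem, key_pem):
    """Build a client SSLContext from PEM strings (e.g. read from a database)."""
    # CA certificates can be loaded straight from memory through cadata.
    ctx = ssl.create_default_context(cadata=ca_pem)
    # load_cert_chain() takes file paths, so the key touches disk briefly.
    with pem_files(cert=cert_pem, key=key_pem) as paths:
        ctx.load_cert_chain(certfile=paths["cert"], keyfile=paths["key"])
    return ctx


def pem_digest(pem):
    """SHA-256 hex digest of the PEM text, to compare with a GET response.

    Assumption: the digest covers the UTF-8 bytes of the stored text.
    """
    return hashlib.sha256(pem.encode("utf-8")).hexdigest()
```
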