Issue #475

Deprecate the [server] ssl_ca_certificate setting, replacing with a new CA path setting

Added by rbarlow about 5 years ago. Updated 2 days ago.

Start date:
Due date:
2. Medium
Platform Release:
Blocks Release:
Backwards Incompatible:
Sprint Candidate:
Pulp 2
QA Contact:
Smash Test:
Verification Required:


We currently have a setting in the [server] section of server.conf called ssl_ca_certificate. It must be a path to a specific CA certificate that is used for consumer yum repo files to validate that the Yum repository's SSL certificate is trusted.

Unfortunately there is also a setting called ca_cert, which is the certificate that Pulp uses to sign client certificates for authentication. These settings have little to do with one another yet have a meaning conflict in their names.

This should be removed. Instead we should have a consumer bool setting (i.e., not in server.conf) that allows the user to specify whether Yum should validate the server's signature with an authority pack. Additionally, a setting for a path to a directory containing certificates should be created so the user can provide their own certificate packs if they wish.

+ This bug was cloned from Bugzilla Bug #1123509 +

clipboard-201908051705-uboe0.png (8.05 KB) susannelson, 08/05/2019 12:05 PM clipboard-201908051705-uboe0.png
clipboard-201911121939-8vqz1.png (1.47 KB) deannawilliam, 11/12/2019 03:39 PM clipboard-201911121939-8vqz1.png


#1 Updated by rbarlow about 5 years ago

I think this might be important to do with 3.0. This setting cannot be used in a safe way, because it requires the consumer machine to have already registered and to have bound a repo before it can take any effect. This means that the consumer machines must already have trust on Pulp's CA certificate since they cannot safely use pulp-consumer without it. If the consumer machines already have trust on Pulp's CA, this setting isn't useful.

This setting also has a lot of potential for confusion, since it has such a general name and since its name is extremely similar to the cacert setting.

I'll untriage it so its priority and target release can be reconsidered. I've also removed the FutureFeature and RFE tags since this isn't really a feature but is truly a defect.

+ This comment was cloned from Bugzilla #1123509 comment 1 +

#2 Updated by rbarlow about 5 years ago

Maybe we can go ahead and deprecate this setting now, but remove it in 3.0. Should we have two bugs for this? One for derecation (this one), and another for removal?

+ This comment was cloned from Bugzilla #1123509 comment 2 +

#3 Updated by about 5 years ago

2.6 just deprecates the setting. On completion, re-assign to 3.0.

+ This comment was cloned from Bugzilla #1123509 comment 3 +

#4 Updated by about 5 years ago Not moving to POST. Once the PR is approved and merged, this bug will be moved to 3.0 target release for actually removing the settings.

+ This comment was cloned from Bugzilla #1123509 comment 4 +

#5 Updated by about 5 years ago

Merged Moving to 3.0 target relase.

+ This comment was cloned from Bugzilla #1123509 comment 5 +

#6 Updated by about 5 years ago

  • Backwards Incompatible changed from No to Yes

#7 Updated by about 5 years ago

  • Platform Release deleted (3.0.0)

#8 Updated by bmbouter about 5 years ago

  • Severity changed from Medium to 2. Medium

#9 Updated by bmbouter 12 months ago

  • Status changed from NEW to CLOSED - WONTFIX

#10 Updated by bmbouter 12 months ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#11 Updated by bmbouter 12 months ago

  • Tags Pulp 2 added

#13 Updated by deannawilliam 5 months ago


Computer backup systems have fallen dramatically in price since the introduction of cloud storage. You can now leverage cloud platforms as a simple and scalable way of backing up your information without ever having to worry about the infrastructure.

#14 Updated by lindcarl 4 months ago

Nice to see this post here and thanks for sharing this to us.

#15 Updated by Marquardt 2 days ago

Rosie’s Place relies solely on the generous support of individuals, foundations and corporations and does not accept any city, state or federal funding. jigsaw puzzle

Please register to edit this issue

Also available in: Atom PDF