https://pulp.plan.io/https://pulp.plan.io/favicon.ico2020-05-19T14:35:09ZPulpCertGuard - Issue #6762: Cannot sync a remote that's using a x509 content guard https://pulp.plan.io/issues/6762?journal_id=567472020-05-19T14:35:09Zfao89
<ul><li><strong>Project</strong> changed from <i>Pulp</i> to <i>CertGuard</i></li><li><strong>Triaged</strong> changed from <i>No</i> to <i>Yes</i></li></ul> CertGuard - Issue #6762: Cannot sync a remote that's using a x509 content guard https://pulp.plan.io/issues/6762?journal_id=569302020-05-22T19:29:04Zbmbouterbmbouter@redhat.com
<ul></ul><p>The original implementation of certguard used the <code>SSL-CLIENT-CERTIFICATE</code> but this was problematic for exactly the reasons you're running into. The implementation was switched to having the cert arrive via the TLS connection itself with this ticket <a href="https://pulp.plan.io/issues/6352" class="external">https://pulp.plan.io/issues/6352</a> Those changes are released today 0.1.0rc5.</p>
<p>The downside is that the migrations had to be remade from scratch due to technical reasons. So for you to upgrade to the latest, you'll have to remove your existing use of certguard, delete certguard tables from your DB, and reinstall certguard 0.1.0rc5 (just released) and reapply your migrations. Reach out on pulp-list, comment here, or come to #pulp on irc for some help doing ^ if you like.</p>
<p>As of now 0.1.0rc5 is the latest version and likely will become the GA here in 2-3 weeks, so I only expect you to go through this huge hassle once. After that you should be able to use Pulp to sync via the Remote.client_cert and Remote.client_key features of Pulp. I filed a ticket for us to add a functional test for this, but I believe it works already. <a href="https://pulp.plan.io/issues/6810" class="external">https://pulp.plan.io/issues/6810</a> That outlines roughly the procedure you should use.</p>
<p>Let me know how it goes, and I regret you not having a clean upgrade path for this. Any feedback is welcome.</p> CertGuard - Issue #6762: Cannot sync a remote that's using a x509 content guard https://pulp.plan.io/issues/6762?journal_id=570312020-05-27T09:51:14Zdavid.macneil@actual-experience.com
<ul></ul><p>Many thanks for the update on this. We have, for now, worked around the issue but I'll let you know if we have reason / chance to test what you've suggested. We'll probably wait for the next time we want to perform an upgrade however so hopefully there will be a stable upgrade path at that time. The reason for this migration was to upgrade from pulpcore 3.1.1 to 3.3.1 make use of the s3 plugin.</p> CertGuard - Issue #6762: Cannot sync a remote that's using a x509 content guard https://pulp.plan.io/issues/6762?journal_id=570702020-05-27T18:27:57Zbmbouterbmbouter@redhat.com
<ul><li><strong>Status</strong> changed from <i>NEW</i> to <i>CLOSED - WORKSFORME</i></li></ul><p>I believe this working so I'm going to close as WORKSFORME. Please comment if there is something we should do to make this better. Thank you for filing it.</p> CertGuard - Issue #6762: Cannot sync a remote that's using a x509 content guard https://pulp.plan.io/issues/6762?journal_id=572662020-05-28T21:13:44Zbmbouterbmbouter@redhat.com
<ul></ul><p><a href="mailto:david.macneil@actual-experience.com" class="email">david.macneil@actual-experience.com</a> wrote:</p>
<blockquote>
<p>Many thanks for the update on this. We have, for now, worked around the issue but I'll let you know if we have reason / chance to test what you've suggested. We'll probably wait for the next time we want to perform an upgrade however so hopefully there will be a stable upgrade path at that time. The reason for this migration was to upgrade from pulpcore 3.1.1 to 3.3.1 make use of the s3 plugin.</p>
</blockquote>
<p>Sounds good. If you can start from a GA release there will absolutely be an upgrade path. Unfortunately if you're using <= 0.1.0rc3 you'll have to uninstall + drop certguard tables + install.</p>
<p>Way to go with the S3 usage! If there is anything we can help with let us know.</p>