Update yum/dnf documentation on how .repo files can be configured to present a client cert and key
Clients now present the cert and key during TLS, so these docs are out of date.
We should update the docs to show how a yum/dnf client can be configured to submit the cert and key via TLS.
#2 Updated by OnceUponALoop over 1 year ago
Hey all - I just watched the "Pulp certguard Tour - 2020.05.20" youtube video, thank you for putting that together it was useful.
I especially appreciate the dev overview of the code structure in the end. It makes it easier to jump in by saving all the "what the hell is going on here" upfront cost.
Regarding the yum configuration - I'm familiar enough with the topic that I thought I could respond to the video's request for yum x509-auth configuration details.
Yum can either have the x509 cert info in its main configuration or in each repo configuration.
Assuming we've already configured Pulp and have placed the required certificates in /etc/pki/entitlement/ (this is the default RHSM path, I'm not sure if there's a more standards-compliant path).
Define the x509 info in /etc/yum.conf and it will apply to all repos.

[main]
# x509 Auth Info
sslclientcert = /etc/pki/entitlement/<user-cert>.pem
sslclientkey = /etc/pki/entitlement/<user-key>.pem
sslcacert = /etc/pki/entitlement/<ca-cert>.pem
To exclude a certain repo from the x509 configuration, update the repo configuration as follows
[pulp-repo-clear]
name = Unprotected Repo - Global x509 is configured
baseurl = http://pulp.example.com/content/rpm/pulp-repo-clear
sslverify = 1
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PULP-REPO-CLEAR
# Auth Not Needed
sslclientcert = _none_
sslclientkey = _none_
sslcacert = _none_
Define the x509 info for each repo that supports certguard (if repos have different certguards) in
This is probably the most straightforward implementation, and should be recommended as it avoids all the corner cases as well.
[pulp-repo-cg]
name = Cert Guard Protected Repo
baseurl = http://pulp.example.com/content/rpm/pulp-repo-cg
sslverify = 1
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-MYREPO
# x509 Auth
sslclientcert = /etc/pki/entitlement/<user-cert>.pem
sslclientkey = /etc/pki/entitlement/<user-key>.pem
sslcacert = /etc/pki/entitlement/<ca-cert>.pem
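The comment above describes a precedence rule (global [main] settings, per-repo overrides, and _none_ to clear an inherited value) that is easy to get wrong when many .repo files are involved. The following is an added example, not code from Pulp or from the commenter: it parses constructed yum.conf and .repo samples with Python's configparser, computes the TLS settings each repo would end up with under that rule, and audits the result for the mistakes a reviewer would look for (cert without key, missing files, sslverify disabled while a client cert is configured, or a plain http:// baseurl over which no client cert is ever presented). The sample files, repo names and paths are constructed for the example; the _none_ semantics follow the comment's description and are assumed rather than verified against a specific yum or dnf version.

```python
import configparser
import os

# TLS keys yum/dnf read from [main] in yum.conf and from each repo section.
SSL_KEYS = ("sslclientcert", "sslclientkey", "sslcacert")
# Literal the comment above uses to cancel an inherited value inside a repo section (assumption).
NONE_MARKER = "_none_"

# Constructed sample configuration (not a real system's files), laid out like the comment's examples.
YUM_CONF = """
[main]
# x509 Auth Info
sslclientcert = /etc/pki/entitlement/user-cert.pem
sslclientkey = /etc/pki/entitlement/user-key.pem
sslcacert = /etc/pki/entitlement/ca-cert.pem
"""

REPO_FILES = {
    "pulp-repo-cg.repo": """
[pulp-repo-cg]
name = Cert Guard Protected Repo
baseurl = https://pulp.example.com/content/rpm/pulp-repo-cg
sslverify = 1
enabled = 1
""",
    "pulp-repo-clear.repo": """
[pulp-repo-clear]
name = Unprotected Repo - Global x509 is configured
baseurl = http://pulp.example.com/content/rpm/pulp-repo-clear
sslverify = 1
enabled = 1
# Auth Not Needed
sslclientcert = _none_
sslclientkey = _none_
sslcacert = _none_
""",
    "weak.repo": """
[weak-repo]
name = Per-repo cert, but verification off and plain http
baseurl = http://pulp.example.com/content/rpm/weak
sslverify = 0
enabled = 1
sslclientcert = /etc/pki/entitlement/other-cert.pem
sslclientkey = /etc/pki/entitlement/other-key.pem
""",
}


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_ssl(yum_conf, repo_files):
    """Compute the TLS settings each repo ends up with: [main] supplies the
    defaults, a repo section overrides them, and _none_ clears an inherited value."""
    main = _parse(yum_conf)
    defaults = {k: main.get("main", k, fallback=None) for k in SSL_KEYS}
    effective = {}
    for text in repo_files.values():
        cp = _parse(text)
        for repo_id in cp.sections():
            eff = {}
            for k in SSL_KEYS:
                value = cp.get(repo_id, k, fallback=None)
                if value is None:
                    value = defaults[k]            # inherited from [main]
                elif value.strip() == NONE_MARKER:
                    value = None                   # explicitly cleared in this repo
                eff[k] = value
            verify = cp.get(repo_id, "sslverify", fallback="1").strip().lower()
            eff["sslverify"] = verify not in ("0", "false", "no")
            eff["baseurl"] = cp.get(repo_id, "baseurl", fallback="")
            effective[repo_id] = eff
    return effective


def audit(effective, file_exists=os.path.exists):
    """Return {repo_id: [finding, ...]} for the effective settings.
    file_exists is injectable so the check can run against sample data."""
    findings = {}
    for repo_id, eff in effective.items():
        issues = []
        cert, key = eff["sslclientcert"], eff["sslclientkey"]
        if bool(cert) != bool(key):
            issues.append("sslclientcert and sslclientkey must be set together")
        for k in SSL_KEYS:
            if eff[k] and not file_exists(eff[k]):
                issues.append(f"{k} points at a missing file: {eff[k]}")
        if cert and not eff["sslverify"]:
            issues.append("sslverify=0: client cert is sent to an unverified server")
        if cert and not eff["baseurl"].lower().startswith("https://"):
            issues.append("baseurl is not https://, so no TLS client cert is ever presented")
        findings[repo_id] = issues
    return findings


if __name__ == "__main__":
    # file_exists=lambda p: True skips the filesystem so the sample runs anywhere.
    for repo_id, issues in audit(effective_ssl(YUM_CONF, REPO_FILES), file_exists=lambda p: True).items():
        print(repo_id, issues or "ok")
```

On a real host, drop the file_exists override and pass the contents of /etc/yum.conf (or /etc/dnf/dnf.conf) and each file under /etc/yum.repos.d/ to effective_ssl; the finding for a non-https baseurl is the one most worth acting on, since a certguard-protected repo only receives the client certificate when the connection is actually TLS.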