Issue #7268

closed

Pulp can't connect to server with self signed certificates

Added by cmeissner almost 2 years ago. Updated about 1 year ago.

Status: CLOSED - WORKSFORME
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: Master
Platform Release:
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags: Single Container
Sprint:
Quarter:

Description

We try the scripts from pulp-rpm and we get the following error:

{
  "pulp_href": "/pulp/api/v3/tasks/7279ef70-2ec6-43a4-8f67-a2b3bc8bea29/",
  "pulp_created": "2020-08-04T12:55:33.163985Z",
  "state": "failed",
  "name": "pulp_rpm.app.tasks.synchronizing.synchronize",
  "started_at": "2020-08-04T12:55:33.240388Z",
  "finished_at": "2020-08-04T12:55:33.778391Z",
  "error": {
    "traceback": "  File \"/usr/local/lib/python3.7/site-packages/rq/worker.py\", line 883, in perform_job\n    rv = job.perform()\n  File \"/usr/local/lib/python3.7/site-packages/rq/job.py\", line 657, in perform\n    self._result = self._execute()\n  File \"/usr/local/lib/python3.7/site-packages/rq/job.py\", line 663, in _execute\n    return self.func(*self.args, **self.kwargs)\n  File \"/usr/local/lib/python3.7/site-packages/pulp_rpm/app/tasks/synchronizing.py\", line 129, in synchronize\n    treeinfo = get_treeinfo_data(remote)\n  File \"/usr/local/lib/python3.7/site-packages/pulp_rpm/app/kickstart/treeinfo.py\", line 24, in get_treeinfo_data\n    result = downloader.fetch()\n  File \"/usr/local/lib/python3.7/site-packages/pulpcore/download/base.py\", line 160, in fetch\n    return done.pop().result()\n  File \"/usr/local/lib/python3.7/site-packages/pulpcore/download/base.py\", line 227, in run\n    return await self._run(extra_data=extra_data)\n  File \"/usr/local/lib/python3.7/site-packages/backoff/_async.py\", line 133, in retry\n    ret = await target(*args, **kwargs)\n  File \"/usr/local/lib/python3.7/site-packages/pulpcore/download/http.py\", line 197, in _run\n    async with self.session.get(self.url, proxy=self.proxy, auth=self.auth) as response:\n  File \"/usr/local/lib64/python3.7/site-packages/aiohttp/client.py\", line 1012, in __aenter__\n    self._resp = await self._coro\n  File \"/usr/local/lib64/python3.7/site-packages/aiohttp/client.py\", line 483, in _request\n    timeout=real_timeout\n  File \"/usr/local/lib64/python3.7/site-packages/aiohttp/connector.py\", line 523, in connect\n    proto = await self._create_connection(req, traces, timeout)\n  File \"/usr/local/lib64/python3.7/site-packages/aiohttp/connector.py\", line 859, in _create_connection\n    req, traces, timeout)\n  File \"/usr/local/lib64/python3.7/site-packages/aiohttp/connector.py\", line 1004, in _create_direct_connection\n    raise last_exc\n  File \"/usr/local/lib64/python3.7/site-packages/aiohttp/connector.py\", line 986, in _create_direct_connection\n    req=req, client_error=client_error)\n  File \"/usr/local/lib64/python3.7/site-packages/aiohttp/connector.py\", line 939, in _wrap_create_connection\n    req.connection_key, exc) from exc\n",
    "description": "Cannot connect to host fixtures.pulpproject.org:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')]"
  },
  "worker": "/pulp/api/v3/workers/d20ffb20-545c-4d65-b7e3-6185f7d25b89/",
  "parent_task": null,
  "child_tasks": [],
  "task_group": null,
  "progress_reports": [],
  "created_resources": [],
  "reserved_resources_record": [
    "/pulp/api/v3/repositories/rpm/rpm/0c392a49-6b82-4171-a393-c64e0f544399/",
    "/pulp/api/v3/remotes/rpm/rpm/ad6ca5ac-d2d8-4d05-90a2-4b39f1ea1f36/"
  ]
}

Obviously Pulp can't connect to a server which uses a self-signed certificate. We looked in the documentation, but there seems to be no configuration option to make Pulp able to handle self-signed certificates or to skip verification of such certificates.

Is there an option to configure Pulp not to verify SSL certificates?

Actions #1

Updated by dkliban@redhat.com almost 2 years ago

Each remote has a 'tls_validation' option. You need to set it to False. The RPMRemote API is described here[0].

[0] https://pulp-rpm.readthedocs.io/en/3.4/restapi.html#operation/remotes_rpm_rpm_create
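
The change suggested in comment #1, as an added example that is not part of the original thread or Pulp's own code: it builds the PATCH request for one remote, either switching tls_validation off or, to keep validation on, supplying the server's CA through the remote's ca_cert field (a Pulp 3 remote field the thread does not mention). The base URL, the credentials, basic authentication and the function names are assumptions.

```python
import base64
import json
import ssl
import urllib.request

# Assumptions (not from the issue): Pulp API base URL and admin credentials.
PULP_BASE = "https://pulp.example.com"
PULP_AUTH = ("admin", "password")


def remote_tls_patch(remote_href, ca_pem=None):
    """Build the PATCH request that changes how one remote verifies TLS.

    With ca_pem, validation stays on and the remote trusts that CA (ca_cert).
    Without it, validation is switched off for this remote only
    (tls_validation=False, as suggested in comment #1).
    """
    if ca_pem is not None:
        # Raises ValueError unless the text is a PEM CERTIFICATE block, which
        # catches a private key or a file path passed by mistake.
        ssl.PEM_cert_to_DER_cert(ca_pem.strip())
        body = {"ca_cert": ca_pem, "tls_validation": True}
    else:
        body = {"tls_validation": False}
    token = base64.b64encode(":".join(PULP_AUTH).encode()).decode()
    return urllib.request.Request(
        PULP_BASE + remote_href,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
    )


def send(request):
    """Send the request and return the parsed JSON response."""
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    # Remote href taken from reserved_resources_record in the failed task.
    href = "/pulp/api/v3/remotes/rpm/rpm/ad6ca5ac-d2d8-4d05-90a2-4b39f1ea1f36/"
    req = remote_tls_patch(href)
    print(req.get_method(), req.full_url, req.data.decode())
```

With tls_validation set to False, the remote accepts any certificate the server presents; passing the CA's PEM text keeps verification on for that one remote.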

Actions #2

Updated by fao89 almost 2 years ago

  • Status changed from NEW to CLOSED - WORKSFORME

Actions #3

Updated by daviddavis about 1 year ago

  • Tags Single Container added