Issue #1227

Updated by bmbouter over 8 years ago

In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs, which stops self-signed certs from being trusted. This was done through "PEP 476":https://www.python.org/dev/peps/pep-0476/. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since I believe fc21+ carries 2.7.10. Fedora 21 carries 2.7.8.

 To reproduce, start with an empty pulp with no consumers and do the following: 

 1. Configure httpd to use a self-signed SSL crt 
 2. Verify you have Python >= 2.7.9 by showing the version `python -V` 
 3. Register the pulp consumer as c1 by running: `sudo pulp-consumer -u admin -p admin register --consumer-id c1` and you'll see the following output: 

 <pre> 
 Download server RSA key failed [<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] 
 certificate verify failed (_ssl.c:590)>] 

 Consumer [c1] successfully registered 
 </pre> 

 4. Notice that the registration did complete successfully as reported also by pulp-consumer when I run: `sudo pulp-consumer status` 

 <pre> 
 This consumer is registered to the server [example.com] with the 
 ID [c1]. 
 </pre> 

 5. The consumer is registered but unusable. First ensure that goferd is running. 

 6. Now try to have the consumer install a package by running: `pulp-admin -u admin -p admin rpm consumer package install run -n screen --consumer-id=c1` which shows: 

 <pre> 
 Install task created with id [ 28fdb0b6-16f0-4147-9eae-b104119b06af ] 

 This command may be exited via ctrl+c without affecting the request. 


 [-] 
 Waiting to begin... 
 </pre> 

 7. I had to restart goferd, but after doing so I saw the messages were rejected because the rsa_key wasn't properly fetched due to the SSL error. You'll see this in the logs on the consumer: 

 <pre> 
 pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) Task RMI (rejected): Rejected 
 pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     sn : 7695fedd-fb5c-45e0-adf0-1792634d23b5   
 pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     origin : None 
 pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     timestamp : 2015-09-02T19:30:52Z 
 pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     user data : {'task_id': 'c844b3f6-6b67-47db-b36d-8e1d18872cf4', 'consumer_id': 'c1'} 
 pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) rejected 
 </pre> 

 This is especially strange because verify_ssl = False in my config file. I expect the verify_ssl = False to allow for the usage of untrusted certs like self-signed certs. Here are the contents of my ~/.pulp/consumer.conf 

 <pre> 
 [server] 
 verify_ssl: False 
 </pre> 

 Also the contents of my /etc/pulp/consumer/consumer.conf 

 <pre> 
 [server] 
 host = <my hostname> 
 port = 443 
 verify_ssl = False 

 [authentication] 

 [client] 

 [filesystem] 

 [reboot] 

 [logging] 

 [output] 

 [messaging] 
 host = <my hostname> 
 port = 5672 

 [profile] 
 </pre>
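
An added example, not part of the issue report and not Pulp's code: one way a client can make a `urlopen` download follow the `verify_ssl` setting from the `[server]` section shown above, now that PEP 476 verifies certificates by default. The function names, the sample host and the use of the Python 3 standard library are assumptions made for the illustration.

```python
import configparser
import ssl
import urllib.request

# Constructed sample mirroring the [server] section shown in the report.
SAMPLE_CONF = """
[server]
host = pulp.example.com
port = 443
verify_ssl = False
"""


def load_verify_ssl(conf_text):
    """Return the [server] verify_ssl setting as a bool (default: True)."""
    parser = configparser.ConfigParser()  # accepts "key = v" and "key: v"
    parser.read_string(conf_text)
    return parser.getboolean("server", "verify_ssl", fallback=True)


def build_context(verify_ssl):
    """Build the TLS context that every HTTPS call in the client shares."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if not verify_ssl:
        # Order matters: check_hostname must be cleared before CERT_NONE,
        # otherwise assigning verify_mode raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url, conf_text, timeout=10):
    """Hypothetical helper: download url honouring the configured setting."""
    ctx = build_context(load_verify_ssl(conf_text))
    # Without context=ctx, urlopen falls back to the verifying default and a
    # self-signed server certificate fails with CERTIFICATE_VERIFY_FAILED.
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()
```

Where the server certificate is self-signed, loading it into the context with `ctx.load_verify_locations(cafile=...)` keeps verification on instead of turning it off.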
