Issue #1227
Updated by bmbouter over 8 years ago
In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs, which stops self-signed certs from being trusted. This was done through "PEP 476":https://www.python.org/dev/peps/pep-0476/. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since, I believe, fc21+ carries 2.7.10. Fedora 21 carries 2.7.8. 2.7.9+.

To reproduce, start with an empty pulp with no consumers and do the following:

1. Configure httpd to use a self-signed SSL crt

2. Verify you have Python >= 2.7.9 by showing the version `python -V`

3. Register the pulp consumer as c1 by running: `sudo pulp-consumer -u admin -p admin register --consumer-id c1` and you'll see the following output:

<pre>
Download server RSA key failed [<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>]
Consumer [c1] successfully registered
</pre>

4. Notice that the registration did complete successfully as reported also by pulp-consumer when I run: `sudo pulp-consumer status`

<pre>
This consumer is registered to the server [example.com] with the ID [c1].
</pre>

5. The consumer is registered but unusable. First ensure that goferd is running.

6. Now try to have the consumer install a package by running: `pulp-admin -u admin -p admin rpm consumer package install run -n screen --consumer-id=c1` which shows:

<pre>
Install task created with id [ 28fdb0b6-16f0-4147-9eae-b104119b06af ]
This command may be exited via ctrl+c without affecting the request.
[-] Waiting to begin...
</pre>

7. I had to restart goferd, but after doing so I saw the messages were rejected because the rsa_key wasn't properly fetched due to the SSL error.

You'll see this in the logs on the consumer:

<pre>
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) Task RMI (rejected): Rejected
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) sn : 7695fedd-fb5c-45e0-adf0-1792634d23b5
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) origin : None
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) timestamp : 2015-09-02T19:30:52Z
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) user data : {'task_id': 'c844b3f6-6b67-47db-b36d-8e1d18872cf4', 'consumer_id': 'c1'}
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) rejected
</pre>

This is especially strange because verify_ssl = False in my config file. I expect the verify_ssl = False to allow for the usage of untrusted certs like self-signed certs.

Here are the contents of my ~/.pulp/consumer.conf

<pre>
[server]
verify_ssl: False
</pre>

Also the contents of my /etc/pulp/consumer/consumer.conf

<pre>
[server]
host = <my hostname>
port = 443
verify_ssl = False
[authentication]
[client]
[filesystem]
[reboot]
[logging]
[output]
[messaging]
host = <my hostname>
port = 5672
[profile]
</pre>
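
Added example, not part of the original report and not Pulp's own code: a Python 3 sketch of how a client can carry a `verify_ssl` setting from the two config files above into the `urlopen` call, which after PEP 476 verifies certificates unless it is given an explicit context. The function names and the sample config strings are assumptions made for illustration.

```python
import configparser
import ssl
import urllib.request

# Constructed sample inputs mirroring the two files quoted in the report.
SYSTEM_CONF = """\
[server]
host = example.com
port = 443
verify_ssl = False
[messaging]
host = example.com
port = 5672
"""
USER_CONF = """\
[server]
verify_ssl: False
"""


def load_verify_ssl(*conf_texts):
    """Merge config texts (later ones override earlier) and return verify_ssl.

    configparser accepts both 'key = value' and 'key: value', the two styles
    used in the report. A missing option falls back to True (verify).
    """
    cp = configparser.ConfigParser(interpolation=None)
    for text in conf_texts:
        cp.read_string(text)
    return cp.getboolean("server", "verify_ssl", fallback=True)


def build_context(verify_ssl):
    """Return an SSLContext that reflects the configured verify_ssl flag."""
    ctx = ssl.create_default_context()  # PEP 476 default: verify chain and hostname
    if not verify_ssl:
        # check_hostname must be cleared first, or setting CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url, ctx, timeout=10):
    """Download url using the explicit context instead of the implicit default."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()
```

Any HTTPS request in the client that omits `context=` keeps the verifying default regardless of the config value, which matches the `CERTIFICATE_VERIFY_FAILED` error shown in step 3.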