[katello-devel] Katello SSL issues

Jeff Weiss jweiss at redhat.com
Tue Dec 6 21:29:57 UTC 2011


On Tue, 2011-12-06 at 17:14 +0100, Lukas Zapletal wrote:
> Hey,
> 
> as I wrote yesterday, I accepted Tomas' patch. We now have the tool and
> a few Puppet steps which generate the CA cert and the Apache http/Qpid
> certs, but they are unused right now.
> 
> I would recommend postponing work on SSL certs until the end of next
> week. Then we can re-enable them and start with tuning and testing. I
> expect some changes on the Candlepin/Pulp side, because the plan is to
> have "the big" Katello CA and have all certificates signed with it. That
> could possibly cause trouble (instead of checking one CA, clients will
> need to check the whole chain). Instead of a big bang, I would stick
> with a step-by-step approach. We can start with Pulp, as I think the
> integration should be easier, and then move on to Candlepin (that's
> gonna hurt).
> 
> By the way, there is/was an issue with our SSL generation due to a race
> condition/working directory issue in Puppet. I hope this is solved now,
> but until packages get built, please make sure you start
> katello-configure in the /root directory:
> 
> pushd /root && katello-configure && popd
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=760280
> 
> Please note there is also another bug: if you do not have the FQDN
> properly set, Puppet "guesses" it from /etc/resolv.conf, which causes
> trouble. The fix was committed moments ago:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=760265
> 
> In short - katello-configure-0.1.26-1 should be fine. Please report
> here.
> 

I've done a lot of testing with SSL already - browsers don't like
self-signed certs, and automated testing with Selenium can't get past
the warning by itself.  So I started using my own CA to sign the
candlepin certs.

With a bit of scripting to sign and copy the certs to the right places,
the Katello UI works fine.  With a bit more configuring of apache, RHSM
clients can register.

But I got totally stuck where Pulp cannot validate the client certs
coming from RHSM.  I believe the problem may be that pulp will only
check against one cert, not the whole chain (it fails if there's more
than 1 in the chain).  The katello installer sets up pulp to point at
Candlepin's cert but doesn't include my CA in the chain.  But it's more
than that, I suspect. I don't think pulp is even capable of pointing at
multiple CA files, and it doesn't seem to accept them concatenated
together the way most SSL libs do.  

Jay Dobies was helping me out with this a few weeks ago but we did not
finish getting to the root of the problem.


-- 
Jeff Weiss
Principal Quality Assurance Engineer
jweiss at redhat.com
(919)754-4178
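The failure Jeff describes (a service that checks client certificates against a single CA file, while the client certificates are issued through an intermediate that is itself signed by a site CA) can be reproduced with openssl alone. The script below is an added example written for this archive page; it is not Katello, Pulp or Candlepin code and does not touch their configuration. It builds a throw-away three-tier PKI with hypothetical names ("Big Katello CA (test)" as the root, "Candlepin CA (test)" as the intermediate, "rhsm-client (test)" as the leaf) and then runs `openssl verify` with four different trust stores: the root alone, the intermediate alone, the two concatenated into one file, and the root alone with the intermediate supplied separately (what a peer would send in the TLS handshake). Only the last two succeed. Requires `openssl` 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not Katello/Pulp/Candlepin code): reproduce the
# "one CA file vs. whole chain" problem from the thread with openssl.
# All names below are hypothetical test values, not real Katello certs.
set -eu

# build_pki DIR: write root, intermediate and client key+cert into DIR,
# plus bundle.pem, the concatenated CA file most SSL stacks accept.
build_pki() {
    dir=$1
    cat >"$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    cat >"$dir/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF
    # Root CA: self-signed (stands in for "the big Katello CA")
    openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Big Katello CA (test)" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA signed by the root (stands in for Candlepin's CA)
    openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Candlepin CA (test)" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    # Leaf: client-auth certificate issued by the intermediate (an RHSM client)
    openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=rhsm-client (test)" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 3 -days 30 -extfile "$dir/leaf.ext" -out "$dir/client.pem" 2>/dev/null
    # Concatenated trust store: intermediate first, then root
    cat "$dir/int.pem" "$dir/root.pem" >"$dir/bundle.pem"
}

# verify_with CAFILE CERT: exit 0 if openssl can build AND trust the chain
# using only the certificates in CAFILE, non-zero otherwise.
verify_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_with_untrusted CAFILE INTERMEDIATE CERT: trust anchor in CAFILE only;
# the intermediate is given out of band, as a TLS peer would send it.
verify_with_untrusted() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# report LABEL CMD...: print OK/FAIL for CMD without tripping set -e
report() {
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_pki "$work"

report "store = root only (leaf issuer missing)"          verify_with "$work/root.pem"   "$work/client.pem"
report "store = intermediate only (no trust anchor)"      verify_with "$work/int.pem"    "$work/client.pem"
report "store = intermediate+root concatenated"           verify_with "$work/bundle.pem" "$work/client.pem"
report "store = root, intermediate supplied by the peer"  verify_with_untrusted "$work/root.pem" "$work/int.pem" "$work/client.pem"
```

The first two lines of output are FAIL: a store holding only the root cannot find the leaf's issuer, and a store holding only the intermediate finds the issuer but has no trust anchor above it (`openssl verify` does not enable partial-chain trust by default). A service that can be pointed at exactly one certificate, and that does not read a concatenated file, therefore has no configuration that accepts this leaf. The last two lines are OK: either concatenate the chain into the CA file, or keep only the root as trust anchor and make sure the intermediate reaches the verifier some other way (in TLS, by the client sending it along with its certificate).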