[katello-devel] Katello SSL issues

Lukas Zapletal lzap at redhat.com
Wed Dec 7 09:35:40 UTC 2011


Jeff, those are good points.

It looks like a sprint task for the Pulp team to get it working. Now,
correct me if I am wrong, but our main idea is to have one "main"
(Katello) CA that will sign all the others.

LZ

On Tue, Dec 06, 2011 at 04:29:57PM -0500, Jeff Weiss wrote:
> On Tue, 2011-12-06 at 17:14 +0100, Lukas Zapletal wrote:
> > Hey,
> > 
> > as I wrote yesterday, I accepted Tomas' patch. We now have the tool and
> > a few Puppet steps which generate the CA cert and Apache http/Qpid certs,
> > but they are unused right now.
> > 
> > I would recommend postponing work on SSL certs until the end of next
> > week. Then we can re-enable them and start with tuning and testing. I
> > expect some changes on the Candlepin/Pulp side, because the plan is to
> > have "the big" Katello CA and have all certificates signed with it. That
> > could possibly cause troubles (instead of checking one CA, clients will
> > need to check the whole chain). Instead of a big bang, I would stick
> > with a step-by-step approach. We can start with Pulp as I think the
> > integration should be easier and then move on with Candlepin (that's
> > gonna hurt).
> > 
> > By the way there is/was an issue with our SSL generation due to a race
> > condition/working directory issue in Puppet. I hope this is solved now,
> > but until packages get built, please make sure you start
> > katello-configure in the /root directory:
> > 
> > pushd /root && katello-configure && popd
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=760280
> > 
> > Please note there is also another bug: if you do not have the FQDN
> > properly set, Puppet "guesses" it from /etc/resolv.conf, which causes
> > troubles. A fix has been committed moments ago:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=760265
> > 
> > In short - katello-configure-0.1.26-1 should be fine. Please report
> > here.
> > 
> 
> I've done a lot of testing with SSL already - browsers don't like
> self-signed certs, and automated testing with Selenium can't get past
> the warning by itself.  So I started using my own CA to sign the
> candlepin certs.
> 
> With a bit of scripting to sign and copy the certs to the right places,
> the Katello UI works fine.  With a bit more configuring of apache, RHSM
> clients can register.
> 
> But I got totally stuck where Pulp cannot validate the client certs
> coming from RHSM.  I believe the problem may be that pulp will only
> check against one cert, not the whole chain (it fails if there's more
> than 1 in the chain).  The katello installer sets up pulp to point at
> Candlepin's cert but doesn't include my CA in the chain.  But it's more
> than that, I suspect. I don't think pulp is even capable of pointing at
> multiple CA files, and it doesn't seem to accept them concatenated
> together the way most SSL libs do.  
> 
> Jay Dobies was helping me out with this a few weeks ago but we did not
> finish getting to the root of the problem.
> 
> 
> -- 
> Jeff Weiss
> Principal Quality Assurance Engineer
> jweiss at redhat.com
> (919)754-4178
> 
> _______________________________________________
> katello-devel mailing list
> katello-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/katello-devel

-- 
Later,

 Lukas Zapletal | E32E400A
 RHN Satellite Engineering
 Red Hat Czech s.r.o. Brno

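The chain problem Jeff describes (a verifier configured with a single CA file that cannot validate a client cert issued by an intermediate, and the "concatenate the CAs" convention most SSL libraries follow) can be reproduced with plain openssl. The script below is an added example written for this page, not Katello, Candlepin or Pulp code; the subject names, the work directory and the function names are made up for illustration. It builds a self-signed root, an intermediate signed by the root (standing in for "the big Katello CA" signing a Candlepin CA), and a client leaf signed by the intermediate, then verifies the leaf three ways: against the root alone (fails), against a root+intermediate bundle (succeeds), and against the root with the intermediate supplied as an untrusted chain cert (succeeds).

```shell
#!/bin/sh
# Added example (not Katello/Pulp code): two-level CA chain with openssl, showing
# why a trust store that points at a single CA cannot validate a leaf signed by
# an intermediate, and how a concatenated CA bundle fixes it.
set -e

WORK="$(mktemp -d)"            # scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# gen_chain: root CA -> intermediate CA -> client leaf, all with made-up names.
gen_chain() {
  # Extension files: CA certs get CA:TRUE, the leaf is a client-auth end entity.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

  # Root CA: CSR signed with its own key (self-signed).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Katello Root CA" \
      -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 365 \
      -extfile ca.ext -out root.pem >/dev/null 2>&1

  # Intermediate CA (stands in for a Candlepin CA signed by the Katello root).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Candlepin CA" \
      -keyout inter.key -out inter.csr >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 365 -extfile ca.ext -out inter.pem >/dev/null 2>&1

  # Client leaf (stands in for the cert an RHSM client presents to Pulp).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rhsm-client.example.com" \
      -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

  # The convention most SSL libraries accept: all trusted CAs in one PEM file.
  cat root.pem inter.pem > bundle.pem
}

# verify_with CAFILE [extra openssl verify args]
# Prints "ok" or "fail" for leaf.pem against the given trust store; always
# returns 0 so it can be used under set -e.
verify_with() {
  cafile="$1"; shift
  if openssl verify -CAfile "$cafile" "$@" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

gen_chain
printf 'root CA only:               %s\n' "$(verify_with root.pem)"                       # fail
printf 'root + intermediate bundle: %s\n' "$(verify_with bundle.pem)"                     # ok
printf 'root, -untrusted inter:     %s\n' "$(verify_with root.pem -untrusted inter.pem)"  # ok
```

The first case is the failure mode from the thread: the verifier only knows the root, the leaf's issuer is the intermediate, so chain building stops at "unable to get local issuer certificate". A server that accepts only one CA file and does not read concatenated PEMs (as Jeff suspects of Pulp) is stuck in exactly that state; one that reads the bundle validates the leaf because the intermediate is then a trusted anchor and the chain closes at the self-signed root. The `-untrusted` form is what a TLS stack does when the client sends its intermediate in the handshake: the intermediate is used for chain building but only the root is trusted.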