[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pulp-list] Pulp, SSL, and you



With the addition of consumer certificates to pulp-client, you need to
make sure your environment is set up correctly to be able to connect and
verify SSL with apache.

We now don't specify/include server-side SSL certificates in pulp.
Instead, we rely on apache's default ssl.conf configuration to provide
those. By default, apache will look to:

/etc/pki/tls/certs/localhost.crt

That is generated when apache is installed and has the CN of your
machine name. In order for the SSL verification to pass, your client
requests to the server must be made to the same hostname as the CN.

The error message you see has been updated in HEAD (but not the latest
build 0.54) to be pretty clear on what the hostname server is expecting
requests, so if you want to check you can run:

sudo openssl x509 -text -in /etc/pki/tls/certs/localhost.crt

Look for the Subject line. Mine is:

Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization,
OU=SomeOrganizationalUnit, CN=guardian/emailAddress=root guardian

Notice the CN is set to "guardian", which is the name of my machine. So
when my pulp-client connects, it has to either:

* pass --server=guardian
* configure /etc/rhui/client.conf to set the host to guardian

Also keep in mind that your /etc/hosts file may need to be edited in
order to resolve just the machine name (in most cases Fedora will do
this for you, but I've seen peoples' machines who didn't have this).
Make sure there's a mapping from 127.0.0.1 to the hostname you are going
to use:

127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4 guardian

Ping me in the chat room if you run into issues.

-- 
Jason Dobies
RHCE# 805008743336126
Freenode: jdob


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]