[Pulp-list] Pulp, SSL, and you

Jason Dobies jason.dobies at redhat.com
Mon Aug 23 20:33:41 UTC 2010


With the addition of consumer certificates to pulp-client, you need to
make sure your environment is set up correctly to be able to connect and
verify SSL with apache.

We now don't specify/include server-side SSL certificates in pulp.
Instead, we rely on apache's default ssl.conf configuration to provide
those. By default, apache will look to:

/etc/pki/tls/certs/localhost.crt

That is generated when apache is installed and has the CN of your
machine name. In order for the SSL verification to pass, your client
requests to the server must be made to the same hostname as the CN.

The error message you see has been updated in HEAD (but not the latest
build 0.54) to be pretty clear about what hostname the server is
expecting requests for, so if you want to check you can run:

sudo openssl x509 -text -in /etc/pki/tls/certs/localhost.crt

Look for the Subject line. Mine is:

Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=guardian/emailAddress=root@guardian

Notice the CN is set to "guardian", which is the name of my machine. So
when my pulp-client connects, it has to either:

* pass --server=guardian
* configure /etc/rhui/client.conf to set the host to guardian

Also keep in mind that your /etc/hosts file may need to be edited in
order to resolve just the machine name (in most cases Fedora will do
this for you, but I've seen people's machines that didn't have this).
Make sure there's a mapping from 127.0.0.1 to the hostname you are going
to use:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 guardian

Ping me in the chat room if you run into issues.

-- 
Jason Dobies
RHCE# 805008743336126
Freenode: jdob
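The two checks the post walks through (does the hostname pulp-client will use match the CN of apache's certificate, and does that hostname map to 127.0.0.1 in the hosts file) as one script. This is an added example, not code from pulp or from the post's author; the function names, the self-signed sample certificate and the sample hosts file it builds are all constructed here for illustration, using the subject from the post.

```shell
#!/bin/sh
# Added example (not pulp's own code): verify that the hostname the client
# will connect to matches the CN in apache's server certificate and that the
# hostname resolves to 127.0.0.1 via the hosts file.

# Print the CN of a PEM certificate. sep_multiline puts each RDN on its own
# line, so the CN can be picked out without parsing the comma-separated form.
cert_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
        | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p'
}

# Return 0 if hostname $2 appears on a 127.0.0.1 line of hosts file $1.
hosts_maps_loopback() {
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Full check: cert path, hostname the client will use, optional hosts file
# (defaults to /etc/hosts). Returns 0 when both conditions hold, otherwise
# reports each problem on stderr and returns 1.
check_server_name() {
    cert=$1; host=$2; hostsfile=${3:-/etc/hosts}
    cn=$(cert_cn "$cert")
    rc=0
    if [ "$cn" != "$host" ]; then
        echo "certificate CN is '$cn' but the client will connect to '$host'" >&2
        rc=1
    fi
    if ! hosts_maps_loopback "$hostsfile" "$host"; then
        echo "no 127.0.0.1 entry for '$host' in $hostsfile" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample data (hypothetical, for demonstration): a self-signed
# cert with the subject shown in the post, and a hosts line like the post's.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/localhost.key" -out "$1/localhost.crt" \
        -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=guardian/emailAddress=root@guardian" \
        >/dev/null 2>&1
}

write_sample_hosts() {
    printf '# constructed sample hosts file\n' > "$1/hosts"
    printf '127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 guardian\n' >> "$1/hosts"
}

# Real use: sh check_server_name.sh /etc/pki/tls/certs/localhost.crt guardian
if [ "$#" -ge 2 ]; then
    check_server_name "$@"
fi
```

The check mirrors the rule in the post (hostname must equal the CN). Note that modern TLS clients match the hostname against the certificate's subjectAltName rather than the CN, so on newer stacks the SAN list is what you would compare against.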