
Re: [Pulp-list] [katello-devel] Pulp Repo Auth configuration change



On Mon, Feb 20, 2012 at 09:57:55AM +0100, Lukas Zapletal wrote:
> Hey James,
> 
> in Katello, we do use GLOBAL CA CERT. Are we also affected with this
> bug? I understand it only bites when using per-repo certs.
> 
> We only set cert_location in the repo_auth.conf.

Yes, this still affects you.

The global CA cert in the repo auth configuration just refers to the single CA
that has signed all the consumer entitlement certs as opposed to having a
different CA per protected repository.  It is not necessarily the same CA that
has signed the apache SSL certificate.  Although, in your particular case, I
believe it is since Katello uses the same CA in multiple places.  However, pulp
has no way of knowing that, which is why we need this additional
ssl_ca_certificate configuration option.

> 
> LZ
> 
> On Thu, Feb 16, 2012 at 04:18:47PM -0500, James Slagle wrote:
> > I just fixed a bug which was sending down the wrong CA certificate to use to
> > verify the server during a yum operation on a pulp consumer.  The fix has not
> > yet been included in a release, but if you're running from a git checkout,
> > this could affect your setup.
> > 
> > The fix makes use of the ssl_ca_certificate configuration option in
> > /etc/pulp/pulp.conf.  This option must be set to the full path of the CA
> > certificate that signed the server's httpd SSL certificate.  If not set, it
> > will default to /etc/pki/pulp/ssl_ca.crt.  The path must be readable by the
> > apache user.
> > 
> > If you're using a self-signed certificate, then provide the path to that
> > certificate, it serves as both the server certificate and a CA certificate.
> > 
> > If you have repo auth enabled in your pulp setup, be sure to make this
> > configuration change.
> > 
> > Here's the bug with more detail:
> > https://bugzilla.redhat.com/show_bug.cgi?id=790157
> > 
> > --
> > -- James Slagle
> > --
> > 
> > _______________________________________________
> > katello-devel mailing list
> > katello-devel redhat com
> > https://www.redhat.com/mailman/listinfo/katello-devel
> 
> -- 
> Later,
> 
>  Lukas Zapletal | E32E400A
>  RHN Satellite Engineering
>  Red Hat Czech s.r.o. Brno
--
-- James Slagle
--
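
One way to check the setting described in this message, as an added example that is not part of the original post and is not Pulp code: it resolves ssl_ca_certificate (or the stated default), confirms the apache user can read the file, and confirms that this CA file alone verifies the certificate httpd serves. The SERVER_CERT argument, the accepted "key: value" / "key = value" syntax, and the availability of sudo and openssl 1.1.0+ are assumptions.

```shell
#!/bin/sh
# Added example, not Pulp code. Checks the ssl_ca_certificate setting described above.
# Usage: ./check_pulp_ca.sh SERVER_CERT [PULP_CONF]
# Assumptions: SERVER_CERT is the PEM certificate httpd serves (site-specific path),
# the option is written "ssl_ca_certificate: PATH" or "ssl_ca_certificate = PATH",
# and openssl 1.1.0+ and sudo are installed.

DEFAULT_CA=/etc/pki/pulp/ssl_ca.crt   # default named in the announcement

# Print the configured ssl_ca_certificate path, or the default when unset.
pulp_ca_path() (
    value=$(sed -n '/^[[:space:]]*ssl_ca_certificate[[:space:]]*[:=][[:space:]]*/{s///;s/[[:space:]]*$//;p;}' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${value:-$DEFAULT_CA}"
)

# Succeed only if the CA file alone verifies the server certificate.
# -no-CApath keeps the system trust directory out of the decision, since the
# question is whether this one file is enough to verify the server.
ca_signs_server_cert() (
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
)

if [ "$#" -ge 1 ]; then
    server_cert=$1
    conf=${2:-/etc/pulp/pulp.conf}
    ca=$(pulp_ca_path "$conf")
    echo "ssl_ca_certificate resolves to: $ca"
    # The path must be readable by the apache user (run this as root).
    if ! sudo -u apache test -r "$ca"; then
        echo "FAIL: $ca is not readable by the apache user" >&2
        exit 1
    fi
    if ! ca_signs_server_cert "$ca" "$server_cert"; then
        echo "FAIL: $ca does not verify $server_cert" >&2
        exit 1
    fi
    echo "OK: $ca verifies $server_cert and is readable by apache"
fi
```

For a self-signed server certificate, pass the same file as SERVER_CERT and set it as ssl_ca_certificate; the verification step then succeeds against itself.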

