[Pulp-list] [katello-devel] Pulp Repo Auth configuration change

Lukas Zapletal lzap+fed at redhat.com
Tue Feb 21 09:40:31 UTC 2012


Yes, since the same Apache that is used for Pulp is used for the Katello
proxy and Katello is accessed by RHSM, we have to use the Candlepin
certificate, which is currently self-signed.

So I guess the change for us is to set this value (ssl_ca_certificate)
to the candlepin crt.

LZ

On Mon, Feb 20, 2012 at 12:18:07PM -0500, James Slagle wrote:
> On Mon, Feb 20, 2012 at 09:57:55AM +0100, Lukas Zapletal wrote:
> > Hey James,
> > 
> > in Katello, we do use GLOBAL CA CERT. Are we also affected with this
> > bug? I understand it only bites when using per-repo certs.
> > 
> > We only set cert_location in the repo_auth.conf.
> 
> Yes, this still affects you.
> 
> The global CA cert in the repo auth configuration just refers to the single CA
> that has signed all the consumer entitlement certs as opposed to having a
> different CA per protected repository.  It is not necessarily the same CA that
> has signed the apache SSL certificate.  Although, in your particular case, I
> believe it is since Katello uses the same CA multiple places.  However, pulp
> has no way of knowing that, which is why we need this additional
> ssl_ca_certificate configuration option.
> 
> > 
> > LZ
> > 
> > On Thu, Feb 16, 2012 at 04:18:47PM -0500, James Slagle wrote:
> > > I just fixed a bug which was sending down the wrong CA certificate to use to
> > > verify the server during a yum operation on a pulp consumer.  The fix has not
> > > yet been included in a release, but if you're running from a git checkout,
> > > this could affect your setup.
> > > 
> > > The fix makes use of the ssl_ca_certificate configuration option in
> > > /etc/pulp/pulp.conf.  This option must be set to the full path of the CA
> > > certificate that signed the server's httpd SSL certificate.  If not set, it
> > > will default to /etc/pki/pulp/ssl_ca.crt.  The path must be readable by the
> > > apache user.
> > > 
> > > If you're using a self-signed certificate, then provide the path to that
> > > certificate; it serves as both the server certificate and a CA certificate.
> > > 
> > > If you have repo auth enabled in your pulp setup, be sure to make this
> > > configuration change.
> > > 
> > > Here's the bug with more detail:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=790157
> > > 
> > > --
> > > -- James Slagle
> > > --
> > > 
> > > _______________________________________________
> > > katello-devel mailing list
> > > katello-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/katello-devel
> > 
> > -- 
> > Later,
> > 
> >  Lukas Zapletal | E32E400A
> >  RHN Satellite Engineering
> >  Red Hat Czech s.r.o. Brno
> > 
> --
> -- James Slagle
> --
> 

-- 
Later,

 Lukas Zapletal | E32E400A
 RHN Satellite Engineering
 Red Hat Czech s.r.o. Brno
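
A way to check the setting discussed in this thread, as an added example that is not part of the original messages and is not Pulp or Katello code: it reads ssl_ca_certificate from a pulp.conf-style file, falls back to the default path named above, and confirms that the httpd SSL certificate verifies against that CA. The function names, the accepted "key: value" / "key = value" syntax and the use of the openssl CLI are assumptions; the httpd certificate path is site-specific and passed as an argument.

```shell
#!/bin/sh
# Added example, not Pulp or Katello code. Assumes the openssl CLI is installed.

DEFAULT_CA=/etc/pki/pulp/ssl_ca.crt   # default named in the thread

# Print the ssl_ca_certificate value from an INI-style file ("key: value" or
# "key = value", an assumption), or the default when the option is not set.
pulp_ca_path() {
    val=$(sed -n 's/^[[:space:]]*ssl_ca_certificate[[:space:]]*[:=][[:space:]]*//p' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-$DEFAULT_CA}"
}

# Succeed only if server certificate $2 verifies against CA file $1.
# A self-signed certificate verifies against itself.
ca_signs_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# $1 = pulp.conf path, $2 = httpd SSL certificate path (site-specific).
# Returns 0 if OK, 1 on CA mismatch, 2 if the CA file is unreadable.
check_pulp_ca() {
    ca=$(pulp_ca_path "$1")
    if [ ! -r "$ca" ]; then
        echo "FAIL: $ca is not readable by $(id -un)" >&2
        return 2
    fi
    if ! ca_signs_cert "$ca" "$2"; then
        echo "FAIL: $2 does not verify against $ca" >&2
        return 1
    fi
    echo "OK: $2 verifies against $ca"
}

# Run as the apache user so the readability test reflects what httpd sees.
if [ "$#" -eq 2 ]; then
    check_pulp_ca "$1" "$2"
fi
```
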



