[Pulp-list] using Pulp 1.1 with sub-CA possible?
Andreas Piesk
a.piesk at gmx.net
Mon Sep 17 10:16:16 UTC 2012
Hello list,
I spent the last day figuring out how I could use Pulp 1.1 with a sub-CA. We can't use a
self-signed CA due to corporate policy reasons.
Pulp with a self-signed CA is a piece of cake, but I couldn't get client authentication with a sub-CA
working.
Some details of my setup:
1. pulp 1.1 on rhel6 64bit
2. certificate files used
   - root-ca.crt (self-signed)
   - pulp-ca.crt (signed by root-ca), pulp-ca.key (not encrypted)
   - pulp.crt (signed by root-ca.crt), pulp.key (not encrypted)
3. configuration files (paths omitted)
/etc/pulp/pulp.conf:
[security]
cacert: pulp-ca.crt
cakey: pulp-ca.key
ssl_ca_certificate: root-ca.crt
/etc/httpd/conf.d/pulp.conf:
SSLCACertificateFile pulp-ca.crt
/etc/httpd/conf.d/ssl.conf:
SSLCertificateFile pulp.crt
SSLCertificateKeyFile pulp.key
SSLCACertificateFile pulp-ca.crt
The problem is the client authentication; basic HTTP authentication works fine.
In the client.log I get:
2012-09-15 18:03:36,458 [ERROR][MainThread] main() @ command.py:228 - error: (None, 'sslv3 alert bad certificate', None)
In /var/log/httpd/ssl_error_log:
[Sat Sep 15 21:22:17 2012] [error] [client] Certificate Verification: Error (20): unable to get local issuer certificate
[Sat Sep 15 21:22:17 2012] [error] [client] Re-negotiation handshake failed: Not accepted by client!?
Before spending more and more time on the issue, I'd like to ask if someone knows for sure whether it's
possible or not with Pulp 1.1. Any hints are welcome.
I've noticed it's not possible to specify a passphrase for the keys; is it planned to include that in
2.0?
Thanks for reading.
regards,
-ap