[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pulp-list] using Pulp 1.1 with sub-CA possible?



Hello list,

i spent the last day figuring out how a i could use pulp 1.1 with a sub-CA. We can't use a
self-signed CA due to corporate policy reasons.

Pulp with a self-signed CA is piece of cake but i couldn't get client authentication with a sub-CA
working.

some details to my setup:

1.
pulp 1.1 on rhel6 64bit

2.
certificate files used

- root-ca.crt (self-signed)
- pulp-ca.crt (signed by root-ca), pulp-ca.key (not encrypted)
- pulp.crt (signed by root-ca.crt), pulp.key (not encrypted)

3. configuration files (paths ommitted)

/etc/pulp/pulp.conf:

[security]
cacert:  pulp-ca.crt
cakey:   pulp-ca.key
ssl_ca_certificate: root-ca.crt

/etc/httpd/conf.d/pulp.conf:

SSLCACertificateFile pulp-ca.crt

/etc/httpd/conf.d/ssl.conf:

SSLCertificateFile pulp.crt
SSLCertificateKeyFile pulp.key
SSLCACertificateFile pulp-ca.crt



the problem is the client authentication, basic http authentication works fine.

in the client.log i get:

2012-09-15 18:03:36,458 [ERROR][MainThread] main() @ command.py:228 - error: (None, 'sslv3 alert bad
certificate', None)

in /var/log/httpd/ssl_error_log:

[Sat Sep 15 21:22:17 2012] [error] [client] Certificate Verification: Error (20): unable to get
local issuer certificate
[Sat Sep 15 21:22:17 2012] [error] [client] Re-negotiation handshake failed: Not accepted by client!?


Before spending more an more time on the issue i like to ask if someone know for sure if it's
possible or not with pulp 1.1. any hints are welcome.

i've noticed it's not possible to specify a passphrase to the keys, is it planned to include that in
2.0?


thanks for reading.

regards,
-ap


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]