[Pulp-list] Issues with ssl client verification using chain ca pem

David Gao dgao at redhat.com
Wed Aug 13 14:24:37 UTC 2014


FYI, here's the bz for this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1129719

----- Original Message -----
> From: "David Gao" <dgao at redhat.com>
> To: pulp-list at redhat.com
> Sent: Monday, August 11, 2014 8:22:12 PM
> Subject: [Pulp-list] Issues with ssl client verification using chain ca pem
> 
> Hi,
> 
> I'm running into an issue with the latest Pulp REST binding being unable to
> verify a certificate if the CA cert is a chain cert. It looks like the new Pulp
> is using code from the m2crypto library that does not support this feature.
> Attached are 2 small scripts that will recreate this scenario.
> 
> Note: test_m2crypto.py has pieces of code yanked from pulp bindings/server.py
> Note2: The scripts assume pulp is installed locally.
> 
> Here are the steps:
> 
> 1) ./create_rhui_ssl_certs.sh - This would output a bunch of certs; the
>    important ones are copied to the ./certs dir.
> 2) Edit line 8 of test_m2crypto.py to point to $HOME/certs/server-ca-chain.pem
> 3) Edit /etc/httpd/conf.d/ssl.conf with the following key-value pairs:
>    3.1) SSLCertificateFile $HOME/certs/test-cert.pem
>    3.2) SSLCertificateKeyFile $HOME/certs/test-key.pem
> 4) Restart httpd
> 5) python test_m2crypto.py
> 6) openssl verify -verbose -CAfile $HOME/certs/server-ca-chain.pem $HOME/certs/test-cert.pem
> 
> 
> Output should look like:
> 
> [root@rhua ~]# python test_m2crypto.py
> certificate verify failed
> [root@rhua ~]# openssl verify -verbose -CAfile /root/certs/server-ca-chain.pem /root/certs/test-cert.pem
> /root/certs/test-cert.pem: OK
> 
> 
> The version of pulp I'm using is:
> 
> [root@rhua ~]# rpm -qa | grep "pulp"
> python-isodate-0.5.0-1.pulp.el6.noarch
> python-pulp-rpm-common-2.4.0-0.30.beta.el6.noarch
> createrepo-0.9.9-21.2.pulp.el6.noarch
> pulp-admin-client-2.4.0-0.30.beta.el6.noarch
> python-kombu-3.0.15-12.pulp.el6.noarch
> pulp-puppet-plugins-2.4.0-0.30.beta.el6.noarch
> pulp-selinux-2.4.0-0.30.beta.el6.noarch
> pulp-rpm-admin-extensions-2.4.0-0.30.beta.el6.noarch
> m2crypto-0.21.1.pulp-8.el6.x86_64
> python-pulp-common-2.4.0-0.30.beta.el6.noarch
> python-pulp-puppet-common-2.4.0-0.30.beta.el6.noarch
> python-pulp-bindings-2.4.0-0.30.beta.el6.noarch
> python-pulp-client-lib-2.4.0-0.30.beta.el6.noarch
> mod_wsgi-3.4-1.pulp.el6.x86_64
> pulp-server-2.4.0-0.30.beta.el6.noarch
> pulp-rpm-plugins-2.4.0-0.30.beta.el6.noarch
> pulp-puppet-admin-extensions-2.4.0-0.30.beta.el6.noarch
> pulp-v2-cds-server-1.0.1-1.git.3.9a1a04f.el6.noarch
> 
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list
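
As an added example (not one of the scripts attached to the original message, which are not reproduced on this page), the shell functions below build a constructed root, intermediate and server certificate and repeat the `openssl verify` check from step 6. The two-level CA layout, the CN values and every file name other than `server-ca-chain.pem`, `test-cert.pem` and `test-key.pem` are assumptions.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> server chain (assumed
# layout; the original create_rhui_ssl_certs.sh is not shown on this page).

make_chain() {  # $1 = existing, writable output directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA.
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -subj "/CN=Example Root CA" -days 2 \
        -keyout "$d/root-key.pem" -out "$d/root-ca.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root and marked CA:TRUE.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int-key.pem" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root-ca.pem" \
        -CAkey "$d/root-key.pem" -CAcreateserial -extfile "$d/ca.cnf" \
        -extensions v3_ca -days 2 -out "$d/int-ca.pem" 2>/dev/null || return 1
    # Server certificate, signed by the intermediate.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" \
        -keyout "$d/test-key.pem" -out "$d/test.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/test.csr" -CA "$d/int-ca.pem" \
        -CAkey "$d/int-key.pem" -CAcreateserial -days 2 \
        -out "$d/test-cert.pem" 2>/dev/null || return 1
    # The chain CA file: every CA certificate on the path, concatenated.
    cat "$d/int-ca.pem" "$d/root-ca.pem" > "$d/server-ca-chain.pem"
}

# Succeeds only when openssl builds a full path from cert $2 to a root in $1.
verify_with() {  # $1 = CA file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Usage: d=$(mktemp -d); make_chain "$d"
#        verify_with "$d/server-ca-chain.pem" "$d/test-cert.pem" && echo OK
```

Verifying `test-cert.pem` against `int-ca.pem` or `root-ca.pem` alone fails, which gives a baseline for what any client handed `server-ca-chain.pem` has to load from that file.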



