[Pulp-list] Qpid SSL on Pulp 2.4

Brian Bouterse bbouters at redhat.com
Fri Oct 24 14:26:39 UTC 2014


Hi Jason,

I've successfully used Qpid over SSL with Pulp 2.4 with port 5671. I see that you've configured the Qpid side of the SSL connection, but is server.conf for pulp configured? Refer to the docs [0] for how to configure the Pulp side of this.

The login portions of Pulp are unrelated to the tasking system. Using pulp-admin to login is not related to the tasking or consumer communications through Qpid.

Do the Pulp services start properly? I see you are testing with SSL, but I'm not seeing what Pulp commands you are running and what errors they produce.

[0]: http://pulp-user-guide.readthedocs.org/en/latest/broker-settings.html#qpid-with-ssl

-Brian



----- Original Message -----
> From: "Jason Ashby (IMS)" <AshbyJ at imsweb.com>
> To: pulp-list at redhat.com
> Sent: Friday, October 24, 2014 9:55:00 AM
> Subject: [Pulp-list] Qpid SSL on Pulp 2.4
> 
> Hi all,
> 
> Apologies up front for the long email :). I just upgraded from Pulp 2.3 to
> 2.4 and I’m having an issue with Qpid over SSL. Is anyone using Qpid over
> SSL (port 5671) successfully in pulp 2.4? I don’t see much chatter about it,
> so I can’t find much info. I’m almost out of ideas for troubleshooting, so
> any tips here are appreciated.
> 
> I ran pulp-qpid-ssl-cfg and pointed to the same CA cert and key as I used
> with Pulp 2.3. So I have the same configuration and certs as I did with 2.3
> which worked fine (config listed further below). Anyway, I get the following
> ssl error when testing with openssl:
> 
> $ openssl s_client -connect pulp.example.com:5671
> 
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 140594689586856:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1292:SSL alert number 42
> 140594689586856:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
> 
> $ openssl s_client -connect pulp.example.com:5671 -tls1
> 
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 140594689586856:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1292:SSL alert number 42
> 140594689586856:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
> 
> $ openssl s_client -connect pulp.example.com:5671 -tls1_1 # and same result for -tls1_2
> 
> CONNECTED(00000003)
> 139803025839784:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:345:
> 
> These are the same certificates used for the pulp server on apache 443, which
> is working fine. I’m using an intermediary certificate as the CA for pulp
> and qpid. i.e. it’s a sub-CA that is signed by our company’s own root CA.
> When pulp-qpid-ssl-cfg asks for the CA cert, I’ve tried both the sub-CA cert
> by itself and also a chain that includes the root + sub-CA certs. (The chain
> is what I’m currently using since the sub-CA cert by itself gives “unable to
> find local issuer certificate” because the root CA couldn’t be found.)
> 
> ….My versions and configs…
> 
> Pulp 2.4.3 server on CentOS 6.5
> Qpidd version 0.26
> 
> # /etc/qpid/qpidd.conf
> auth=no
> require-encryption=yes
> ssl-require-client-authentication=yes
> ssl-cert-db=/etc/pki/pulp/qpid/nss
> ssl-cert-password-file=/etc/pki/pulp/qpid/nss/password
> ssl-cert-name=broker
> ssl-port=5671
> #
> 
> When connecting with pulp-admin, I get a similar sslv3 certificate error with
> “certificate verify failed” for gofer.
> 
> Perhaps this is a supported protocol issue with Qpid or NSS? I can’t see
> how to specify supported protocols in the qpidd.conf file. I’m wondering if
> NSS restricts protocols at all? I don’t know much about it.
> 
> Thanks for any help,
> 
> Jason
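The openssl probes quoted above are easier to read once each error line is tied to the side that produced it: "verify error:num=19" is s_client's own local trust check (no -CAfile given), "SSL alert number 42" is a bad_certificate alert sent by the peer, which is what a broker running with ssl-require-client-authentication=yes sends when the client presents no certificate, and "wrong version number" means the broker did not answer in the TLS version that was forced. The helper below is an added example written for this thread, not tooling from Pulp or Qpid: it classifies captured s_client output along those lines and prints a probe command that supplies the CA chain and a client certificate. The constructed samples are modelled on the output in the post, and the certificate paths passed to s_client_probe are placeholders, not Pulp's documented locations.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not Pulp's or Qpid's own tooling).
# It maps the error lines that `openssl s_client` prints to their usual
# cause and builds the full-chain, client-authenticated probe command that
# a broker with ssl-require-client-authentication=yes expects.

# Read captured s_client output from stdin and print one line of findings,
# most actionable first. An empty line means nothing suspicious was seen.
diagnose_s_client() {
    out=$(cat)
    findings=""
    if printf '%s\n' "$out" | grep -q 'wrong version number'; then
        # The broker's first record was not for the TLS version we forced,
        # so that version is most likely not offered on this port.
        findings="$findings protocol-mismatch"
    fi
    if printf '%s\n' "$out" | grep -q 'alert number 42'; then
        # Alert 42 is bad_certificate and comes from the peer. With client
        # authentication required and s_client run without -cert/-key, the
        # empty client certificate list is what the broker is rejecting.
        findings="$findings peer-rejected-client-cert"
    fi
    if printf '%s\n' "$out" | grep -q 'verify error:num=19'; then
        # num=19: our side could not build a trusted path to the broker's
        # certificate, typically because no -CAfile (root + sub-CA) was given.
        # s_client reports this and carries on; it does not abort the handshake.
        findings="$findings untrusted-server-chain"
    fi
    echo "${findings# }"
}

# Print the probe command that trusts the issuing chain and presents a client
# certificate. Arguments: host, CA chain file (root + sub-CA), client cert,
# client key. Printed rather than executed so this script runs without a broker.
s_client_probe() {
    printf 'openssl s_client -connect %s:5671 -CAfile %s -cert %s -key %s\n' \
        "$1" "$2" "$3" "$4"
}

# Constructed samples modelled on the output quoted in the thread.
SAMPLE_DEFAULT='verify error:num=19:self signed certificate in certificate chain
verify return:0
140594689586856:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1292:SSL alert number 42
140594689586856:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:'

SAMPLE_TLS11='CONNECTED(00000003)
139803025839784:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:345:'

SAMPLE_OK='depth=0 CN = pulp.example.com
Verify return code: 0 (ok)'

# Demonstration when run directly (paths below are placeholders).
printf '%s\n' "$SAMPLE_DEFAULT" | diagnose_s_client   # peer-rejected-client-cert untrusted-server-chain
printf '%s\n' "$SAMPLE_TLS11"   | diagnose_s_client   # protocol-mismatch
printf '%s\n' "$SAMPLE_OK"      | diagnose_s_client   # (empty line)
s_client_probe pulp.example.com /path/to/ca-chain.crt /path/to/client.crt /path/to/client.key
```

Run the printed probe against the broker and look for "Verify return code: 0 (ok)" with no alert; if alert 42 persists even with a client certificate, the certificate presented is not one the broker's NSS database trusts, which is a different problem from the missing -CAfile that num=19 reports.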
