[Pulp-list] My Failed PULP setup aka SSL Errors

Gavin Jones gavinj84 at gmail.com
Mon Oct 27 01:09:17 UTC 2014


Hi All,
Very new to Pulp. I am using 2.4.3-1 on Red Hat Linux 7.
I am trying to make a sync to a RHEL7 Repo.

Below I create the REPO.

# Creating the RHEL7 Repo

pulp-admin -uadmin -padmin rpm repo create --repo-id rhel-7-server \
--feed https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os \
--feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem \
--feed-key=/etc/pki/entitlement/66666666-key.pem \
--feed-cert=/etc/pki/entitlement/66666666.pem \
--display-name "rhel-7-server" --description "RHEL 7 YUM Files"

Now I try to get the sync happening and I get this error:

[root@pulp01 pulp]# pulp-admin rpm repo sync run --repo-id=rhel-7-server
+----------------------------------------------------------------------+
                Synchronizing Repository [rhel-7-server]
+----------------------------------------------------------------------+

An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.

I check the logs:

cat /root/.pulp/admin.log

2014-10-27 11:44:30,609 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/client/commands/repo/sync_publish.py", line 124, in run
    existing_sync_tasks = _get_repo_tasks(self.context, repo_id, 'sync')
  File "/usr/lib/python2.7/site-packages/pulp/client/commands/repo/sync_publish.py", line 312, in _get_repo_tasks
    return context.server.tasks_search.search(**repo_search_criteria)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/tasks.py", line 138, in search
    tasks = super(TaskSearchAPI, self).search(**kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/search.py", line 106, in search
    response = self.server.POST(self.PATH, {'criteria':kwargs})
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 99, in POST
    return self._request('POST', path, body=body, ensure_encoding=ensure_encoding)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 143, in _request
    response_code, response_body = self.server_wrapper.request(method, url, body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 333, in request
    raise exceptions.ConnectionException(None, str(err), None)
ConnectionException: (None, 'tlsv1 alert unknown ca', None)

Looks like there is an SSL Cert error: as explained at
https://pulp-rpm-user-guide.readthedocs.org/en/pulp-2.0/troubleshooting.html

tail -f /var/log/httpd/ssl_error_log

AH02039: Certificate Verification: Error (20): unable to get local issuer certificate

So my confusion is with the certificates. We use a Microsoft Root CA
internally. Below is how I would configure SSL in Apache.

vim /etc/httpd.conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/pulp01.cer        = Signed by the Internal Root CA.
SSLCertificateKeyFile /etc/pki/tls/private/pulp01.key

SSLCACertificateFile /etc/pki/tls/certs/ca.cer  = The Root CA Cert converted to a PEM (Usually never use this but testing it)

This works fine for Internal SSL Apache websites.


- For PULP

I have copied these certs to /etc/pki/pulp, given the certs 640 permissions
and changed the ownership to root.apache.

In my:

vim /etc/pulp/server.conf

[security]
cacert: /etc/pki/pulp01.cer
cakey: /etc/pki/pulp/pulp01.key
ssl_ca_certificate: /etc/pki/pulp/ca.cer


vim /etc/pulp/admin/admin.conf

verify_ssl = True

ca_path = /etc/pki/pulp/server.pem

id_cert_dir = ~/.pulp
id_cert_filename = user-cert.pem


Can someone please school me in SSL or show me where I have messed up with
the PULP SSL Setup?


Thanks for your time.
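
Added example, not part of the original post and not Pulp's own code: a shell check that reproduces the verification failure from the Apache log above (error 20, unable to get local issuer certificate) with constructed certificates, and tests whether a private key belongs to a certificate. The function names, file names and CNs are assumptions made for the demo; it assumes the OpenSSL 1.1.1 or later command line with its default openssl.cnf.

```shell
#!/bin/sh
# Added example. All file names and CNs are constructed for the demo.

# chain_error CA_FILE CERT_FILE
# Prints "ok" if CERT_FILE chains to a CA in CA_FILE, otherwise the OpenSSL
# verify error number (20 = unable to get local issuer certificate).
chain_error() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
    return 1
}

# key_matches CERT_FILE KEY_FILE
# Succeeds only if the private key's public half equals the certificate's.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# make_demo_pki DIR
# Creates two unrelated self-signed CAs (root, other) and one server
# certificate signed by "root" only.
make_demo_pki() {
    d=$1
    for ca in root other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pulp01.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "server.pem against root.pem : $(chain_error "$d/root.pem" "$d/server.pem")"
    echo "server.pem against other.pem: $(chain_error "$d/other.pem" "$d/server.pem")"
    key_matches "$d/server.pem" "$d/server.key" && echo "server.key matches server.pem"
    rm -rf "$d"
}
demo
```

On a real host, `chain_error` takes the CA file the verifying side is configured with and the certificate the other side presents during the handshake.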