[Pulp-list] Qpid SSL on Pulp 2.4

Ashby, Jason (IMS) AshbyJ at imsweb.com
Wed Oct 29 01:27:04 UTC 2014


I’m no expert here either, but this is how I understand intermediary SSL certificates, so someone correct me if this is misleading!!

Essentially, there is only one root CA for your organization.  In this case, your root CA cert is the one you’ve set up with Microsoft Active Directory Certificate Services.  You use this root CA to sign your intermediary CA.  This intermediary CA will then be used to sign any certs used for pulp.

The benefit of using an intermediary CA is so you don’t have to directly issue certificates with your root CA.  You are keeping your root CA safe and essentially “offline”, and it reduces the risk of it being compromised.  If the root CA is compromised, then all certificates it has issued have become untrustworthy.  So it adds an extra layer of security.

Related: https://support.globalsign.com/customer/portal/articles/1217450-overview---intermediate-certificates

Here are my notes:

cd /etc/pki/
sudo mkdir pulp_certs
cd pulp_certs

# create RSA key for intermediary CA
sudo openssl genrsa -out pulpca.key 2048

# create certificate signing request
# Submit a request (base 64 encoded) via Microsoft AD Certificate Services. Paste csr into box and download base 64 encoded certificate.
# CN=pulp
sudo openssl req -new -key pulpca.key -out pulpca.csr
# copy the resulting certnew.cer to /etc/pki/pulp_certs/pulpca.crt


Create SSL cert for the pulp service which is run via Apache, using our intermediary CA cert to sign it:
sudo openssl genrsa -out pulp.example.com.key 2048
# using pulp.example.com as the CN:
sudo openssl req -new -key pulp.example.com.key -out pulp.example.com.csr

sudo openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key -set_serial 01 -in pulp.example.com.csr -out pulp.example.com.crt


Save the root CA chain to the /etc/pki/pulp_certs directory, which you get from MS AD cert services:

- Download a CA certificate, certificate chain, or CRL
- click link for "To trust certificates issued from this certification authority, install this CA certificate."

Then I put the root and intermediary certs into a chain file.  The chain I used for the ssl_ca_certificate setting in /etc/pulp/server.conf, but as Randy suggested, this is not necessary if you set something in Apache…I’d have to look back.

sudo su - # go full root to cat to file
cd /etc/pki/pulp_certs
cat myrootca.crt pulpca.crt > pulpca_chain.crt

I also added them to my ca-bundle.crt and passed that to all my Linux systems so they trust my root CA.  Randy also provided great instructions on why you should use trust anchors instead,which I plan to implement/fix soon.  But for completeness:

openssl x509 -in /etc/pki/pulp_certs/myrootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt


Stick with Pulp 2.4.  Above were my notes from 2.3, so setting up your SSL certs should be no different with 2.3 vs 2.4.  Not sure what happened with my upgrade, but something got corrupted, so I just built 2.4 fresh.

Cheers,
Jason


From: Gavin Jones [mailto:gavinj84 at gmail.com]
Sent: Tuesday, October 28, 2014 6:24 PM
To: Ashby, Jason (IMS)
Cc: Brian Bouterse; Randy Barlow; pulp-list at redhat.com
Subject: Re: Qpid SSL on Pulp 2.4

Hey Jason,
                 Thanks for the info, I am still a big time newbie on understanding intermediary  SSL etc.

If I am understanding correctly, On the pulp host I would have to create my own root ca with instructions like this: https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/
sign the Pulp Root CA with my internal MS root CA cert ? Or would I just concatenate both the MS Internal Root CA and the Pulp Linux root CA into a chain as you have specified above?

Sorry I am big time newbie at this, or would it be easier to just downgrade to a safer version of PULP?

Thanks for your time.

On Wed, Oct 29, 2014 at 12:04 AM, Ashby, Jason (IMS) <AshbyJ at imsweb.com<mailto:AshbyJ at imsweb.com>> wrote:
I'm all squared away now with my certs.  I CC'ed Gavin since he was having similar issues with a similar intermediary setup. Here are some notes that may help others, and one of them seems like a bug in verify_cert, or at least a bug with my setup.


I had to create a chain cert for ssl_ca_certificate:

# /etc/pulp/server.conf
[security]
cacert: /etc/pki/pulp_certs/pulpca.crt
cakey: /etc/pki/pulp_certs/pulpca.key
ssl_ca_certificate: /etc/pki/pulp_certs/pulpca_chain.crt

The chain cert was created by concatenating my company's root CA and the intermediary CA (the pulp CA which was signed by the root CA):

cat rootca.cer pulpca.crt > pulpca_chain.crt

You can get your Microsoft-based root CA (rootca.cer above) from the certsrv application:

- Download a CA certificate, certificate chain, or CRL
- click link for "To trust certificates issued from this certification authority, install this CA certificate."


Add your root and intermediary CA's to system CA bundle (copy ca-bundle.crt out to all consumers too):

openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt


In addition, I found that certificates could not be verified against the intermediary CA alone.  I had to make the following change to verify_cert in order to get M2Crypto to use the chain (specified in server.conf ssl_ca_certificate):


# /usr/lib/python2.6/site-packages/pulp/server/managers/auth/cert/cert_generator.py
    def verify_cert(self, cert_pem):
        '''
        Ensures the given certificate can be verified against the server's CA.

        @param cert_pem: PEM encoded certificate to be verified
        @type  cert_pem: string

        @return: True if the certificate is successfully verified against the CA; False otherwise
        @rtype:  boolean
        '''

        # M2Crypto doesn't support verifying a cert against a CA, so call out to openssl
        # ca_cert = config.config.get('security', 'cacert')
        # FIX - Use CA chain in order to support the use of an intermediary CA aka sub-CA
        ca_cert = config.config.get('security', 'ssl_ca_certificate')

        cmd = 'openssl verify -CAfile %s' % ca_cert
        p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)



Hope that helps. I'll try to file a bug with more info later.  Right now I've got some catching up to do :).

-----Original Message-----
From: pulp-list-bounces at redhat.com<mailto:pulp-list-bounces at redhat.com> [mailto:pulp-list-bounces at redhat.com<mailto:pulp-list-bounces at redhat.com>] On Behalf Of Brian Bouterse
Sent: Friday, October 24, 2014 3:22 PM
To: Randy Barlow
Cc: pulp-list at redhat.com<mailto:pulp-list at redhat.com>
Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4

By using the pulp-qpid-ssl-cfg and using your own CA and key, it then used the CA to create a certificate for the broker and the client, and it also adds them to an NSS database.

Interestingly, your server.conf doesn't specify the same CA you told pulp-qpid-ssl-cfg to use. I expected cacert to be /etc/pki/pulp_certs/pulpca.crt for both the [messaging] and [tasks] section. Any changes to that file requires a restart of all the services. What does that do?

As another thing to try, could you try having the script generate its own CA and use the recommended settings it provides. You could give it a different root folder so you could have the certs side-by-side in the filesystem. This would let us troubleshoot from a known working state with SSL working just not with a cert you provide. Just a thought about how we can eliminate all other concerns besides a cert that you are providing.

-Brian


----- Original Message -----
> From: "Randy Barlow" <rbarlow at redhat.com<mailto:rbarlow at redhat.com>>
> To: "Jeff Ortel" <jortel at redhat.com<mailto:jortel at redhat.com>>, pulp-list at redhat.com<mailto:pulp-list at redhat.com>
> Sent: Friday, October 24, 2014 2:55:00 PM
> Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
>
> On 10/24/2014 02:40 PM, Ashby, Jason (IMS) wrote:
> > Those certs are the ones generated by /usr/bin/pulp-qpid-ssl-cfg.  I
> > accepted the defaults for that script, except for the CA cert and key
> > which I supplied with:
> >
> > Please specify a CA.  Generated if not specified.
> >   Enter a path: /etc/pki/pulp_certs/pulpca.crt
> >
> > Please specify the CA key
> >   Enter a path: /etc/pki/pulp_certs/pulpca.key
> >
> > Does that answer your questions?
>
> I'm not familiar with pulp-qpid-ssl-cfg myself. Jeff, do you know if
> this is correct?
>
>
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com<mailto:Pulp-list at redhat.com>
> https://www.redhat.com/mailman/listinfo/pulp-list

_______________________________________________
Pulp-list mailing list
Pulp-list at redhat.com<mailto:Pulp-list at redhat.com>
https://www.redhat.com/mailman/listinfo/pulp-list

________________________________

Information in this e-mail may be confidential. It is intended only for the addressee(s) identified above. If you are not the addressee(s), or an employee or agent of the addressee(s), please note that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this e-mail in error, please notify the sender of the error.


________________________________

Information in this e-mail may be confidential. It is intended only for the addressee(s) identified above. If you are not the addressee(s), or an employee or agent of the addressee(s), please note that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this e-mail in error, please notify the sender of the error.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20141029/14f19e9a/attachment.htm>


More information about the Pulp-list mailing list