[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pulp-list] Pulp + FreeIPA = ?



So just for test purposes I extracted the CA key from FreeIPA and installed it on the pulp server. This is what I have in /etc/pulp/server.conf:
[security]
cacert: /etc/pki/tls/certs/ca.crt  # Deprecated! See above description for details.
cakey: /etc/pki/pulp/ca.key  # Deprecated! See above description for details.

I looked into pulp sources and found how it generates client certificates:
# pulp/server/managers/auth/cert/cert_generator.py, make_cert(): the CSR is written to
# openssl's stdin and the signed certificate read back from stdout. The command is a
# formatted string run with shell=True, and stderr is merged into stdout, which is why
# openssl's own error text ends up inside pulp's exception message.
import subprocess

cmd = 'openssl x509 -req -sha1 -CA %s -CAkey %s -set_serial %s -days %d' % \
      (ca_cert, ca_key, serial, expiration)
p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
                     stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
output = p.communicate(input=req.as_pem())[0]

So I decided to test that command manually to see if it works with exported CA key and cert:
[root@nms ~]# sudo -u apache openssl x509 -req -sha1 -CA /etc/pki/tls/certs/ca.crt -CAkey /etc/pki/pulp/ca.key -set_serial 36 -days 10 < csr
Signature ok
subject=/C=US/ST=Utah/L=Lindon/O=DigiCert Inc./OU=DigiCert/CN=example.digicert.com
Getting CA Private Key
-----BEGIN CERTIFICATE-----
MIIDHTCCAgUCASQwDQYJKoZIhvcNAQEFBQAwMjEQMA4GA1UEChMHR1NLLkxPQzEe
MBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDQxNTIwMjIwMFoX
DTE2MDQyNTIwMjIwMFowdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzAN
BgNVBAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwI
RGlnaUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKa
mCmowp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOk
Zc+c1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcfl
gpiIWDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUC
ZkTZwIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjp
tYPRBPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABMA0G
CSqGSIb3DQEBBQUAA4IBAQDA3jQfQKmdKU9C+ltGmQmIGq0AL50+xllWvkcR6IpK
zSSUcLz9CBBJkSOMBQoCDgr8VVB6L4V1h+2YfCGOlkuee5hTpXs11CDrcAYAM6oT
nhkIlFPuNw04q44cievpryGV+ZU5etIQXuLYNajNbb1v5s4z6buaviaxd0gcT8OU
/ta00GAUv8TTj+6Q/gZ7CvUO0rDJE5z6PSJ+yCkjX8ZlVyX9UFy4q6K3f+AIVW7l
svTf3TwNKcSbn2DpfyKKnTvcxDeDRVK+SmZcXxcwNmXV1UclrtjnxBqzkPcchFHT
7X0EK5+5YoPSP0JMm7oCaO1JANyk4DStioaDpc5EpwnC
-----END CERTIFICATE-----
unable to write 'random state'

The last error happens (probably) because the apache user's home directory is not writable, but it's clear that the apache user can access the CA cert and key and use them together. But this is what I get when I try to log into the pulp server:
[root@nms ~]# pulp-admin -v login -u admin
Enter password: 
2016-04-16 01:23:49,780 - ERROR - Exception occurred:
        href:      /pulp/api/v2/actions/login/
        method:    POST
        status:    500
        error:     error signing cert request: Signature ok
subject=/CN=admin:admin:5571b5b4cfbac030922d8c3d
Getting CA Private Key
unable to load CA Private Key
140076687837088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
unable to write 'random state'

        traceback:
          File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
            response = wrapped_callback(request, *callback_args, **callback_kwargs)
          File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view
            return self.dispatch(request, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch
            return handler(request, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 241, in _auth_decorator
            return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 195, in _verify_auth
            value = method(self, *args, **kwargs)
          File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/root_actions.py", line 25, in post
            key, certificate = factory.cert_generation_manager().make_admin_user_cert(user)
          File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 31, in make_admin_user_cert
            return self.make_cert(self.encode_admin_user(user), expiration)
          File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 85, in make_cert
            raise Exception("error signing cert request: %s" % output)
        data:      {}
        
An internal error occurred on the Pulp server:

RequestException: POST request on /pulp/api/v2/actions/login/ failed with 500 - error signing cert request:
Signature ok
subject=/CN=admin:admin:5571b5b4cfbac030922d8c3d
Getting CA Private Key
unable to load CA Private Key
140076687837088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
unable to write 'random state'

I have PAM authentication enabled to give access to IPA users, and the user 'admin' is configured as a pulp admin. But for some reason pulp is not able to generate a certificate. I've tried restarting all pulp processes and httpd multiple times already. I tried disabling SELinux (and enabled it again since it didn't change anything). Do you have any idea why this error could occur?

Thanks!

2016-04-15 22:29 GMT+03:00 Konstantin M. Khankin <khankin konstantin gmail com>:
Hi!

I'm trying to use the FreeIPA PKI for pulp. I successfully installed all certificates/keys on the consumers and set up httpd to use the correct certificates/keys, but ran into a problem: pulp wants to have CA superpowers to sign client certificates, even though both the config file and the documentation say that this function is deprecated.

Can I somehow disable certificate signing attempts in pulp so that it is able to use the existing PKI?

Thanks!

--
Konstantin Khankin



--
Konstantin Khankin
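Added diagnostic (not pulp's code, and not part of the thread): the openssl text in the 500 response, "PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY", means OpenSSL read the file it was handed as -CAkey to the end without finding a -----BEGIN ... PRIVATE KEY----- block it could use. That happens for an empty file, for a DER or PKCS#12 export rather than PEM, for a file that holds only a certificate, or when the running process opens a different file than the one tested by hand. The script below classifies the bytes in the `cakey` file the way OpenSSL would, checks plain mode-bit readability for the apache user, and rebuilds pulp's signing command as an argv list instead of a shell=True string. It is written for Python 3; the paths are the ones from the server.conf quoted above and the user name "apache" is an assumption.

```python
"""Classify what `openssl x509 -req -CAkey <file>` would find in pulp's CA key file.

Added example, not pulp code. Paths and the 'apache' user name are assumptions.
"""
import grp
import os
import pwd
import re
import stat
import subprocess

# PEM labels PEM_read_bio accepts when asked for "ANY PRIVATE KEY".
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
                      "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(data):
    """Labels of every PEM block in `data`, in file order (empty list if none)."""
    return [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]


def diagnose_key_file(data):
    """Explain, in openssl's own terms, what -CAkey would make of these bytes."""
    if not data.strip():
        return "empty file: PEM_read_bio reports 'no start line'"
    labels = pem_labels(data)
    if not labels:
        if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: a DER key or a PKCS#12 bundle
            return ("DER/PKCS#12, not PEM: convert to PEM (openssl pkcs12 / openssl rsa -inform DER); "
                    "as-is PEM_read_bio reports 'no start line'")
        return "no PEM block at all: PEM_read_bio reports 'no start line'"
    if "ENCRYPTED PRIVATE KEY" in labels or b"Proc-Type: 4,ENCRYPTED" in data:
        return "encrypted private key: openssl would prompt for a passphrase that httpd cannot type"
    keys = [label for label in labels if label in PRIVATE_KEY_LABELS]
    if not keys:
        return ("PEM present but no private key block (found: %s): 'Expecting: ANY PRIVATE KEY'"
                % ", ".join(labels))
    return "ok: %s" % keys[0]


def diagnose_key_path(path):
    """File wrapper; a missing or unreadable file is reported instead of raising."""
    try:
        with open(path, "rb") as fh:
            return diagnose_key_file(fh.read())
    except OSError as exc:
        return "cannot open %s: %s" % (path, exc.strerror)


def readable_as(path, user="apache"):
    """Whether `user` can read `path` judging by owner/group/other mode bits only.
    Ignores POSIX ACLs, SELinux labels and the permissions of parent directories."""
    pw = pwd.getpwnam(user)
    st = os.stat(path)
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def sign_argv(ca_cert, ca_key, serial, days):
    """pulp's `openssl x509 -req` invocation as an argv list: no shell=True, so a path
    containing shell metacharacters stays a path. Uses sha256 where pulp's snippet uses -sha1."""
    return ["openssl", "x509", "-req", "-sha256", "-CA", ca_cert, "-CAkey", ca_key,
            "-set_serial", str(serial), "-days", str(days)]


def sign_csr(csr_pem, ca_cert, ca_key, serial, days):
    """Pipe a PEM CSR through openssl like pulp does, but keep stderr separate so a failure
    raises with openssl's message instead of returning it mixed into the certificate."""
    proc = subprocess.run(sign_argv(ca_cert, ca_key, serial, days), input=csr_pem,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0 or b"-----BEGIN CERTIFICATE-----" not in proc.stdout:
        raise RuntimeError("error signing cert request: %s" % proc.stderr.decode(errors="replace"))
    return proc.stdout


if __name__ == "__main__":
    ca_cert, ca_key = "/etc/pki/tls/certs/ca.crt", "/etc/pki/pulp/ca.key"  # from the server.conf above
    print("cakey:", diagnose_key_path(ca_key))
    for path in (ca_cert, ca_key):
        if os.path.exists(path):
            print(path, "readable by apache:", readable_as(path))
```

Run it as root on the pulp server; if `diagnose_key_path` reports "ok" for the file named in server.conf while the daemon still fails, the next thing to compare is which file and environment the httpd worker actually sees (for instance by adding the same check to the wsgi process), since the manual `sudo -u apache openssl` run above already shows the key works from an interactive shell.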
