Disable client certificate checking for repos

Is it possible to disable client certificate checking for repos and allow any client to access the pulp content repos without requiring the clients to provide a cert?

Basically I would like the repos to work like http but with the traffic over ssl, with no need for client authorization.

Are there some flags to set?

I tried changing the apache configs for pulp from SSLVerifyClient required/optional to all be none.

But still I am seeing “Authentication failed; no client certificate provided in request.” when I try to go to the pulp https urls without a client cert.

Is there something that also needs to be disabled in pulp itself?

If I remember correctly this is only a planned feature to move from HTTP and/or HTTPS with Client Verification to HTTPS with and without Client Verification for accessing the repositories.

Depending on what the problem is, perhaps “Simple content access” would be the feature you have to look for, which disables the need for correct subscriptions and aims to reduce complexity, but I have not found Katello documentation for it (@mcorr do you know the correct place to link to?), only some for the Satellite: Simple Content Access - Red Hat Customer Portal

Other options would only be to use subscription-manager everywhere or use HTTP.

Simple Access just disables the keeping track of subscription allocations. It does not make the content any more accessible, just allows unlimited subscription-manager registrations with katello.

The fact that katello uses https vs http to differentiate protected repos (via subscription-manager and client SSL certificates) and unprotected (no cert required) is driving our security people nuts.

All the kickstart repos in katello are used unencrypted non-http because they have not been subscribed yet so can’t access the https repos.

The only way I can move everything to https is to totally disable all client certificate checking on the https repos and then, since I am using commercial certs, kickstart CAN use https during kickstart, but Katello provides zero way to do that.

Katello/Foreman really needs to stop using https/http to determine which are protected vs unprotected repos, and use URL or something instead, so then https could be turned on for the unprotected repos as well without client cert checking.