[katello 2.1] ssl cert verify failed

I see others have issues with this topic but I don't see any answers that
fit my scenario … hopefully someone can help.

I have set up Katello with a number of repos that I sync from outside our
proxy. Most of the product repos work fine when using http as I have set up
the katello-proxy URL/user/password, with the URL set to http.

Where I am getting stuck is with external repos that require https and ssl
verify.

Is it possible (do I need) to set up a proxy for both http and https?

Can you turn off sslverify for specific repos to sync through the external
proxy? I have sslverify disabled in yum.conf but I am not sure if Katello
references this at all?

To make it slightly more complicated, if I cannot disable the sslverify
(which is not the best solution anyway), I need to add additional certs
that will be inserted by our proxy - but am not sure where to add them.
When using a standard reposync on the CLI I can add the additional proxy
certs into /etc/pki/tls/certs/ca-bundle.crt and this seems to work, but
Katello still errors even though I do this on the Katello server:

[Errno 1] _ssl.c:492: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Should I be adding certs under /etc/pki/pulp/?

As a workaround I can script a simple reposync on the Katello server,
publish it under the Katello http, then set up the Katello repo to sync to
this repo to enable me to use content views etc, but this is a real hack …

Any ideas on how to set up product repos so I can sync with both http and
https, and then either disable sslverify or add the certs that the proxy
inserts would be most welcome.

I have a somewhat similar problem. I am trying to sync an external repo with
https and it always fails with:

SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I added ssl_verify: false
to /etc/pulp/server/plugins.conf.d/yum_importer.json but that did not help.
Both curl and openssl s_client show that the remote repo certificate is ok and
the CA is trusted.

Any ideas?
Edgars

On Wednesday, 13 May 2015 13:55:26 UTC+2, Mark White wrote:

> I see others have issues with this topic but I don't see any answers that
> fit my scenario .. hopefully someone can help.
>
> I have setup Katello with a number of repos that I sync from outside our
> proxy. Most of the product repos work fine when using http as I have setup
> the katello-proxy URL/user/password, with the URL set to http.
>
> Where I am getting stuck is with external repo that require https and ssl
> verify.
>
> Is it possible (do I need) to setup a proxy for both http and https ?
>
> Can you turn off sslverify for specific repos to sync through the external
> proxy ? I have sslverify disabled in yum.conf but I am not sure if Katello
> references this at all ?
>
> To make it slightly more complicated if I cannot disable the sslverify
> (which is not the best solution anyway), I need to added additional certs
> that will be inserted by our proxy - but am not sure where to add them.
> When using a standard reposync on the CLI I can add the additional proxy
> certs into /etc/pki/tls/certs/ca-bundle.crt and this seems to work, but
> Kattelo still errors even though I do this on the Katello server:
>
> [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Should I be adding certs under /etc/pki/pulp/ ?
>
> As a work round I can script a simple reposync on the Katello server,
> publish it under the Katello http, then setup the Katello repo to sync to
> this repo to enable me to use content views etc, but this is a real hack ..
>
> Any ideas on how to setup product repos so I can sync with both http and
> https, and then either disable sslverify or add the certs that the proxy
> inserts would be most welcome.

Is your proxy running on HTTP or HTTPS? Sounds like that might be the
issue, where your proxy is running at https://<domain> and you are
telling Katello to use 'http://<domain>'? The underlying Pulp that is
installed is what inevitably handles syncing the repository and thus
communicating through the proxy.

Eric

On Fri, May 15, 2015 at 5:07 AM, Edgars M. wrote:

> I have somehow similar problem. I am trying to sync external repo with
> https and it always fails with:
>
> SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I added ssl_verify: false
> to /etc/pulp/server/plugins.conf.d/yum_importer.json but that did not help.
> Both curl and openssl s_client shows that remote repo certificate is ok
> and CA is trusted.
>
> Any ideas?
> Edgars

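The "certificate verify failed" condition discussed in this thread can be reproduced offline, as an added example that is not part of the original posts: a certificate re-signed by a proxy's CA verifies only against a bundle that contains that CA, so the check has to be run against the bundle the syncing process actually loads. The CA names (`public-ca`, `proxy-ca`), the host `repo.example.test` and the function names are constructed for the demo; which bundle Pulp reads on a given install is not established by the thread.

```shell
#!/bin/sh
# Constructed demo: "proxy-ca" stands in for the CA a TLS-inspecting proxy
# signs with. Everything lives in a temp dir; system trust is not modified.

# make_ca DIR NAME: create a self-signed CA as DIR/NAME.key and DIR/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf DIR CA HOST: issue DIR/HOST.crt for HOST, signed by DIR/CA
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.crt" 2>/dev/null
}

# chain_ok BUNDLE CERT: succeed only if CERT verifies with BUNDLE as CA file
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: print the issuer, i.e. the CA a trusting bundle must contain
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work" public-ca        # stands in for the stock CA bundle contents
make_ca "$work" proxy-ca         # stands in for the proxy's signing CA
issue_leaf "$work" proxy-ca repo.example.test

cp "$work/public-ca.crt" "$work/stock.pem"
cat "$work/public-ca.crt" "$work/proxy-ca.crt" > "$work/patched.pem"

for bundle in stock.pem patched.pem; do
    if chain_ok "$work/$bundle" "$work/repo.example.test.crt"; then
        echo "$bundle: verify OK"
    else
        echo "$bundle: certificate verify failed"
    fi
done
issuer_of "$work/repo.example.test.crt"
```

Against a live repository, the same `openssl verify -CAfile` check can be run on the certificate captured through the proxy, once per candidate bundle path; the issuer line names the CA a failing bundle is missing.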