Mod_wsgi: Client denied by server configuration

After setting up a new Katello installation everything seems to be
configured correctly but when a registered client tries to access a
repository it gets denied because of a certificate issue. I've double
checked that /etc/candlepin/certs/candlepin-ca.crt on the Katello server is
identical to /etc/rhsm/ca/candlepin-local.pem on the client. I made sure
there is a content view for the environment and the client registration shows
it in that environment. Not sure where to start digging next.

When a yum update command is issued on the client:
[root@gancvm22 ~]# yum update
Loaded plugins: security
https://gancupdate1.innotrac.com/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml:
[Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403
Forbidden"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository:
rhel-6-server-rpms. Please verify its path and try again

This is the error message from the Katello server.
==> httpd/ssl_kt_error_log <==
[Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] Request denied to
destination
[/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml]Client
certificate failed extension check for destination:
/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
[Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] mod_wsgi
(pid=29137): Client denied by server configuration:
'/var/www/pub/https/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml'.

I hotwired authentication by editing /srv/pulp/repo_auth.wsgi and having it
always return true. This allows the update process to work but I'm still
working on fixing authentication.

On Monday, June 16, 2014 12:51:37 PM UTC-4, Jacob Wyatt wrote:
> After setting up a new Katello installation everything seems to be
> configured correctly but when a registered client tries to access a
> repository it gets denied because of a certificate issue. I've double
> checked that /etc/candlepin/certs/candlepin-ca.crt on the Katello server is
> identical to /etc/rhsm/ca/candlepin-local.pem on the client. I made sure
> there is a content view for the environment and the client registration shows
> it in that environment. Not sure where to start digging next.
>
> When a yum update command is issued on the client:
> [root@gancvm22 ~]# yum update
> Loaded plugins: security
> https://gancupdate1.innotrac.com/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml:
> [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403
> Forbidden"
> Trying other mirror.
> Error: Cannot retrieve repository metadata (repomd.xml) for repository:
> rhel-6-server-rpms. Please verify its path and try again
>
> This is the error message from the Katello server.
> ==> httpd/ssl_kt_error_log <==
> [Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] Request denied
> to destination
> [/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml]Client
> certificate failed extension check for destination:
> /pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
> [Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] mod_wsgi
> (pid=29137): Client denied by server configuration:
> '/var/www/pub/https/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml'.
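
Added example, not part of the thread or of Katello/Pulp: a small triage script that groups the repo_auth denials in ssl_kt_error_log by client, repository and reason, and notes whether Apache enforced each one with a mod_wsgi "Client denied" entry. It assumes one log entry per line in the format quoted above, and that the /pulp/repos/ URL and the /var/www/pub/https/repos/ file path share the same tail, as the two quoted entries suggest; the third sample line is constructed.

```python
import re
from collections import defaultdict

# First two entries are the ones quoted in the thread, rejoined onto single
# lines; the third is a constructed, unrelated entry that must be ignored.
SAMPLE_LOG = """\
[Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] Request denied to destination [/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml]Client certificate failed extension check for destination: /pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
[Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] mod_wsgi (pid=29137): Client denied by server configuration: '/var/www/pub/https/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml'.
[Mon Jun 16 12:41:02 2014] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
                   r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
# Denial written by the repo auth script: destination in brackets, then reason.
DENIED = re.compile(r"^Request denied to destination \[(?P<dest>[^\]]+)\]\s*"
                    r"(?P<reason>.*?)(?: for destination: .*)?$")
# Apache's own entry when the WSGI access script refuses the request.
WSGI = re.compile(r"^mod_wsgi \(pid=\d+\): Client denied by server "
                  r"configuration: '(?P<path>[^']+)'")

def repo_of(path):
    """Reduce a URL or file path to the repository part (assumed shared tail)."""
    tail = path.split("/repos/", 1)[-1]
    return tail.split("/repodata/", 1)[0]

def summarize(log_text):
    """Return one row per (client, repo, reason) with a denial count."""
    denied, enforced = defaultdict(int), set()
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # wrapped or foreign line
        client, msg = entry["client"], entry["msg"]
        d, w = DENIED.match(msg), WSGI.match(msg)
        if d:
            denied[(client, repo_of(d["dest"]), d["reason"])] += 1
        elif w:
            enforced.add((client, repo_of(w["path"])))
    return [{"client": c, "repo": r, "reason": why, "count": n,
             "enforced_by_apache": (c, r) in enforced}
            for (c, r, why), n in sorted(denied.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```
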

Jacob,

I know this is a super old post but did you manage to sort it out?
I just installed Foreman in a lab and ended up in exactly the same situation.

Karlis
