Pulp certificates for server.conf

Hi there,

This morning I got a bit stuck. A dynflow task created after
'subscription-manager register' failed when it got to
Actions::Pulp::Consumer::Create. It couldn't do it because it was
conflicting with another record.

So I decided to use pulp-admin to list all consumers [1]. To my
surprise, 'pulp-admin login' didn't work with the default_username
and default_password given in /etc/pulp/server.conf

The error was the one described here:
http://projects.theforeman.org/issues/12368
https://access.redhat.com/discussions/2148561
https://access.redhat.com/solutions/1295653

Apparently the pulp CA cert and private key didn't match. I decided to
check them and in fact they didn't match.

I made a script (it just gets the moduli for the certs) - and yeah, the
Pulp private key (/etc/pulp/ca.key) appears to have been signed through
a different CA than the rest.
https://gist.github.com/dLobatog/6e6c53bca6343ae8fc37

I changed ['security'] cakey in /etc/pulp/server.conf to
/etc/pki/katello/private/katello-default-ca.key, as that one matched
/etc/pki/ca.crt

pulp-admin login succeeds at this point! At this point I decide to
remove the consumer, and put back /etc/pki/ca.key in /etc/pulp/server.conf

I resume the task, and it 500s. Guess what was the 500 about? Mismatch
between CA private key and cert. I resume it again. 409 conflict. So
that's how I got in the situation, it created the consumer but it also
500s, and the task cannot continue because there's a consumer there
already.

At that point I put back /etc/pki/katello/private/katello-default-ca.key
in /etc/pulp/server.conf, remove the consumer, and resume the task. No
500, consumer was created fine, and my server was registered.

Two questions for all Pulp experts reading:

Does this script give you one, or two md5 signatures when run on a
Katello host?
https://gist.github.com/dLobatog/6e6c53bca6343ae8fc37

How is /etc/pki/pulp/ca.key created? Shouldn't we use
/etc/pki/katello/private/katello-default-ca.key? I recreated all my certs
with --certs-update-all, tried this whole thing once again, and yeah the
certs didn't match!

Thanks for reading, if you got this far :)

--
Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato
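Added example (not code from the thread, nor from Pulp or Katello): a shell check for the mismatch Daniel describes, reading cacert and cakey from the [security] section of a Pulp server.conf and comparing moduli the way his gist does. It assumes a `cacert` setting next to `cakey`, Pulp 2's `key: value` conf syntax, an RSA CA key, and constructs its own demo CA files in a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pulp/Katello: check that the
# cacert and cakey named in the [security] section of a Pulp server.conf are a
# matching pair by comparing RSA moduli, as the poster's gist does by hand.
# Assumptions: RSA CA key; Pulp 2's "key: value" (or "key = value") syntax.

# Print the value of KEY in section SECTION of INI-style FILE; first match wins.
conf_value() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $0 ~ "^[ \t]*" key "[ \t]*[:=]" {
      sub("^[ \t]*" key "[ \t]*[:=][ \t]*", ""); print; exit
    }' "$1"
}
# MD5 of the modulus of an x509 cert or rsa key (the gist's comparison value).
# Fails, printing nothing, if the file is unreadable or has no RSA modulus, so
# two broken files never "match" by both hashing to the empty string.
modulus_md5() {
  m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) && [ -n "$m" ] &&
    printf '%s\n' "$m" | openssl md5
}
# Exit 0 when CERT and KEY share a modulus, 1 otherwise.
keypair_matches() {
  c=$(modulus_md5 x509 "$1") && k=$(modulus_md5 rsa "$2") && [ "$c" = "$k" ]
}
# Exit 0 when the cacert/cakey pair in CONF matches, 1 on a mismatch (the
# state behind the thread's 500s), 2 when either setting is absent.
check_pulp_conf() {
  cert=$(conf_value "$1" security cacert)
  key=$(conf_value "$1" security cakey)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "cacert/cakey not set in $1" >&2; return 2
  fi
  if keypair_matches "$cert" "$key"; then
    echo "OK: $key is the private key for $cert"
  else
    echo "MISMATCH: $key is not the private key for $cert" >&2; return 1
  fi
}
# Stand-alone demo on a constructed CA in a temp dir: sh check-pulp-ca.sh demo
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-ca \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
  printf '[security]\ncacert: %s\ncakey: %s\n' "$d/ca.crt" "$d/other.key" >"$d/server.conf"
  check_pulp_conf "$d/server.conf"   # reports MISMATCH, exits 1
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a real host, source the file and run `check_pulp_conf /etc/pulp/server.conf`; it reads only the two paths named there and never modifies them.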

> Hi there,
>
> This morning I got a bit stuck. A dynflow task created after
> 'subscription-manager register' failed when it got to
> Actions::Pulp::Consumer::Create. It couldn't do it because it was
> conflicting with another record.
>
> So I decided to use pulp-admin to list all consumers [1]. To my
> surprise, 'pulp-admin login' didn't work with the default_username
> and default_password given in /etc/pulp/server.conf
>

We don't support the use of 'pulp-admin login' because we don't configure
the ca cert and ca key settings for Pulp. They have been marked as
deprecated and require further certificate coupling. Username and password
can be used when pulp-admin calls need to be used (which should only be for
debugging and is generally out of band).

On Thu, Feb 25, 2016 at 7:02 AM, Daniel Lobato Garcia wrote:



You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Eric D. Helms
Red Hat Engineering
Ph.D. Student - North Carolina State University

>
> > Hi there,
> >
> > This morning I got a bit stuck. A dynflow task created after
> > 'subscription-manager register' failed when it got to
> > Actions::Pulp::Consumer::Create. It couldn't do it because it was
> > conflicting with another record.
> >
> > So I decided to use pulp-admin to list all consumers [1]. To my
> > surprise, 'pulp-admin login' didn't work with the default_username
> > and default_password given in /etc/pulp/server.conf
> >
>
> We don't support the use of 'pulp-admin login' because we don't configure
> the ca cert and ca key settings for Pulp. They have been marked as
> deprecated and require further certificate coupling. Username and password
> can be used when pulp-admin calls need to be used (which should only be for
> debugging and is generally out of band).

Sorry I wasn't clear here - I used 'pulp-admin --username --password
consumer list' first - no dice. Also Runcible returned a 500 when trying
to create a Pulp consumer.

After the key was changed as explained below - because that ca.key is
wrong - runcible worked again (and so did pulp-admin).

I'm fine with not configuring them in Katello too, but until they're
removed, I think we should modify the server.conf to either not use
them, or use the right key/cert.

On 02/25, Eric D Helms wrote:
> On Thu, Feb 25, 2016 at 7:02 AM, Daniel Lobato Garcia wrote:








