On 07/26/11 17:46, Erik Trauschke wrote:
On Tue, 2011-07-26 at 16:55 -0700, Amol Chiplunkar wrote:
On 07/25/11 10:31, Erik Trauschke wrote:
On Sat, 2011-07-23 at 11:16 -0700, Amol Chiplunkar wrote:
--8<--
Can that verification happen even through the remote proxy?
I presume yes, and the cert has to be configured at the actual IPS repository
level.
Is that right?
No, if you run the depot behind apache you'd have to do the SSL
verification in apache. Apache then proxies requests to the depot over
http.
Right.
How do I get the pkg to use the Apache cert ?
Here is what I tried:
openssl s_client -connect <myhost>:<myport>
Copy pasted the cert and made sure it matches the one on the web
server side.
Then copied it to /etc/certs/CA
Created a symlink pointing to it with the hash value
inside /etc/openssl/certs
But it still says
Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: 60 reason: SSL certificate problem, verify that
the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
URL: 'https://xvm-4150-9:8002/IPS'.
Ok, you have to make sure that you are not mixing up CA certificates
here. You're going to have two CA certificates. One, in /etc/openssl, which
can verify the server's cert (SSLCertificateFile). And another one which
can verify the certificate the client presents to the server
(SSLCACertificateFile).
So I'm not entirely sure what exactly you are doing here. Can you give
me a breakdown on which certificates you are using and where? Also, are
you using a self-signed cert as your apache server cert?
Yes.
It's a self signed cert.
The httpd.conf has
SSLCertificateFile /etc/opt/<webhome>/ssl.crt/server.crt
SSLCACertificateFile /etc/opt/<webhome>/ssl.crt/server.crt
(both the same)
On the client side, I have an exact copy of the above file:
/etc/certs/CA/Product_CA.pem
And a symlink in /etc/openssl/certs
1987cbba.0 -> ../../certs/CA/Product_CA.pem
The error also changed a bit after correcting the hash value;
it now says
Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: 51 reason: SSL: unable to obtain common name from
peer certificate
Erik
So you'd create a httpd.conf like this:
---
SSLEngine On
# Cert paths
SSLCertificateFile /path/to/apache2/certs/server.crt
SSLCertificateKeyFile /path/to/apache2/certs/server.key
# intermediate CA cert
SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
# CA certs for client verification (concatenated in one file)
SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
# CRL (optional)
SSLCARevocationFile /path/to/apache2/certs/crl.pem
<Location /private>
SSLVerifyClient require
SSLVerifyDepth 1
# example: only certs with subject [email protected] are allowed
SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
ProxyPass http://depot_server:12345 nocanon max=500
</Location>
---
Erik
Thanks
Amol
Brock
However, I would now expect
pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
to work!
But it errors out saying
Framework error: code: 35 reason: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol
Wondering if it's the right set of commands?
Is the approved-ca-cert meant to work with a reverse proxy in the first place?
Because looking at the doc, it seems the cert has to be configured with the
actual IPS repo.
please suggest
thx
- Amol
Erik
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP:
canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy:
http: found worker http://oc-4200m2-42:11000/IPS for
http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http
handler (attempt 0)
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP:
serving URL http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has
acquired connection for (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting
http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected
/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam
2 socket created to connect to oc-4200m2-42
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP:
connection complete to X.X.X.X:11000 (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start
body send
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end
body send
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has
released connection for (oc-4200m2-42)
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
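The client-side part of the thread, as an added example that is not from the list or from the pkg project: with throw-away certificates it reproduces what a hashed-symlink CA directory (the /etc/openssl/certs role) does and does not let OpenSSL verify, and checks the server name separately from the chain. Assumed values: the host name xvm-4150-9 from the thread, and all keys, certs and directories are constructed under a temp dir.

```shell
#!/bin/sh
set -eu

HOST=xvm-4150-9
WORK=$(mktemp -d)
CAPATH="$WORK/certs";   mkdir -p "$CAPATH"   # stands in for /etc/openssl/certs
WRONG="$WORK/unhashed"; mkdir -p "$WRONG"    # CA copied in without a hash name

# Constructed test material: a private CA and a server cert it signs,
# with the host name in a SAN as well as the CN.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/server.crt" 2>/dev/null

# Install a CA cert the way OpenSSL's CApath lookup expects: <subject_hash>.0
install_ca() {                 # $1 = CA cert, $2 = CApath dir
    h=$(openssl x509 -noout -hash -in "$1")
    ln -sf "$1" "$2/$h.0"
}

# Check (a): can the server cert be chained to a CA found in this CApath?
check_chain() {                # $1 = server cert, $2 = CApath dir
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Check (b): chain plus host-name match, the name check the client performs
# on top of (a) and that a CN/SAN not matching the URL host fails.
check_host() {                 # $1 = server cert, $2 = expected host, $3 = CApath
    openssl verify -CApath "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

install_ca "$WORK/ca.pem" "$CAPATH"
cp "$WORK/ca.pem" "$WRONG/Product_CA.pem"   # present on disk, not findable by hash

check_chain "$WORK/server.crt" "$CAPATH" && echo "hashed CApath: chain OK"
check_chain "$WORK/server.crt" "$WRONG"  || echo "unhashed copy: CA not found"
check_host  "$WORK/server.crt" "$HOST" "$CAPATH" && echo "name $HOST: OK"
check_host  "$WORK/server.crt" other-host "$CAPATH" || echo "name other-host: rejected"
```

The second line of output is the situation from the thread before the hash symlink was corrected: the CA file is in the directory but OpenSSL never consults it.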