On Tue, 2011-07-26 at 17:53 -0700, Amol Chiplunkar wrote:
> On 07/26/11 17:46, Erik Trauschke wrote:
> > On Tue, 2011-07-26 at 16:55 -0700, Amol Chiplunkar wrote:
> > > On 07/25/11 10:31, Erik Trauschke wrote:
> > > > On Sat, 2011-07-23 at 11:16 -0700, Amol Chiplunkar wrote:
> > > > --8<--
> > > > > Can that verification happen even through the remote proxy ?
> > > > > I presume yes, and the cert has to be configured at the actual IPS
> > > > > repository level.
> > > > > Is that right ?
> > > >
> > > > No, if you run the depot behind apache you'd have to do the SSL
> > > > verification in apache. Apache then proxies requests to the depot in
> > > > http.
> > >
> > > Right.
> > > How do I get the pkg to use the Apache cert ?
> > >
> > > Here is what I tried:
> > > openssl s_client -connect <myhost>:<myport>
> > > Copy pasted the cert and made sure it matches the one on the web
> > > server side.
> > >
> > > Then copied it to /etc/certs/CA
> > > Created a symlink pointing to it with hash value
> > > inside /etc/openssl/certs
> > >
> > > But it still says
> > > Unable to contact valid package repository
> > > Encountered the following error(s):
> > > Unable to contact any configured publishers.
> > > This is likely a network configuration problem.
> > > Framework error: code: 60 reason: SSL certificate problem, verify that
> > > the CA cert is OK. Details:
> > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > > verify failed
> > > URL: 'https://xvm-4150-9:8002/IPS'.
> >
> > Ok, you have to make sure that you are not mixing up CA certificates
> > here. You're gonna have two CA certificates. One, in /etc/openssl, which
> > can verify the server's cert (SSLCertificateFile). And another one which
> > can verify the certificate the client presents to the server
> > (SSLCACertificateFile).
> >
> > So I'm not entirely sure what exactly you are doing here. Can you give
> > me a breakdown on which certificates you are using and where? Also, are
> > you using a self-signed cert as your apache server cert?
>
> Yes.
> It's a self-signed cert.
> The httpd.conf has
>
> SSLCertificateFile /etc/opt/<webhome>/ssl.crt/server.crt
> SSLCACertificateFile /etc/opt/<webhome>/ssl.crt/server.crt
>
> ( both same )
>
> On the client side, I have an exact copy of the above file:
> /etc/certs/CA/Product_CA.pem
> And a symlink in /etc/openssl/certs
> 1987cbba.0 -> ../../certs/CA/Product_CA.pem
>
> The error also changed a bit after correcting the hash value
> it now says
>
> Unable to contact valid package repository
> Encountered the following error(s):
> Unable to contact any configured publishers.
> This is likely a network configuration problem.
> Framework error: code: 51 reason: SSL: unable to obtain common name
> from peer certificate

Well, do your certs have the CNs properly set?

Erik

> > Erik
> >
> > > > So you'd create a httpd.conf like this:
> > > > ---
> > > > SSLEngine On
> > > >
> > > > # Cert paths
> > > > SSLCertificateFile /path/to/apache2/certs/server.crt
> > > > SSLCertificateKeyFile /path/to/apache2/certs/server.key
> > > >
> > > > # intermediate CA cert
> > > > SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
> > > >
> > > > # CA certs for client verification (concatenated in one file)
> > > > SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
> > > >
> > > > # CRL (optional)
> > > > SSLCARevocationFile /path/to/apache2/certs/crl.pem
> > > >
> > > > <Location /private>
> > > > SSLVerifyClient require
> > > > SSLVerifyDepth 1
> > > > # example: only certs with subject [email protected] are allowed
> > > > SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
> > > > ProxyPass http://depot_server:12345 nocanon max=500
> > > > </Location>
> > > > ---
> > > >
> > > > Erik
> > > >
> > > > > Thanks
> > > > > Amol
> > > > >
> > > > > > Brock
> > > > > >
> > > > > > > However, I would now expect
> > > > > > > pkg set-publisher -G '*' -g https://Host:<secure http port>
> > > > > > > solaris
> > > > > > > to work !
> > > > > > > But it errors out saying
> > > > > > > Framework error: code: 35 reason: error:140770FC:SSL
> > > > > > > routines:SSL23_GET_SERVER_HELLO:unknown protocol
> > > > > > >
> > > > > > > Wondering if it's the right set of commands ?
> > > > > > > Is the approved-ca-cert meant to work with a reverse proxy in the
> > > > > > > first place ??
> > > > > > > Because looking at the doc, it seems the cert has to be
> > > > > > > configured with the actual IPS repo.
> > > > > > >
> > > > > > > please suggest
> > > > > > >
> > > > > > > thx
> > > > > > > - Amol
> > > > > > >
> > > > > > > > Erik
> > > > > > > >
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy: http: found worker http://oc-4200m2-42:11000/IPS for http://oc-4200m2-42:11000/IPSversions/0/
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http handler (attempt 0)
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP: serving URL http://oc-4200m2-42:11000/IPSversions/0/
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has acquired connection for (oc-4200m2-42)
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected /IPSversions/0/ to oc-4200m2-42:11000
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam 2 socket created to connect to oc-4200m2-42
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP: connection complete to X.X.X.X:11000 (oc-4200m2-42)
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start body send
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end body send
> > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has released connection for (oc-4200m2-42)
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > pkg-discuss mailing list
> > > > > > > > > [email protected]
> > > > > > > > > http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
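The client-side trust setup Amol describes (a PEM copy of the server certificate plus a subject-hash symlink in the OpenSSL certs directory) and Erik's CN question, turned into a runnable check. This is an added example, not code from the thread; it assumes the openssl CLI is installed, uses temporary directories in place of /etc/certs/CA and /etc/openssl/certs, and reuses the hostname xvm-4150-9 from the thread's URL as a constructed subject.

```shell
#!/bin/sh
# Added example (not from the thread). Build a throwaway self-signed server
# cert, install it the way the thread describes (PEM copy plus OpenSSL
# subject-hash symlink) and check the two things behind the thread's errors:
# does the cert chain to the CA dir (code 60), and does it carry a CN (code 51).
# Assumes the openssl CLI is on PATH; WORK and CADIR are temporary stand-ins
# for /etc/certs/CA and /etc/openssl/certs.
set -eu

WORK=$(mktemp -d)
CADIR="$WORK/certs"
mkdir -p "$CADIR"

# make_cert NAME SUBJECT: self-signed cert and key in $WORK/NAME.crt and .key
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# install_ca CERT: copy CERT into CADIR and add the <subject_hash>.0 symlink
# that an OpenSSL -CApath lookup needs in order to find it
install_ca() {
    cp "$1" "$CADIR/"
    subj_hash=$(openssl x509 -noout -subject_hash -in "$1")
    ln -sf "$(basename "$1")" "$CADIR/$subj_hash.0"
}

# cert_cn CERT: print the subject CN, or nothing if the cert has none
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_against_cadir CERT: succeed only if CERT verifies against CADIR
verify_against_cadir() {
    openssl verify -CApath "$CADIR" "$1" >/dev/null 2>&1
}

# Demo with a constructed cert; the hostname comes from the URL in the thread
make_cert server "/CN=xvm-4150-9"
echo "server CN: $(cert_cn "$WORK/server.crt")"
if verify_against_cadir "$WORK/server.crt"; then
    echo "verify before install: OK (unexpected: cert already trusted)"
else
    echo "verify before install: failed, as behind the thread's 'code: 60' error"
fi
install_ca "$WORK/server.crt"
verify_against_cadir "$WORK/server.crt" && echo "verify after install: OK"
```

The script only confirms that a CN is present and that the cert chains to the CA directory; whether the CN (or a SAN) matches the host in the publisher URL is a separate check the client performs.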
