Hi all, Apologies up front for the long email :). I just upgraded from Pulp 2.3 to 2.4 and I'm having an issue with Qpid over SSL. Is anyone using Qpid over SSL (port 5671) successfully in pulp 2.4? I don't see much chatter about it, so I can't find much info. I'm almost out of ideas for troubleshooting, so any tips here are appreciated.
I ran pulp-qpid-ssl-cfg and pointed to the same CA cert and key as I used with Pulp 2.3. So I have the same configuration and certs as I did with 2.3, which worked fine (config listed further below). Anyway, I get the following ssl error when testing with openssl:

    $ openssl s_client -connect pulp.example.com:5671
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    140594689586856:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1292:SSL alert number 42
    140594689586856:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

    $ openssl s_client -connect pulp.example.com:5671 -tls1
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    140594689586856:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1292:SSL alert number 42
    140594689586856:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

    $ openssl s_client -connect pulp.example.com:5671 -tls1_1    # and same result for -tls1_2
    CONNECTED(00000003)
    139803025839784:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:345:

These are the same certificates used for the pulp server on apache 443, which is working fine. I'm using an intermediary certificate as the CA for pulp and qpid, i.e. it's a sub-CA that is signed by our company's own root CA. When pulp-qpid-ssl-cfg asks for the CA cert, I've tried both the sub-CA cert by itself and also a chain that includes the root + sub-CA certs. (The chain is what I'm currently using, since the sub-CA cert by itself gives "unable to find local issuer certificate" because the root CA couldn't be found.)

My versions and configs:
Pulp 2.4.3 server on CentOS 6.5
Qpidd version 0.26

    # /etc/qpid/qpidd.conf
    auth=no
    require-encryption=yes
    ssl-require-client-authentication=yes
    ssl-cert-db=/etc/pki/pulp/qpid/nss
    ssl-cert-password-file=/etc/pki/pulp/qpid/nss/password
    ssl-cert-name=broker
    ssl-port=5671

When connecting with pulp-admin, I get a similar sslv3 certificate error with "certificate verify failed" for gofer. Perhaps this is a supported protocol issue with Qpid or NSS? I can't see how to specify supported protocols in the qpidd.conf file. I'm wondering if NSS restricts protocols at all? I don't know much about it.

Thanks for any help,
Jason
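As an added illustration (not part of Jason's post or of Pulp's tooling), the script below rebuilds the "sub-CA only" versus "root + sub-CA" verification difference described above with a throwaway PKI: a constructed root CA, a sub-CA it signs, and a broker certificate issued by the sub-CA. All names and files are made up for the demo and live in a temporary directory; it only needs the openssl command.

```shell
#!/bin/sh
# Added example, not from the original post: why giving a client only the
# sub-CA cert as "the CA" fails, while the root+sub-CA chain, or the root as
# anchor with the sub-CA presented as an untrusted intermediate, verifies.
# Everything here is constructed for the demo; nothing touches /etc/pki.
set -e
WORK="${TMPDIR:-/tmp}/pulp-chain-demo.$$"
mkdir -p "$WORK" && cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:pulp.example.com\n' > broker.ext
  # Root CA (self-signed), standing in for the company root.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' -keyout root.key -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem
  # Sub-CA signed by the root, standing in for the intermediary CA.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Sub CA' -keyout sub.key -out sub.csr
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out sub.pem
  # Broker (qpidd) certificate signed by the sub-CA.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=pulp.example.com' -keyout broker.key -out broker.csr
  openssl x509 -req -in broker.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 2 -extfile broker.ext -out broker.pem
  cat root.pem sub.pem > chain.pem   # the "root + sub-CA" file handed to pulp-qpid-ssl-cfg
}

# verify_broker CAFILE -> prints OK or FAIL, like a client that trusts only CAFILE.
verify_broker() {
  if openssl verify -CAfile "$1" broker.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Root is the trust anchor; the sub-CA is supplied as an untrusted intermediate,
# which is how a broker would normally send it during the handshake.
verify_broker_via_root() {
  if openssl verify -CAfile root.pem -untrusted sub.pem broker.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_pki >/dev/null 2>&1
echo "sub-CA only:                    $(verify_broker sub.pem)"     # FAIL: no self-signed anchor is reached
echo "root + sub-CA file:             $(verify_broker chain.pem)"   # OK
echo "root anchor, sub-CA untrusted:  $(verify_broker_via_root)"    # OK
```

The same three cases apply to the client side of the qpid connection: whatever CA file gofer or pulp-admin is pointed at must let the chain reach a self-signed root, either because the root is in that file or because the broker sends the sub-CA certificate itself.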
_______________________________________________ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list