I'm all squared away now with my certs. I CC'ed Gavin since he was having
similar issues with a similar intermediary setup. Here are some notes that may
help others, and one of them seems like a bug in verify_cert, or at least a bug
with my setup.
I had to create a chain cert for ssl_ca_certificate:
# /etc/pulp/server.conf
[security]
cacert: /etc/pki/pulp_certs/pulpca.crt
cakey: /etc/pki/pulp_certs/pulpca.key
ssl_ca_certificate: /etc/pki/pulp_certs/pulpca_chain.crt
The chain cert was created by concatenating my company's root CA and the
intermediary CA (the pulp CA which was signed by the root CA):
cat rootca.cer pulpca.crt > pulpca_chain.crt
You can get your Microsoft-based root CA (rootca.cer above) from the certsrv
application:
- Download a CA certificate, certificate chain, or CRL
- click link for "To trust certificates issued from this certification
authority, install this CA certificate."
Add your root and intermediary CAs to the system CA bundle (copy ca-bundle.crt out
to all consumers too):
openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
In addition, I found that certificates could not be verified against the
intermediary CA alone. I had to make the following change to verify_cert in
order to get M2Crypto to use the chain (specified in server.conf
ssl_ca_certificate):
# /usr/lib/python2.6/site-packages/pulp/server/managers/auth/cert/cert_generator.py
    def verify_cert(self, cert_pem):
        '''
        Ensures the given certificate can be verified against the server's CA.
        @param cert_pem: PEM encoded certificate to be verified
        @type cert_pem: string
        @return: True if the certificate is successfully verified against the
                 CA; False otherwise
        @rtype: boolean
        '''
        # M2Crypto doesn't support verifying a cert against a CA, so call out to openssl
        # ca_cert = config.config.get('security', 'cacert')
        # FIX - Use CA chain in order to support the use of an intermediary CA aka sub-CA
        ca_cert = config.config.get('security', 'ssl_ca_certificate')
        cmd = 'openssl verify -CAfile %s' % ca_cert
        p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
Hope that helps. I'll try to file a bug with more info later. Right now I've
got some catching up to do :).
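The behaviour described in the notes above (a consumer cert cannot be verified against the sub-CA alone, but verifies once the root and sub-CA are concatenated into one file) can be reproduced with a throwaway PKI. The script below is an added illustration for this thread, not code from the mail or from Pulp. It builds a constructed root CA, sub-CA and consumer cert under a temporary directory (`WORK`, an assumed variable), uses the same file names as the notes (`rootca.crt`, `pulpca.crt`, `pulpca_chain.crt`), and checks the verdict the way Pulp's verify_cert does, by feeding the PEM on stdin and looking for "stdin: OK" in the output, since `openssl verify` on older releases exits 0 even when verification fails.

```shell
#!/bin/sh
# Constructed demo: verifying a leaf cert against an intermediate (sub-CA)
# alone fails, verifying against root + sub-CA chain succeeds.
# Names, subjects and the temporary PKI are made up for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extensions that make a cert usable as a CA (the sub-CA must carry CA:TRUE,
# otherwise OpenSSL rejects it as an issuer).
write_ca_ext() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
}

make_demo_pki() {
  write_ca_ext
  # Root CA: self-signed
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/rootca.key" -out "$WORK/rootca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/rootca.csr" -signkey "$WORK/rootca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/rootca.crt" 2>/dev/null
  # Sub-CA ("pulp CA"): signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Pulp Sub-CA" \
    -keyout "$WORK/pulpca.key" -out "$WORK/pulpca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/pulpca.csr" -CA "$WORK/rootca.crt" -CAkey "$WORK/rootca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/pulpca.crt" 2>/dev/null
  # Consumer (leaf) cert: signed by the sub-CA, as pulp-qpid-ssl-cfg would do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-consumer" \
    -keyout "$WORK/consumer.key" -out "$WORK/consumer.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/consumer.csr" -CA "$WORK/pulpca.crt" -CAkey "$WORK/pulpca.key" \
    -CAcreateserial -days 30 -out "$WORK/consumer.crt" 2>/dev/null
  # Chain file built exactly as in the notes: root first, then the sub-CA
  cat "$WORK/rootca.crt" "$WORK/pulpca.crt" > "$WORK/pulpca_chain.crt"
}

# verify_against CAFILE CERT
# Mirrors Pulp's verify_cert: PEM goes in on stdin, and the verdict is taken
# from the text "stdin: OK" rather than the exit status, because OpenSSL
# before 1.1.0 returns 0 from `openssl verify` even on failure.
# Prints OK and returns 0, or prints FAIL (with the reason) and returns 1.
verify_against() {
  ca_file="$1"
  cert="$2"
  out=$(openssl verify -CAfile "$ca_file" < "$cert" 2>&1 || true)
  case "$out" in
    "stdin: OK"*) echo OK; return 0 ;;
    *) echo "FAIL ($out)"; return 1 ;;
  esac
}

demo() {
  make_demo_pki
  echo "PKI written to $WORK"
  echo "consumer.crt against pulpca.crt (sub-CA only):"
  verify_against "$WORK/pulpca.crt" "$WORK/consumer.crt" || true
  echo "consumer.crt against pulpca_chain.crt (root + sub-CA):"
  verify_against "$WORK/pulpca_chain.crt" "$WORK/consumer.crt"
}

# Run as `sh demo.sh run` to see both verdicts.
if [ "${1:-}" = "run" ]; then
  demo
fi
```

The first verification fails with "unable to get issuer certificate" because the sub-CA's own issuer is nowhere in the trust file, which is the same failure the notes hit when cacert pointed at the sub-CA alone; the chain file supplies the self-signed root as the trust anchor and the sub-CA as the link to the consumer cert. The exit-status caveat is why a wrapper like verify_cert should parse the output rather than rely on the return code.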
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Brian Bouterse
Sent: Friday, October 24, 2014 3:22 PM
To: Randy Barlow
Cc: [email protected]
Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
By using the pulp-qpid-ssl-cfg and using your own CA and key, it then used the
CA to create a certificate for the broker and the client, and it also adds them
to an NSS database.
Interestingly, your server.conf doesn't specify the same CA you told
pulp-qpid-ssl-cfg to use. I expected cacert to be
/etc/pki/pulp_certs/pulpca.crt for both the [messaging] and [tasks] section.
Any changes to that file require a restart of all the services. What does that
do?
As another thing to try, could you try having the script generate its own CA
and use the recommended settings it provides. You could give it a different
root folder so you could have the certs side-by-side in the filesystem. This
would let us troubleshoot from a known working state with SSL working just not
with a cert you provide. Just a thought about how we can eliminate all other
concerns besides a cert that you are providing.
-Brian
----- Original Message -----
> From: "Randy Barlow" <[email protected]>
> To: "Jeff Ortel" <[email protected]>, [email protected]
> Sent: Friday, October 24, 2014 2:55:00 PM
> Subject: Re: [Pulp-list] Qpid SSL on Pulp 2.4
>
> On 10/24/2014 02:40 PM, Ashby, Jason (IMS) wrote:
> > Those certs are the ones generated by /usr/bin/pulp-qpid-ssl-cfg. I
> > accepted the defaults for that script, except for the CA cert and key
> > which I supplied with:
> >
> > Please specify a CA. Generated if not specified.
> > Enter a path: /etc/pki/pulp_certs/pulpca.crt
> >
> > Please specify the CA key
> > Enter a path: /etc/pki/pulp_certs/pulpca.key
> >
> > Does that answer your questions?
>
> I'm not familiar with pulp-qpid-ssl-cfg myself. Jeff, do you know if
> this is correct?
>
>
> _______________________________________________
> Pulp-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pulp-list