Hi Jason and Randy,

Thanks for your assistance with this issue. Excuse the essay but I wanted to be thorough in explaining the steps I am performing. Jason, this is mostly your steps just re-worded to understand and hopefully get it right.

This example: RHEL7, Apache 2.4, Pulp 2.4, Hostname: pulp01.rap.local

*Steps:*

mkdir -pv /etc/pki/pulp_certs
cd /etc/pki/pulp_certs
openssl genrsa -out pulpca.key 2048
openssl req -new -key pulpca.key -out pulpca.csr

*# On the MS Root CA*
http://localrootca/certsrv/
Request a Certificate > advanced certificate request > Paste the pulpca.csr into the Saved Request section > Certificate Template: Web Server
Additional Attributes: Left this blank - Base64 > Download Certificate.

scp certnew.cer as user admin across to pulp01
cd /home/admin
chown -v root.root certnew.cer
cp -v /home/admin/certnew.cer /etc/pki/pulp_certs/pulpca.crt

*# Create SSL cert for the pulp service which is run via Apache, using our Intermediary CA cert to sign it:*
openssl genrsa -out pulp01.rap.local.key 2048
openssl req -new -key pulp01.rap.local.key -out pulp01.rap.local.csr
openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key -set_serial 01 -in pulp01.rap.local.csr -out pulp01.rap.local.crt

*# Grab the ROOT CA Cert:*
http://localrootca/certsrv/ > Download a CA certificate, certificate chain, or CRL > To trust certificates issued from this certification authority, install this CA certificate > certnew.csr
SCP this across to /etc/pki/pulp_certs/
mv -v /home/admin/certnew.cer /etc/pki/pulp_certs/rootca.crt
chown -v root.root /etc/pki/pulp_certs/rootca.crt
cd /etc/pki/pulp_certs
cat rootca.crt pulpca.crt > pulpca_chain.crt

As per Randy's email: to add the certs in to the ca-bundle.crt to survive the RHEL package updates to the CA bundle. man update-ca-trust as explained in QUICK HELP 1:
cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract && echo $?

*In the Apache Config:*
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/pulp_certs/pulp01.rap.local.crt
SSLCertificateKeyFile /etc/pki/pulp_certs/pulp01.rap.local.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt = This should stay the same as we just updated our CA Trust???

https://pulp01.rap.local
Now Apache is telling me the SSL is self signed and should not be trusted....
= Certificate Fail

My next question is: should I be using separate SSL Certs for Apache and PULP? As Pulp should read from Apache's SSL Certs I'd assume they would be the same? If they are separate certificates, PULP is obviously not using the SSL Certs from Apache, and separate certificates should be specified in?

/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/pulp.conf
/etc/pulp/admin/admin.conf
/etc/pulp/server.conf

Thanks for your time and look forward to understanding this better.

On Thu, Oct 30, 2014 at 12:06 AM, Randy Barlow <rbar...@redhat.com> wrote:
> If you don't mind, it's best to reply to the list in the future.
>
> On 10/28/2014 05:57 PM, Gavin Jones wrote:
> > cat /etc/pki/entitlement/6666666.pem this is different to the one from
> > the RHEL7 Customer Portal, as the one certificate listed from the
> > Customer Portal looks to be a combination of
> > /etc/pki/entitlement/6666666.pem and /etc/pki/entitlement/6666666-key.pem
> >
> > Maybe this is behind it and maybe I should be specifying only one cert
> > when I create the repo?
>
> Pulp prefers to get the cert and key separately, so I don't think it is
> important to combine them.
>
> > Option 1:
> >
> > I could get a free startssl cert, however does PULP really require a
> > Public CA Signed Cert just to use it? A signed Cert from an internal
> > root ca is not sufficient?
>
> No, you can install your own CA on the host, which would make it a
> trusted CA. See man update-ca-trust for more info on how to do that.
>
> > Option 2: This is on a local host, still made no difference :(
> >
> > vim /etc/pulp/admin/admin.conf
> > verify_ssl = False
> > systemctl restart httpd
>
> Do you have a ~/.pulp/admin.conf? If so, is verify_ssl set in there?
>
> > Option 3:
> >
> > I have been using the same certificates I generated for the httpd
> > server, should I have not been doing this? I copied the certs I
> > generated from /etc/pki/tls/certs and /etc/pki/tls/private into
> > /etc/pki/pulp gave them the ownership of root.apache and chmod 640 all
> > certs files.
>
> You shouldn't need to put apache's certs in /etc/pki/pulp. The certs in
> there are used by Pulp for authentication (the CA certs in there) and
> for repository authorization, if you are using protected repos.
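Since the thread ends with Apache presenting a certificate the browser will not trust, here is an added check (my own example, not code from the thread or from Pulp) that rebuilds the same root, intermediate and server layout with throwaway keys in a temp directory and uses openssl verify to show which trust inputs make the server cert validate: the root alone is not enough, the intermediate has to be supplied as well, and it only counts as an issuer if it carries CA:TRUE basic constraints. All names (Demo Root CA, pulp01.demo.local) are constructed placeholders; it assumes openssl 1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root CA, an
# intermediate CA and a server cert in a temp dir, then check which
# combinations of trust files let the server cert verify. All names
# (Demo Root CA, pulp01.demo.local, ...) are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA (plays the part of the MS root CA in the thread). req -x509
# gives it CA:TRUE basic constraints by default.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Demo Root CA" -keyout rootca.key -out rootca.crt 2>/dev/null

# Intermediate CA: CSR signed by the root. The extfile is what marks it
# as a CA; without CA:TRUE, verifiers reject anything it signs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout pulpca.key -out pulpca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -days 1825 -CA rootca.crt -CAkey rootca.key -set_serial 1 \
  -in pulpca.csr -extfile ca.ext -out pulpca.crt 2>/dev/null

# Server (leaf) cert signed by the intermediate, as in the thread.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pulp01.demo.local" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 825 -CA pulpca.crt -CAkey pulpca.key -set_serial 1 \
  -in server.csr -out server.crt 2>/dev/null

# Chain file in the thread's layout: root followed by intermediate.
cat rootca.crt pulpca.crt > pulpca_chain.crt

# verify_server TRUSTFILE [INTERMEDIATE]: exit 0 if server.crt chains to a
# cert in TRUSTFILE, using INTERMEDIATE (if given) as an untrusted link.
verify_server() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" server.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" server.crt >/dev/null 2>&1
  fi
}

# Demonstration: trusting the root alone is not enough; the intermediate
# must be presented too (by the server, or by being in the trust file).
verify_server rootca.crt && echo "root only: verified" || echo "root only: FAILED (expected)"
verify_server rootca.crt pulpca.crt && echo "root + intermediate: verified"
verify_server pulpca_chain.crt && echo "chain file: verified"
```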
_______________________________________________
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list