On Fri, Mar 13, 2015 at 5:47 PM, Randy Barlow <rbar...@redhat.com> wrote:
> On 03/13/2015 08:51 AM, Cristian Falcas wrote:
>> For a consumer that binds to a repo, yum will be configured with
>> ssl, but will not have any certificates defined. I don't know what
>> files should I put for sslclientcert and sslclientkey.
>
> Hello Cristian!
>
> You only need these settings configured if you are configuring the
> consumers to connect to a "protected" repository. If you do that, I
> believe Pulp should fill out those settings for you. Are you using a
> protected repository?

Pulp will set by default all repos to be protected. I'm trying to see
what needs to be done in order to use a default pulp installation. It
will define the http configuration for repos with:

  WSGIAccessScript /srv/pulp/repo_auth.wsgi
  SSLVerifyClient require

>> Also, can the "pulp-consumer rpm bind" command be used to set the
>> certificates also? Currently, with the default configuration of
>> pulp, all access is rejected.
>
> Yes, binding the consumer to the repository should configure those
> settings in the case that you have configured protection.
>
> I get the sense (not empirically) that not many of our users use
> repository protection. If you aren't doing that, perhaps there is a
> different issue happening. Can you share the specific error messages
> you are seeing?

The error is from the apache and it says something about
/srv/pulp/repo_auth.wsgi rejecting the connection.

This is the result of binding to a repo:

  cat /etc/yum.repos.d/pulp.repo
  #
  # Pulp Repositories
  # Managed by Pulp client
  #
  [pulp_beta]
  name = pulp_beta
  enabled = 1
  sslverify = 0
  gpgcheck = 0

Like you see, there are no certificates added. Also, I don't know where
are the certificates created.

> A wild guess on my part, but perhaps your consumer is simply missing
> the certificate authority that signed the httpd server's certificate,
> and is complaining about the insecure SSL connection? If that is so, I
> think I can help ☺

You lost me here :). I don't understand what you are saying.
I have ca_path set to the default value (/etc/pki/tls/certs/ca-bundle.crt)

> --
> Randy Barlow

_______________________________________________
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list
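
Added example, not part of the original message and not Pulp's own code: a small Python check over a yum .repo file for the TLS options this thread discusses (sslverify, sslclientcert, sslclientkey). The function name, the finding strings and the second stanza with placeholder paths are assumptions made for illustration; the first stanza is copied from the pulp.repo quoted above.

```python
import configparser

# Constructed sample. [pulp_beta] mirrors the pulp.repo quoted in the message;
# [example_protected] is hypothetical, with placeholder certificate paths.
SAMPLE = """\
#
# Pulp Repositories
# Managed by Pulp client
#
[pulp_beta]
name = pulp_beta
enabled = 1
sslverify = 0
gpgcheck = 0

[example_protected]
name = example_protected
enabled = 1
sslverify = 1
sslclientcert = /path/to/client-cert.pem
sslclientkey = /path/to/client-key.pem
gpgcheck = 1
"""

OFF = {"0", "false", "no"}

def audit_repo_text(text, server_requires_client_cert=True):
    """Return {repo_id: [findings]} for each enabled repo stanza in text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        opts = cp[repo]
        if opts.get("enabled", "1").strip().lower() in OFF:
            continue  # disabled repos are never contacted
        findings = []
        # Only explicit settings are reported; defaults from yum.conf are not modelled.
        if opts.get("sslverify", "").strip().lower() in OFF:
            findings.append("sslverify is off: server certificate is not validated")
        if opts.get("gpgcheck", "").strip().lower() in OFF:
            findings.append("gpgcheck is off: package signatures are not checked")
        if server_requires_client_cert:
            # Apache with "SSLVerifyClient require" rejects clients that present no certificate.
            for key in ("sslclientcert", "sslclientkey"):
                if not opts.get(key, "").strip():
                    findings.append(key + " not set")
        report[repo] = findings
    return report

if __name__ == "__main__":
    for repo, findings in audit_repo_text(SAMPLE).items():
        print(repo, "->", findings or "ok")
```
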