On 03/13/2015 12:00 PM, Cristian Falcas wrote:
>> Pulp will set by default all repos to be protected. I'm trying to
>> see what needs to be done in order to use a default pulp
>> installation.
>> It will define the http configuration for repos with: 
>> WSGIAccessScript /srv/pulp/repo_auth.wsgi SSLVerifyClient
>> require

It's true that the WSGIAccessScript handles all SSL requests, but it
by default is permissive. To enable it, you would need to edit
/etc/pulp/repo_auth.conf and set [main] --> enabled to true. Is that
set to true on your system? If so, this might be your issue. Unless,
of course, you are trying to use repository protection.

If you are trying to use repository protection, I'm afraid you will
need something like Candlepin to create the client certificates for
you. Pulp itself does not generate the consumer certificates.

> A wild guess on my part, but perhaps your consumer is simply
> missing the certificate authority that signed the httpd server's
> certificate, and is complaining about the insecure SSL connection?
> If that is so, I think I can help ☺
>> You lost me here :). I don't understand what you are saying. I
>> have ca_path set.to the default value
>> (/etc/pki/tls/certs/ca-bundle.crt)

By default, we have verify_ssl set to true (it seems that you have set
that to false, based on the pulp.repo config you provided). Since you
have this set to false, it's not the issue you were running into.
However, I'll try to explain what I meant a little more clearly:

The consumer is connecting to Pulp via SSL. When this happens, httpd
presents the consumer with its SSL certificate, and the consumer is
given a chance to challenge that certificate with a nonce, to prove
that the server has the corresponding private key. During this
exchange, the consumer will also check that the server's certificate
is signed by a certificate authority that it trusts. Since httpd uses
a self-signed certificate by default, this signature validation step
will fail out of the box. Some users will set verify_ssl to false,
which basically disables this check, but also removes a significant
piece of the protection of SSL since you are no longer verifying the
identity of the Pulp server (i.e., you could be getting a MITM).

Another solution is to sign the httpd certificate with a CA that the
consumer trusts. You can do this by using your very own CA if you
install that CA public cert on the consumer, or you can buy a signed
certificate from any of the already trusted PKI vendors.

In my case, I've gone the route of having my own certificate
authority, so I can keep verify_ssl set to True, but I also don't have
to buy a certificate. It takes a little time to learn how to do it,
but once you know the ropes it's not that difficult. Besides saving
money, another benefit is that I don't have to wait on a third party
to have a signed certificate. In cases where you need the general
public to be able to establish trust, a custom CA isn't a great
solution since they won't have it installed, but I find it works well
for protecting myself when I'm the only user of a service.

