diff --git a/app/lib/katello/http_resource.rb b/app/lib/katello/http_resource.rb index 82551f48be2..dcc9c11ec93 100644 --- a/app/lib/katello/http_resource.rb +++ b/app/lib/katello/http_resource.rb @@ -18,8 +18,8 @@ def initialize(params) include Katello::Concerns::FilterSensitiveData - class_attribute :consumer_secret, :consumer_key, :ca_cert_file, :prefix, :site, :default_headers, - :ssl_client_cert, :ssl_client_key + class_attribute :consumer_secret, :consumer_key, :prefix, :site, :default_headers, + :ssl_client_cert, :ssl_client_key, :ssl_ca_file attr_reader :json @@ -128,7 +128,7 @@ def rest_client(http_type, method, path) :authorize_path => "", :access_token_path => ""} - params[:ca_file] = self.ca_cert_file unless self.ca_cert_file.nil? + params[:ca_file] = self.ssl_ca_file unless self.ssl_ca_file.nil? # New OAuth consumer to setup signing the request consumer = OAuth::Consumer.new(self.consumer_key, self.consumer_secret, @@ -147,7 +147,7 @@ def rest_client(http_type, method, path) :open_timeout => SETTINGS[:katello][:rest_client_timeout], :timeout => SETTINGS[:katello][:rest_client_timeout] } - options[:ssl_ca_file] = self.ca_cert_file unless self.ca_cert_file.nil? + options[:ssl_ca_file] = self.ssl_ca_file unless self.ssl_ca_file.nil? options[:ssl_client_cert] = self.ssl_client_cert unless self.ssl_client_cert.nil? options[:ssl_client_key] = self.ssl_client_key unless self.ssl_client_key.nil? diff --git a/app/lib/katello/resources/candlepin.rb b/app/lib/katello/resources/candlepin.rb index beca732a2bf..f9c3b0f5bfe 100644 --- a/app/lib/katello/resources/candlepin.rb +++ b/app/lib/katello/resources/candlepin.rb @@ -11,7 +11,7 @@ class CandlepinResource < HttpResource self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}" self.consumer_secret = cfg[:oauth_secret] self.consumer_key = cfg[:oauth_key] - self.ca_cert_file = cfg[:ca_cert_file] + self.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:candlepin) class << self def process_response(response) diff --git a/app/lib/katello/resources/registry.rb b/app/lib/katello/resources/registry.rb index 92cc0a3289f..3a49a1b14df 100644 --- a/app/lib/katello/resources/registry.rb +++ b/app/lib/katello/resources/registry.rb @@ -54,7 +54,6 @@ def load_class uri = URI.parse(content_app_url) self.prefix = "/pulpcore_registry/" self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}" - self.ca_cert_file = Setting[:ssl_ca_file] pulp_primary.pulp3_ssl_configuration(self, :net_http) self diff --git a/app/models/katello/concerns/smart_proxy_extensions.rb b/app/models/katello/concerns/smart_proxy_extensions.rb index f16f2f3c259..f13bc57889c 100644 --- a/app/models/katello/concerns/smart_proxy_extensions.rb +++ b/app/models/katello/concerns/smart_proxy_extensions.rb @@ -252,6 +252,7 @@ def pulp3_configuration(config_class) end def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter) + config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp) case connection_adapter when :excon config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename @@ -260,7 +261,7 @@ def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter config.ssl_client_cert = ::Cert::Certs.ssl_client_cert config.ssl_client_key = ::Cert::Certs.ssl_client_key else - fail "Unexpected connection_adapter #{Faraday.default_adapter}! Cannot continue, this is likely a bug." + fail "Unexpected connection_adapter #{connection_adapter}! Cannot continue, this is likely a bug." end end diff --git a/app/models/katello/ping.rb b/app/models/katello/ping.rb index 3d78229167f..3eb1bac4500 100644 --- a/app/models/katello/ping.rb +++ b/app/models/katello/ping.rb @@ -252,12 +252,11 @@ def fetch_proxy(capsule_id) end def backend_status(url, backend) - ca_file = SETTINGS[:katello][backend][:ca_cert_file] + ca_file = ::Cert::Certs.backend_ca_cert_file(backend) request_id = ::Logging.mdc['request'] options = {} options[:ssl_ca_file] = ca_file unless ca_file.nil? - options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl) options[:headers] = { 'Correlation-ID' => request_id } if request_id client = RestClient::Resource.new("#{url}/status/", options) diff --git a/app/services/cert/certs.rb b/app/services/cert/certs.rb index a611f8b5aa8..4ccc60b4276 100644 --- a/app/services/cert/certs.rb +++ b/app/services/cert/certs.rb @@ -9,7 +9,7 @@ def self.ca_cert end def self.candlepin_client_ca_cert - File.read(SETTINGS[:katello][:candlepin][:ca_cert_file]) + File.read(backend_ca_cert_file(:candlepin)) end def self.ssl_client_cert @@ -28,10 +28,14 @@ def self.ssl_client_key_filename Setting[:ssl_priv_key] end + def self.backend_ca_cert_file(backend) + SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file] + end + def self.verify_ueber_cert(organization) ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert]) cert_store = OpenSSL::X509::Store.new - cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file] + cert_store.add_file backend_ca_cert_file(:candlepin) organization.regenerate_ueber_cert unless cert_store.verify ueber_cert end end diff --git a/config/katello.yaml.example b/config/katello.yaml.example index e7de21ac536..2ce31b9e1f1 100644 --- a/config/katello.yaml.example +++ b/config/katello.yaml.example @@ -17,22 +17,16 @@ :oauth_key: katello :oauth_secret: katello - # refers to the candlepin-ca.crt location that is needed - # to connect to candlepin over https.This is not necessary - # if the candlepin server is running on the same machine as katello - # but required if the server is on a different machine. - # In the different machine case the katello host needs to have a - # copy of /etc/candlepin/certs/candlepin-ca.crt copied from - # the candlepin host and the location of the copied file needs to be - # specified here.. + # Optional CA file to user to verify HTTPS connections to Candlepin. If not + # specified, Foreman's ssl_ca_file setting is used. :ca_cert_file: # :bulk_load_size: 1000 # Setup your pulp environment here :pulp: :sync_threads: 4 # refers to the apache certificate - # (typically /etc/pki/tls/certs/localhost.crt) location that is needed - # to connect to pulp over https. + # Optional CA file to user to verify HTTPS connections to Candlepin. If not + # specified, Foreman's ssl_ca_file setting is used. :ca_cert_file: :default_login: admin :sync_KBlimit: