
Update yum/dnf documentation on how .repo files can be configured to present a client cert and key #142

Open
pulpbot opened this issue Jan 4, 2022 · 1 comment


pulpbot commented Jan 4, 2022

Author: @bmbouter (bmbouter)

Redmine Issue: 6830, https://pulp.plan.io/issues/6830


The cert and key from clients now occur during TLS submission. That means these docs are out of date.

We should update the docs to show how a yum/dnf client can be configured to submit the cert and key via TLS.


pulpbot commented Jan 4, 2022

From: OnceUponALoop (OnceUponALoop)
Date: 2020-06-08T15:29:20Z


Hey all - I just watched the "Pulp certguard Tour - 2020.05.20" YouTube video; thank you for putting that together, it was useful.

I especially appreciate the dev overview of the code structure in the end. It makes it easier to jump in by saving all the "what the hell is going on here" upfront cost.

Regarding the yum configuration - I'm familiar enough with the topic that I thought I could respond to the video's request for yum x509-auth configuration details.

Yum x509

Yum can either have the x509 cert info in its main configuration or in each repo configuration.

Assuming we've already configured Pulp and have placed the required certificates in /etc/pki/entitlements/ (this is the default RHSM path, I'm not sure if there's a more standards-compliant path):

  • Global

    Define the x509 info in /etc/yum.conf and it will apply to all repos.

      [main]

      # x509 Auth Info
      sslclientcert   = /etc/pki/entitlement/<user-cert>.pem
      sslclientkey    = /etc/pki/entitlement/<user-key>.pem
      sslcacert       = /etc/pki/entitlement/<ca-cert>.pem

    To exclude a certain repo from the x509 configuration, update the repo configuration as follows:

      [pulp-repo-clear]
      name            = Unprotected Repo - Global x509 is configured
      baseurl         = http://pulp.example.com/content/rpm/pulp-repo-clear
      sslverify       = 1
      enabled         = 1
      gpgcheck        = 1
      gpgkey          = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PULP-REPO-CLEAR
      # Auth Not Needed
      sslclientcert   = _none_
      sslclientkey    = _none_
      sslcacert       = _none_

  • Per Repo

    Define the x509 info for each repo that supports certguard (if repos have different certguards) in /etc/yum.repos.d/<repo-name>.repo

    This is probably the most straightforward implementation, and should be recommended as it avoids all the corner cases as well.

      [pulp-repo-cg]
      name            = Cert Guard Protected Repo
      baseurl         = http://pulp.example.com/content/rpm/pulp-repo-cg
      sslverify       = 1
      enabled         = 1
      gpgcheck        = 1
      gpgkey          = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-MYREPO
      # x509 Auth
      sslclientcert   = /etc/pki/entitlement/<user-cert>.pem
      sslclientkey    = /etc/pki/entitlement/<user-key>.pem
      sslcacert       = /etc/pki/entitlement/<ca-cert>.pem

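As an added example (not code from the issue or from the Pulp project), the following Python resolves the effective yum/dnf client-cert settings for each repo from a global [main] plus per-repo stanzas, honouring the _none_ override used in the comment above, and flags repos whose resolved settings cannot work as intended. The sample files are constructed, and the cert-guard stanza uses an https baseurl because a client certificate is only ever sent inside the TLS handshake.

```python
import configparser
from urllib.parse import urlsplit
# Constructed sample input (not real files): a [main] as in yum.conf plus two repo stanzas.
YUM_CONF = """[main]
sslclientcert = /etc/pki/entitlement/user-cert.pem
sslclientkey  = /etc/pki/entitlement/user-key.pem
sslcacert     = /etc/pki/entitlement/ca-cert.pem
"""
REPO_FILES = ["""[pulp-repo-clear]
baseurl = http://pulp.example.com/content/rpm/pulp-repo-clear
sslclientcert = _none_
sslclientkey = _none_
sslcacert = _none_
""", """[pulp-repo-cg]
baseurl = https://pulp.example.com/content/rpm/pulp-repo-cg
sslclientcert = /etc/pki/entitlement/user-cert.pem
sslclientkey = /etc/pki/entitlement/user-key.pem
"""]
TLS_KEYS = ("sslclientcert", "sslclientkey", "sslcacert")

def effective_tls(yum_conf, repo_files):
    """Per-repo TLS client settings: a repo stanza overrides [main], and the
    value _none_ (as in the comment above) clears an inherited setting."""
    main = configparser.ConfigParser(interpolation=None)
    main.read_string(yum_conf)
    defaults = {k: main.get("main", k, fallback=None) for k in TLS_KEYS}
    result = {}
    for text in repo_files:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        for repo in cp.sections():
            eff = dict(defaults)
            for k in TLS_KEYS:
                v = cp.get(repo, k, fallback=None)
                if v is not None:  # explicit per-repo setting wins
                    eff[k] = None if v.strip() == "_none_" else v
            eff["baseurl"] = cp.get(repo, "baseurl", fallback="")
            result[repo] = eff
    return result

def findings(effective):
    """Flag repos where a configured client cert cannot do its job: it is only
    sent in the TLS handshake (so http:// never presents it) and needs its key."""
    out = []
    for repo, eff in effective.items():
        if eff["sslclientcert"] is not None and urlsplit(eff["baseurl"]).scheme != "https":
            out.append((repo, "client cert set but baseurl is not https"))
        if eff["sslclientcert"] is not None and eff["sslclientkey"] is None:
            out.append((repo, "sslclientcert set without sslclientkey"))
    return out
```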