diff --git a/app/lib/katello/resources/candlepin.rb b/app/lib/katello/resources/candlepin.rb
index 8cf753d379b..93a0f199cec 100644
--- a/app/lib/katello/resources/candlepin.rb
+++ b/app/lib/katello/resources/candlepin.rb
@@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
 self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
 self.consumer_secret = cfg[:oauth_secret]
 self.consumer_key = cfg[:oauth_key]
- self.ca_cert_file = cfg[:ca_cert_file]
+ self.ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)
 class << self
 def process_response(response)
diff --git a/app/lib/katello/resources/registry.rb b/app/lib/katello/resources/registry.rb
index 61e16d77163..ed6e9b9c107 100644
--- a/app/lib/katello/resources/registry.rb
+++ b/app/lib/katello/resources/registry.rb
@@ -31,7 +31,6 @@ def load_class
 uri = URI.parse(content_app_url)
 self.prefix = "/pulpcore_registry/"
 self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
- self.ca_cert_file = Setting[:ssl_ca_file]
 pulp_primary.pulp3_ssl_configuration(self, :net_http)
 self
diff --git a/app/models/katello/concerns/smart_proxy_extensions.rb b/app/models/katello/concerns/smart_proxy_extensions.rb
index f6f667160f6..09993f1b418 100644
--- a/app/models/katello/concerns/smart_proxy_extensions.rb
+++ b/app/models/katello/concerns/smart_proxy_extensions.rb
@@ -188,6 +188,7 @@ def pulp3_configuration(config_class)
 end
 def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter)
+ config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)
 if connection_adapter == :excon
 config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename
 config.ssl_client_key = ::Cert::Certs.ssl_client_key_filename
diff --git a/app/models/katello/ping.rb b/app/models/katello/ping.rb
index 5074e802699..53909faa70b 100644
--- a/app/models/katello/ping.rb
+++ b/app/models/katello/ping.rb
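Review bot: The new `+` line is evaluated when the class body runs (it sits beside `self.site =` and `self.consumer_key =`), so the `Setting[:ssl_ca_file]` fallback inside `backend_ca_cert_file` is read once at load time and a later change to that Foreman setting is only seen after a restart, whereas `backend_status` in this same commit reads it per call. That is probably acceptable, but an operator debugging a CA rotation will want it spelled out; I would add above the line: `# Resolved once when the class loads; a changed ssl_ca_file setting needs a restart.` Whether `HttpResource` re-reads `ca_cert_file` later is outside this hunk.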
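Review bot: The added line assigns `config.ssl_ca_file`, yet the resource classes in this commit use an attribute called `ca_cert_file`: candlepin.rb sets `self.ca_cert_file`, and registry.rb removes its `self.ca_cert_file = Setting[:ssl_ca_file]` in favour of calling this method with `:net_http`. Unless that resource class aliases `ssl_ca_file=` to `ca_cert_file=` (not visible here), the registry client is left with no CA configured after this change, and whether that fails closed or quietly falls back to the system store depends on the HTTP layer. Please confirm the attribute name on the `:net_http` config, or set it explicitly: `config.ca_cert_file = config.ssl_ca_file if config.respond_to?(:ca_cert_file=)`. The body of `pulp3_ssl_configuration` continues past the end of the hunk.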
@@ -263,12 +263,10 @@ def fetch_proxy(capsule_id)
 end
 def backend_status(url, backend)
- ca_file = SETTINGS[:katello][backend][:ca_cert_file]
+ ca_file = ::Cert::Certs.backend_ca_cert_file(backend)
 request_id = ::Logging.mdc['request']
- options = {}
 options[:ssl_ca_file] = ca_file unless ca_file.nil?
- options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)
 options[:headers] = { 'Correlation-ID' => request_id } if request_id
 client = RestClient::Resource.new("#{url}/status", options)
diff --git a/app/services/cert/certs.rb b/app/services/cert/certs.rb
index a611f8b5aa8..4ccc60b4276 100644
--- a/app/services/cert/certs.rb
+++ b/app/services/cert/certs.rb
@@ -9,7 +9,7 @@ def self.ca_cert
 end
 def self.candlepin_client_ca_cert
- File.read(SETTINGS[:katello][:candlepin][:ca_cert_file])
+ File.read(backend_ca_cert_file(:candlepin))
 end
 def self.ssl_client_cert
@@ -28,10 +28,14 @@ def self.ssl_client_key_filename
 Setting[:ssl_priv_key]
 end
+ def self.backend_ca_cert_file(backend)
+ SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]
+ end
+ def self.verify_ueber_cert(organization)
 ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
 cert_store = OpenSSL::X509::Store.new
- cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
+ cert_store.add_file backend_ca_cert_file(:candlepin)
 organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
 end
 end
diff --git a/app/services/katello/pulp/server.rb b/app/services/katello/pulp/server.rb
index 6c3fd3b2090..09dee16e51c 100644
--- a/app/services/katello/pulp/server.rb
+++ b/app/services/katello/pulp/server.rb
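Review bot: With the `verify_ssl` override gone, `ca_file` may now come from `Setting[:ssl_ca_file]`, and the `unless ca_file.nil?` guard on the following line lets a blank setting value through as `ssl_ca_file: ""`, which makes the status check fail on loading the CA instead of verifying against the default store. `options[:ssl_ca_file] = ca_file if ca_file.present?` treats unset and blank the same way. Note also that, as rendered, the `-` marker attached to `options = {}` looks like a removed blank line merged with a context line; if `options = {}` really were removed, the next line would raise NameError, so worth a glance at the actual patch. `backend_status` continues past the hunk.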
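Review bot: `backend_ca_cert_file` only falls through to `Setting[:ssl_ca_file]` when the katello.yaml value is `nil`; an empty string is truthy in Ruby, so `:ca_cert_file: ""` is returned as-is and `verify_ueber_cert`'s `cert_store.add_file` (and the Runcible and RestClient callers) receive an unusable path instead of Foreman's CA. Since the example file now documents the key as optional, treat blank like unset: `SETTINGS.dig(:katello, backend, :ca_cert_file).presence || Setting[:ssl_ca_file]`. A doc comment would help callers too: `# CA bundle used to verify TLS to +backend+ (:candlepin or :pulp): the per-backend katello.yaml override, else Foreman's ssl_ca_file setting.`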
@@ -22,12 +22,11 @@ def self.config(url, user_remote_id)
 }
 }
- if (ca_cert = SETTINGS[:katello][:pulp][:ca_cert_file])
+ if (ca_cert = ::Cert::Certs.backend_ca_cert_file(:pulp))
 runcible_params[:ca_cert_file] = ca_cert
+ runcible_params[:verify_ssl] = true
 end
- runcible_params[:verify_ssl] = SETTINGS[:katello][:pulp][:verify_ssl] if SETTINGS[:katello][:pulp].key?(:verify_ssl)
- Runcible::Instance.new(runcible_params)
 end
 end
diff --git a/config/katello.yaml.example b/config/katello.yaml.example
index c8c94ce5cef..60ab750b1ae 100644
--- a/config/katello.yaml.example
+++ b/config/katello.yaml.example
@@ -17,22 +17,16 @@
 :oauth_key: katello
 :oauth_secret: katello
- # refers to the candlepin-ca.crt location that is needed
- # to connect to candlepin over https.This is not necessary
- # if the candlepin server is running on the same machine as katello
- # but required if the server is on a different machine.
- # In the different machine case the katello host needs to have a
- # copy of /etc/candlepin/certs/candlepin-ca.crt copied from
- # the candlepin host and the location of the copied file needs to be
- # specified here..
+ # Optional CA file to user to verify HTTPS connections to Candlepin. If not
+ # specified, Foreman's ssl_ca_file setting is used.
 :ca_cert_file:
 # :bulk_load_size: 1000
 # Setup your pulp environment here
 :pulp:
 :sync_threads: 4
 # refers to the apache certificate
- # (typically /etc/pki/tls/certs/localhost.crt) location that is needed
- # to connect to pulp over https.
+ # Optional CA file to user to verify HTTPS connections to Candlepin. If not
+ # specified, Foreman's ssl_ca_file setting is used.
 :ca_cert_file:
 :default_login: admin
 :sync_KBlimit:
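Review bot: `runcible_params[:verify_ssl] = true` is set only inside the `if`, so when both the katello.yaml value and `Setting[:ssl_ca_file]` are nil this method no longer sets `verify_ssl` at all and Runcible's default decides whether the Pulp connection is verified. Verification should not hinge on whether a CA path was found; hoist it out of the branch: `ca_cert = ::Cert::Certs.backend_ca_cert_file(:pulp)` / `runcible_params[:ca_cert_file] = ca_cert if ca_cert` / `runcible_params[:verify_ssl] = true`. As rendered, the `-` before `Runcible::Instance.new(runcible_params)` is most likely a removed blank line merged with the context line, since dropping the constructor would leave `config` returning nil — worth confirming against the real patch. `self.config` starts before this hunk.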
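Review bot: The replacement comment under `:pulp:` says "HTTPS connections to Candlepin" — copied from the `:candlepin:` block — and both copies read "to user to verify" instead of "to use to verify". Since the Ruby hunks in this commit stop reading `:verify_ssl` from this file, it is also worth saying so here so an operator who had `:verify_ssl: false` understands why it no longer has an effect: `# Optional CA file to use to verify HTTPS connections to Pulp. If not` / `# specified, Foreman's ssl_ca_file setting is used. Verification is always on.`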