[opensuse-autoinstall] Installation via HTTPS client certificate
Hi list,

I'm trying an auto installation (SLES11-SP1) via HTTPS and authentication with client certificates. To achieve this I copied CA certificate and client certificate into initrd, executed c_rehash and edited /root/.curlrc within initrd to know about the certificates:

    --capath = /etc/ssl/certs/
    --cert = /etc/ssl/client/xyz

Profile is specified like https://10.1.1.1/xml/

Unfortunately yast is still not able to fetch the profile. When I do an ssh based installation ending up in the dialog where yast fails, I'm able to get the profile from a second ssh console via curl without specifying any cert parameters:

    curl https://10.1.1.1/xml/default

shows the content of the default file. A check from outside the installation environment without specifying a certificate fails with an SSL handshake error and proves that the virtual host configuration seems ok. The opposite check, where I provided certificate parameters to curl from outside, worked as well.

/var/log/YaST/y2log within the installation environment shows:

    CurlConfig.cc(parseConfig):44 Going to parse /root/.curlrc
    2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(parseConfig):106 GOT: capath
    2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(setParameter):178 Ignoring option capath
    2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(parseConfig):106 GOT: cert
    2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(setParameter):178 Ignoring option cert

which leads to the assumption that yast is not considering options from /root/.curlrc? Does anybody know how to configure yast/curl to accept parameters from .curlrc?

Another attempt could be to use aria2c within initrd, since the following line is displayed in y2log:

    aria2c not found. Falling back to curl

But will yast consider any certificate parameters for aria2c, or will I end with the same problem finally?

Thanks,
Jochen

--
To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
on Tuesday 26 July 2011 Jochen Schaefer wrote:
> which leads to the assumption that yast is not considering options from /root/.curlrc?

It's not really yast. We are using libcurl, and libcurl is not reading the file. The lines you see are just a hack to read some parameters like proxy from the curlrc by zypp (at least that's my assumption, because libcurl ignores the curlrc but proxy settings were needed).

> Does anybody know how to configure yast/curl to accept parameters from .curlrc?

I don't know a way, but if you find one, I'd be interested. The curlrc file is only for the command-line tool and is actually independent from the library.

--
ciao, Uwe Gansert
Uwe Gansert SUSE LINUX Products GmbH, HRB 16746 (AG Nürnberg)
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
Home: http://www.suse.de/~ug - Blog: http://suse.gansert.net
listening to: "Unterm Galgen" by Subway to Sally
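Added example (not part of the thread, and not zypp or YaST code): a shell check to run against /var/log/YaST/y2log that lists which .curlrc options zypp's CurlConfig picked up and which TLS-related ones it dropped, matching the log excerpt in the first message. The function names, the TLS option list and the "proxy" sample line are assumptions made for this example.

```shell
#!/bin/sh
# Summarise how zypp's CurlConfig treated each option it read from .curlrc,
# using the "GOT:" and "Ignoring option" lines it writes to y2log.

# curl long-option names that carry TLS trust or client-auth settings.
TLS_OPTS="capath cacert cert key cert-type key-type"

# curlrc_report FILE -> one line per option: "<option> <applied|ignored> [tls]"
# Assumption: an option with a GOT line and no later ignore line was applied.
curlrc_report() {
    awk -v tls="$TLS_OPTS" '
        BEGIN { n = split(tls, t, " "); for (i = 1; i <= n; i++) is_tls[t[i]] = 1 }
        /CurlConfig\.cc\(parseConfig\)/ && / GOT: / {
            if (!($NF in state)) order[++count] = $NF
            state[$NF] = "applied"
        }
        /CurlConfig\.cc\(setParameter\)/ && /Ignoring option / {
            if (!($NF in state)) order[++count] = $NF
            state[$NF] = "ignored"
        }
        END {
            for (i = 1; i <= count; i++) {
                o = order[i]
                printf "%s %s%s\n", o, state[o], ((o in is_tls) ? " tls" : "")
            }
        }' "$1"
}

# ignored_tls_opts FILE -> space-separated TLS options that were dropped.
ignored_tls_opts() {
    curlrc_report "$1" |
        awk '$2 == "ignored" && $3 == "tls" { printf "%s%s", sep, $1; sep = " " }'
}

# Constructed sample: the log lines quoted in the thread plus one made-up
# "proxy" line to show an option that is not reported as ignored.
sample_y2log() {
    cat <<'EOF'
CurlConfig.cc(parseConfig):44 Going to parse /root/.curlrc
2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(parseConfig):106 GOT: proxy
2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(parseConfig):106 GOT: capath
2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(setParameter):178 Ignoring option capath
2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(parseConfig):106 GOT: cert
2011-07-26 06:17:00 <1> 10.0.4.96(3544) [zypp++] CurlConfig.cc(setParameter):178 Ignoring option cert
EOF
}

# Stand-alone use: pass a y2log path as the first argument.
if [ -n "${1:-}" ]; then curlrc_report "$1"; fi
```

A non-empty result from ignored_tls_opts means the CA path or client certificate configured in .curlrc never reached the transfer, so the request was made without them.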
Hi Uwe,

I'm nearly giving up with my attempt to use client certificate based auth. I didn't find a solution how to tell libcurl to use a certain certificate and the appropriate capath until now.

However I got aria2c working within inst environment by using dud's for aria2 and libsqlite3 (needed by aria2). I'm wondering why yast is using aria2c for retrieving of packages from install source but not for autoyast relevant meta data like profile and rules. I see all package access via aria2c in apache ssl.log (client-cert auth disabled in this case). But /xml/default is retrieved via curl.

This log snippet from y2log shows that aria2c is executed as external program:

    ExternalProgram.cc(start_program):221 Executing 'aria2c' '--user-agent=ZYpp 6.31.4 (aria2 version 1.11.2) ' '--summary-interval=1' '--follow-metalink=mem' '--check-integrity=true' '--file-allocation=none' '--server-stat-of=/var/cache/zypp/aria2.stats' '--server-stat-if=/var/cache/zypp/aria2.stats' '--uri-selector=adaptive' '--use-head=false' '--max-tries=5' '--max-concurrent-downloads=2' '--header=X-ZYpp-AnonymousId:' '--header=X-ZYpp-DistributionFlavor:' '--header=Pragma:' '--connect-timeout=180' '--dir=/var/adm/mount/AP_0x00000001/media.1' 'http://10.0.4.221/sles11sp1_x86_64/CD1/media.1/products'

which means it reads /root/.aria2/aria2.conf where I put the certificate options in. Executing the same command as above with cert options in aria2.conf retrieved the products file like desired.

So the questions are:

- If aria2c is available, why is it not used for the whole autoyast remote network connections?
- Would it be sensible to have an enhancement request for that, or are there some drawbacks which I'm not aware of?

Thanks,
Jochen
on Wednesday 27 July 2011 Jochen Schaefer wrote:
> However I got aria2c working within inst environment by using dud's for aria2 and libsqlite3 (needed by aria2). I'm wondering why yast is using aria2c for retrieving of packages from install source but not for autoyast relevant meta data like profile and rules.

Because those are two completely independent and different parts. Developed by different people at different times in different projects. One is zypp, the other one is yast2-transfer.

BTW, zypp is not using (supporting) aria2c anymore because it's simply broken and unreliable (aria2c I mean). multicurl is the new black and is used by zypp now, but yast2-transfer is still on libcurl.

> So the questions are: If aria2c is available why is it not used for the whole autoyast remote network connections Would it be sensible to have an enhancement request for that or are there some drawbacks which I'm not aware of

I don't think that makes sense since we are on multicurl in the meantime. Maybe an evaluation of multicurl for yast2-transfer would make sense, but I don't want to put aria2c support into it.

--
ciao, Uwe Gansert
listening to: "All the Time (Urceus Exit Remix)" by Edge of Dawn
Hi Uwe,

I don't rely on aria2. What we need is the possibility to have some influence on the network transfer options, like having client-cert based https auth (I need that for a PCI project at the moment). But other requests of this kind may follow in the future.

So if multicurl does fulfill this requirement, I would like to see it for yast2-transfer as well. That would also simplify the development process if the same libraries are used for yast-transfer and package-transfer.

Thanks,
Jochen
on Wednesday 27 July 2011 Jochen Schaefer wrote:
> I don't rely on aria2. What we need is the possibility to have some influence on the network transfer options, like having client-cert based https auth (I need that for a PCI project at the moment). But other requests of this kind may follow in the future.

Sure, client certs support for HTTPS makes sense as a feature request.

> So if multicurl does fulfill this requirement I would like to see it for yast2-transfer as well.

I don't know much about multicurl yet, but if I get a feature request, I'll find the time to look into it and maybe adapt yast2-transfer. But for SLES11 SP2 it's a bit late, I think.

--
ciao, Uwe Gansert
listening to: "Zauberschloß" by In Strict Confidence