Skip to content

fix: disable SSL cert verification for Pulp self-signed certificate#4837

Closed
j0hnL wants to merge 1 commit into
dell:mainfrom
j0hnL:fix/pulp-ssl-clean
Closed

fix: disable SSL cert verification for Pulp self-signed certificate#4837
j0hnL wants to merge 1 commit into
dell:mainfrom
j0hnL:fix/pulp-ssl-clean

Conversation

@j0hnL

@j0hnL j0hnL commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

Disable SSL certificate verification for downloads from the local Pulp mirror, which uses a self-signed certificate.

Fixes #4836

Problem

Pulp generates a self-signed SSL certificate for its HTTPS content server (port 2225). Three download mechanisms fail during the Omnia pipeline because they attempt to verify this certificate against the system CA store:

  1. Python requests library in download_common.py — uses verify=PULP_SSL_CA_CERT which fails because the self-signed cert isn't a proper CA cert
  2. DNF on OIM host — generated pulp.repo file lacks sslverify=0, causing dnf makecache to fail after repo sync
  3. DNF inside image-build container — build image config templates generate repo entries without sslverify: false
  4. URL reachability checkrpm.rancher.io returns HTTP 403 to Python's default User-Agent, blocking the pre-sync validation

Changes

File Change
common/library/module_utils/local_repo/download_common.py verify=PULP_SSL_CA_CERTverify=False
common/library/modules/process_rpm_config.py Add sslverify=0 to generated pulp.repo template
common/library/module_utils/local_repo/software_utils.py Add "rancher" to URL reachability skip list
build_image_x86_64/.../base_image_template.j2 Add sslverify: false to repo entries
build_image_x86_64/.../compute_images_templates.j2 Add sslverify: false to repo entries

5 files changed, 5 insertions, 4 deletions

Safety

All affected downloads target the local Pulp mirror (192.168.x.x:2225) only. No external URL verification is changed. The existing PULP_SSL_CA_CERT approach doesn't work with self-signed certificates because Python's requests library expects the CA cert to be a proper root CA, not a self-signed server cert.

Testing

Tested on RHEL 10.0 OIM with Pulp 3.80 (HTTPS, self-signed cert):

  • local_repo.yml — all packages sync successfully
  • build_image_x86_64.yml — 11 images built successfully
  • provision.yml — manifest/tarball downloads complete

Pulp generates a self-signed SSL certificate for its HTTPS content
server. Multiple download mechanisms fail because they verify the
certificate against the system CA store.

Changes:
- download_common.py: use verify=False instead of verify=PULP_SSL_CA_CERT
  for Python requests downloads from Pulp
- process_rpm_config.py: add sslverify=0 to generated pulp.repo entries
  so dnf makecache succeeds on the OIM host
- software_utils.py: add 'rancher' to URL reachability skip list
  (rpm.rancher.io returns 403 to Python urllib User-Agent)
- base_image_template.j2, compute_images_templates.j2: add
  sslverify: false to repo entries used by image-build container

All affected downloads target the local Pulp mirror only.

Fixes: dell#4836
Signed-off-by: John Lockman <jlockman3@gmail.com>
@abhishek-sa1

abhishek-sa1 commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

@j0hnL is this issus specific to 2.1, if yes, we can merge to main. For 2.2, we need to merge changes to staging branch

@j0hnL

j0hnL commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

which branch should i use? staging or q3_main?

@abhishek-sa1

abhishek-sa1 commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

For omnia 2.2 changes, please use staging branch, q3_main changes are for upcoming release post 2.2

@j0hnL

j0hnL commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

Closing in favor of PR #4566 which includes these same SSL fixes and targets staging. When staging merges to main, all fixes will be included.

The 5 changes in this PR are covered by PR #4566:

  • download_common.py: verify=False (commit aec126f)
  • software_utils.py: rancher skip (commit 14bba2e)
  • process_rpm_config.py: sslverify=0 (commit 5f73113)
  • build image templates: sslverify: false (commit 91e2596) — staging uses renamed template files (rhel-base-config.yaml.j2, rhel-compute-config.yaml.j2)

Issue #4836 remains open for tracking.

@j0hnL j0hnL closed this Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Pulp self-signed SSL certificate causes download failures across pipeline

2 participants