YUM

From Unix Wiki

Yum SSL certificate protected repository

Intro

If a publicly reachable yum repository has to be restricted to known machines, it can be protected with client certificates (mutual TLS between yum and the web server). Two facts about a yum repository matter here:

  1. A yum repository is just a set of files (the RPM packages plus the repodata service files);
  2. A yum repository must be reachable over http or https.

The service files are created with the standard createrepo utility, which is packaged in most Linux distributions and is also available in FreeBSD.

The files can be served by any web server; the example below uses nginx.

The main idea is to issue each client its own certificate and have the web server authenticate it. If the certificate is missing or invalid, the web server returns an error instead of the files. Yum has two repository options, sslclientcert and sslclientkey, that tell it which client certificate and key to present.

OpenSSL

The web server needs the right SSL certificates. A detailed OpenSSL tutorial is here: series on being your own certificate authority

  • Create root CA key (-aes256 encrypts the key, so a passphrase is required):
openssl genrsa -aes256 -out ca.key 4096
  • Create root CA cert:
openssl req -new -x509 -days 3650 -key ca.key -extensions v3_ca -out ca.crt
  • Create client key:
openssl genrsa -out client1.key 2048
  • Create client CSR:
openssl req -new -key client1.key -out client1.csr
  • Sign client CSR:
openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 3650

Certificate Revocation List

Both commands below run through "openssl ca", which needs the CA database (index.txt) configured in openssl.cnf, so that has to exist before revoking.

  • Revoke the client certificate (marks it revoked in the CA database):
openssl ca -keyfile ca.key -cert ca.crt -revoke client1.crt
  • Generate the CRL from that database (this is the file nginx loads as ssl_crl):
openssl ca -keyfile ca.key -cert ca.crt -gencrl -out ca.crl
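As an added end-to-end check (example script, not part of the original page): it builds a throwaway CA in a temporary directory, issues client1's certificate with the same commands as above, revokes it, generates the CRL, and verifies that the CRL really rejects the certificate, which is the same check nginx performs with ssl_client_certificate plus ssl_crl. The minimal openssl.cnf it writes, the CN values and the 30-day CRL lifetime are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): throwaway CA, client cert, revocation, CRL check.
set -e
mtls_crl_demo() {
    dir=$(mktemp -d)
    # 'openssl ca' needs a database even just to revoke; give it a minimal one
    mkdir "$dir/newcerts"; : > "$dir/index.txt"
    echo 1000 > "$dir/serial"; echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = repo_ca
[ repo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
policy = repo_policy
[ repo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Root CA (key left unencrypted so the demo runs unattended)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -subj "/CN=Repo CA" \
        -extensions v3_ca -config "$dir/ca.cnf" -out "$dir/ca.crt"
    # Client key, CSR and signed cert: the page's three client steps
    openssl genrsa -out "$dir/client1.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client1.key" -subj "/CN=client1" \
        -config "$dir/ca.cnf" -out "$dir/client1.csr"
    openssl x509 -req -in "$dir/client1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -out "$dir/client1.crt" 2>/dev/null
    before=$(openssl verify -CAfile "$dir/ca.crt" "$dir/client1.crt" >/dev/null 2>&1 && echo ok || echo rejected)
    # The page's two revocation steps: mark revoked in the DB, then publish the CRL
    openssl ca -config "$dir/ca.cnf" -keyfile "$dir/ca.key" -cert "$dir/ca.crt" \
        -revoke "$dir/client1.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -keyfile "$dir/ca.key" -cert "$dir/ca.crt" \
        -gencrl -crldays 30 -out "$dir/ca.crl" 2>/dev/null
    # Same check nginx makes with ssl_client_certificate + ssl_crl
    cat "$dir/ca.crt" "$dir/ca.crl" > "$dir/ca_and_crl.pem"
    after=$(openssl verify -crl_check -CAfile "$dir/ca_and_crl.pem" "$dir/client1.crt" >/dev/null 2>&1 && echo ok || echo rejected)
    rm -rf "$dir"
    echo "before_revoke=$before after_revoke=$after"
}
```

Running mtls_crl_demo prints before_revoke=ok after_revoke=rejected; if a freshly generated CRL does not produce "rejected", nginx will not reject that client either.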

Nginx

Nginx supports client certificate authentication. Add the following lines to the server section:

server {
    listen 80;

    server_name  repo.EXAMPLE.com;
    return 301 https://repo.EXAMPLE.com$request_uri;
}
server {
    listen          443 ssl;

    server_name     repo.EXAMPLE.com;

    ssl_certificate        /etc/nginx/certs/EXAMPLE.cert.pem; # Simple HTTPS configuration
    ssl_certificate_key    /etc/nginx/certs/EXAMPLE.key.pem;  # Simple HTTPS configuration
    ssl_protocols          TLSv1.2 TLSv1.3;  # SSLv2, SSLv3 and TLSv1 are broken and must not be offered
    ssl_ciphers            HIGH:!aNULL:!MD5; # no EXPORT, LOW or RC4 suites
    ssl_prefer_server_ciphers on;
    ssl_session_timeout    5m;

    # Client certificate authentication: only certificates signed by ca.crt
    # and not listed in ca.crl are let through
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;
    ssl_crl                /etc/nginx/certs/ca.crl;

    location / {
        proxy_pass          http://XXXXXXXXXXX:80; # Forward all requests to the upstream unprotected web server
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Host repo.EXAMPLE.com;
    }
}

YUM

Yum configuration is rather simple:

[EXAMPLE]
name=EXAMPLE repository
baseurl=https://repo.EXAMPLE.com/centos/6/$basearch
enabled=1
# Comments must be on their own line. Set sslverify=0 only if the server uses a
# self-signed certificate yum cannot verify; the safer fix is to keep it at 1 and
# add sslcacert= pointing at the CA certificate that signed the server certificate.
sslverify=1
gpgcheck=1
sslclientcert=/var/lib/yum/client1.cert.pem
sslclientkey=/var/lib/yum/client1.key.pem