[Spacewalk-list] Spacewalk Proxy 1.6 and non-self signed certificates
Scott Worthington
scott.c.worthington at gmail.com
Wed Dec 28 16:50:36 UTC 2011
Hello,
I am utilizing Spacewalk 1.6 with a non-self-signed SSL certificate
provided by a commercial CA (a requirement in my environment due to
PCI compliance).
I successfully followed (pardon the URL)...
http://unfuckablelinux.com/2008/07/02/spacewalk-and-avoiding-self-signed-certificates/
...to install a valid SSL certificate into Spacewalk. This server has
been in production tracking 1.6-nightly and now 1.6-release since Sept
2011, and it is working well.
I am now creating a Spacewalk Proxy 1.6.
When running the automation script 'configure-proxy.sh', you must copy
the three files RHN-ORG-PRIVATE-SSL-KEY,
RHN-ORG-TRUSTED-SSL-CERT, and rhn-ca-openssl.cnf from the main
Spacewalk server in /root/ssl-build.
Because I am not using a self-signed SSL cert on the main Spacewalk
server, the script fails with:
Using configuration from /root/ssl-build/rhn-ca-openssl.cnf
CA certificate and CA private key do not match
140222874289992:error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch:x509_cmp.c:325:
I am uncertain if anyone else has set up their main Spacewalk server
with a non-self-signed SSL certificate and then attempted to set up a
Spacewalk Proxy.
Since the automation script, /usr/sbin/configure-proxy.sh, fails on
line 500 when it is trying to build the SSL certificate, I will be
manually generating the instructions & process for installing a
non-self-signed SSL cert into a Spacewalk Proxy.
If you are interested in that process, please let me know and I'll
post my how-to on this list to successfully get a Spacewalk Proxy 1.6
to use a non-self-signed SSL cert.
Best,
ScottW
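
Added example, not part of the original message and not code from configure-proxy.sh: the "key values mismatch" error quoted above is OpenSSL reporting that the public key in the CA certificate differs from the one belonging to the CA private key, and the same comparison can be run by hand before invoking the script. The function names and the demo key and certificate (generated in a temporary directory) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate and a private key share one public key.
# Real-world use with the files named in the post would be:
#   cert_matches_key /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT \
#                    /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY

# cert_matches_key CERT KEY
#   returns 0 = match, 1 = mismatch, 2 = a file could not be read or parsed
cert_matches_key() {
    # Public key (PEM SubjectPublicKeyInfo) embedded in the certificate
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    # Public half derived from the private key
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Turn the return code into a word (safe to call under `set -e`).
check_result() {
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "MISMATCH" ;;
        *) echo "unreadable" ;;
    esac
}

# Constructed demo data: key A with a self-signed cert, plus unrelated key B.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-demo-ca" \
        -days 1 -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 2
    make_demo_files "$d" || { rm -rf "$d"; return 2; }
    echo "a.crt vs a.key: $(check_result "$d/a.crt" "$d/a.key")"
    echo "a.crt vs b.key: $(check_result "$d/a.crt" "$d/b.key")"
    rm -rf "$d"
}

demo
```

A MISMATCH result for the certificate and key pair handed to the script corresponds to the condition OpenSSL rejects in the output above.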