[Spacewalk-list] Getting SSL to work on SLES 11

Daryl Rose darylrose at outlook.com
Fri Aug 14 13:20:33 UTC 2015


I have a follow up comment.  

According to the Red Hat documentation, I should be able to recreate the certification using the "spacewalk-hostname-rename", but that command is not on my system.  I ran a YUM list to see if I could install it, but nothing available.  

Is there another option to recreate the certificate?

Thanks

Daryl

________________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Daryl Rose <darylrose at outlook.com>
Sent: Friday, August 14, 2015 7:55 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Getting SSL to work on SLES 11

Sebastian,

Thank you for this information, but I'm still having problems.

I suspect that the issue is with the certification.

The self signed certification that is created when I stand up the SW server does not contain the FQDN of the SW server.  It contains just the server name.

When I attempt to retrieve updates from the server, I get an error complaining that the serverURL in the up2date file does not match the SW name in the certificate.  RHEL allows me to change the serverURL to just the SW name.  It doesn't seem to care if I use FQDN or not.  Whereas SLES requires FQDN in the certificate.

Last week I thought that I would try and recreate the certificate on my SW server, but I'm not very knowledgeable with certificates, and I just made things worse.  I did ask for assistance on this list, but I got the certification to a point where I found it easier just to rebuild the entire SW server, which I did.

I rebuilt the server, which recreated the self signed cert.  But, I'm in the same position.  The certification only contains the name of the SW server, not the FQDN.  And again, SLES refuses to work with that cert.

This time I went to my internet team and requested an authentic signed company certification (a *.domain cert).  I put that in place of the SSL cert for Apache, and it works just fine.  However, I tried to use it for SW authentication, but I get an error about SSL certification verification.  Is it possible to use a signed certificate for SW authentication?  If not, how do I go about recreating the certification so it will include the FQDN of the SW server?

Thank you

Daryl Rose


________________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Sebastian Meyer <meyer at b1-systems.de>
Sent: Wednesday, August 12, 2015 12:14 PM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Getting SSL to work on SLES 11

Hi Daryl,

On 12.08.2015 18:30, Daryl Rose wrote:
>   *   ln -s /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /usr/share/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT.pem
>   *   update-ca-certificates

That step is for SLES12, not SLES11. For the latter you should use

> Anyway, I found a posting on this list from February of this year.  Bernd Helber had similar problems that I'm having and Michael Calmer provided this reply:
>
>
> Take care that the CA certificate is copied to /etc/ssl/certs/ with the suffix
> ".pem" and you run a "c_rehash /etc/ssl/certs/"
>
> E.g.:
> $> cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
>       /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
> $> c_rehash /etc/ssl/certs/
>

As for the next error, that might be a problem with the OpenSSL 0.9.8 on
the SLES Client:
http://sourceforge.net/p/curl/bugs/1037/?limit=10&page=3#c9b6

> This allowed me to get past the first error that I was receiving, but now I have a different error.  I am now getting this error:
>
>
> <snip>
> Download (curl) error for 'https://<FQ SW Server>/XMLRPC/GET-REQ/sles11sp3_channel/repodata/repomd.xml?head_requests=no':
> Error code: Unrecognized error
> Error message: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
>
> </snip>
>

Fully disabling SSLv3 on the Apache side might help. IIRC that's what
they do on SUSE Manager. If you don't have any SLES10 or EL4 clients
that should be okay. (Not sure about EL5)

There should be some file containing 'SSLProtocol all -SSLv2 ...' in the
apache/httpd config directory in /etc. If there's no '-SSLv3' in that
line, add it after the '-SSLv2' and restart/reload apache.

Best regards
Sebastian

--
Sebastian Meyer
Linux Consultant & Trainer

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
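The checks Sebastian describes, as an added example that is not from this thread or from Spacewalk itself: a few POSIX shell functions that read the host out of an up2date file, list the names a certificate carries so it can be compared with that host, confirm the CA was installed the SLES 11 way (a .pem in /etc/ssl/certs plus the c_rehash symlink), and confirm the Apache SSLProtocol line excludes SSLv3. It assumes openssl is installed; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl command is present.

# Host name from the serverURL= line of an up2date config file.
up2date_host() {
    sed -n 's#^serverURL=https\{0,1\}://\([^/:]*\).*#\1#p' "$1" | head -n 1
}

# Every DNS name a certificate file carries: the subject CN plus any
# subjectAltName DNS entries. SLES expects the serverURL host to appear here.
cert_names() {
    openssl x509 -in "$1" -noout -text |
        sed -n -e 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p' \
               -e '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -e 's/^ *//' -e 's/^DNS://' -e 's/ *$//' | grep -v '^$'
}

# Success when the certificate names the given host exactly.
cert_matches_fqdn() {
    cert_names "$1" | grep -qx "$2"
}

# SLES 11 trust store check: the CA must be a .pem in the certs dir AND the
# symlink c_rehash creates (<subject hash>.0) must exist beside it.
ca_installed_sles11() {
    dir="$1"; pem="$2"
    [ -f "$dir/$pem" ] || return 1
    hash=$(openssl x509 -in "$dir/$pem" -noout -hash)
    [ -e "$dir/$hash.0" ]
}

# Apache side: the SSLProtocol line must carry -SSLv3 in addition to -SSLv2.
sslprotocol_disables_sslv3() {
    grep -i '^[[:space:]]*SSLProtocol' "$1" | grep -q -- '-SSLv3'
}

# Example session on a SLES 11 client (paths and port 443 are assumptions):
#   host=$(up2date_host /etc/sysconfig/rhn/up2date)
#   openssl s_client -connect "$host:443" </dev/null 2>/dev/null |
#       openssl x509 > /tmp/server.crt
#   cert_matches_fqdn /tmp/server.crt "$host" && echo "server cert names $host"
#   ca_installed_sles11 /etc/ssl/certs RHN-ORG-TRUSTED-SSL-CERT.pem && echo "CA trusted"
```

If the server certificate does not name the host, reissuing it with that host as CN or as a subjectAltName DNS entry is the fix on the server side; trusting the CA on the client does not change which name the server presents.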

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
