[Spacewalk-list] Certificate expiry

Cliff Perry cperry at redhat.com
Mon Jul 13 10:32:00 UTC 2015 

On 13/07/15 11:20, Kobus Bensch wrote:
> Morning
>
> I need some help please. This morning I got this message on the
> Spacewalk login:
>
> Your satellite certificate has expired. Please visit the following link
> for steps on how to request or generate a new certificate:
> https://access.redhat.com/knowledge/tools/satcertYour satellite enters
> restricted period in 7 day(s).
>
> So I followed the instructions here to get this resolved:
>
> https://fedorahosted.org/spacewalk/wiki/CertCreation
>
> Here is the steps I took:
> gpg --gen-key
> gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Please select what kind of key you want:
>     (1) RSA and RSA (default)
>     (2) DSA and Elgamal
>     (3) DSA (sign only)
>     (4) RSA (sign only)
> Your selection? 1
> RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048) 4096
> Requested keysize is 4096 bits
> Please specify how long the key should be valid.
>           0 = key does not expire
>        <n>  = key expires in n days
>        <n>w = key expires in n weeks
>        <n>m = key expires in n months
>        <n>y = key expires in n years
> Key is valid for? (0) 3y
> Key expires at Thu 12 Jul 2018 10:51:46 AM BST
> Is this correct? (y/N) y
>
> GnuPG needs to construct a user ID to identify your key.
>
> Real name: Infrastructure_Team
> Email address: infrastructure at company.com
> Comment: Spacewalk Cert
> You selected this USER-ID:
>      "Infrastructure_Team (Spacewalk Cert) <infrastructure at company.com>"
>
> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
> You need a Passphrase to protect your secret key.
>
> can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
> gpg-agent[12582]: directory `/root/.gnupg/private-keys-v1.d' created
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> gpg: key C787B908 marked as ultimately trusted
> public and secret key created and signed.
>
> gpg: checking the trustdb
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: next trustdb check due at 2018-07-12
> pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
>        Key fingerprint = E0A9 C645 60C3 FAD1 4EE9  0388 1627 481B C787 B908
> uid                  Infrastructure_Team (Spacewalk Cert)
> <infrastructure at company.com>
> sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]
>
> gpg --list-keys
> /root/.gnupg/pubring.gpg
> ------------------------
> pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
> uid                  Red Hat, Inc (Red Hat Network)
> <rhn-feedback at redhat.com>
>
> pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
> uid                  Infrastructure_Team (Spacewalk Cert)
> <infrastructure at company.com>
> sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]
>
> [root at dc2pmzspw01 ~]# gpg --list-secret-keys
> /root/.gnupg/secring.gpg
> ------------------------
> sec   4096R/3E092771 2015-07-13 [expires: 2018-07-12]
> uid                  Infrastructure Team (Spacewalk Cert)
> <infrastructure at company.com>
> ssb   4096R/DCFD06A8 2015-07-13
>
> sec   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
> uid                  Infrastructure_Team (Spacewalk Cert)
> <infrastructure at company.com>
> ssb   4096R/113C619E 2015-07-13
>
> gpg --export -a C787B908 > spacewalk-key.gpg
> gpg --export-secret-keys -a C787B908 > spacewalk-secretkey.gpg
>
> gpg --keyring /etc/webapp-keyring-new.gpg --no-default-keyring --import
> spacewalk-key.gpg spacewalk-secretkey.gpg
> gpg: keyring `/etc/webapp-keyring-new.gpg' created
> gpg: key C787B908: public key "Infrastructure_Team (Spacewalk Cert)
> <infrastructure at company.com>" imported
> gpg: key C787B908: already in secret keyring
> gpg: Total number processed: 2
> gpg:               imported: 1  (RSA: 1)
> gpg:       secret keys read: 1
> gpg:  secret keys unchanged: 1
>
> mv /etc/webapp-keyring.gpg /etc/webapp-keyring-old.gpg
> mv /etc/webapp-keyring-new.gpg /etc/webapp-keyring.gpg
>
> gpg --keyring /etc/webapp-keyring.gpg --no-default-keyring --list-keys
> /etc/webapp-keyring.gpg
> -----------------------
> pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
> uid                  Infrastructure_Team (Spacewalk Cert)
> <infrastructure at company.com>
> sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]
>
> ./gen-oss-sat-cert.pl --orgid 1 --owner "Infrastructure_Team (Spacewalk
> Cert) <infrastructure at company.com>" --signer C787B908 --output
> spacewalk-cert.cert --expires "2018-07-13 00:00:00" --slots 200000
> --satellite-version spacewalk
> Passphrase:
> gpg: Signature made Mon 13 Jul 2015 11:07:12 AM BST using RSA key ID
> C787B908
> gpg: Good signature from "Infrastructure_Team (Spacewalk Cert)
> <infrastructure at company.com>"
> Signatures validation succeeded.
> Certificate saved as tpgspacewalk-cert.cert
>
> rhn-satellite-activate --sanity-only --rhn-cert=spacewalk-cert.cert
> [no output]
>
> rhn-satellite-activate --disconnected --rhn-cert=spacewalk-cert.cert
> Certificate specifies 0 of virtualization_host_platform entitlements.
>      There are 3000 entitlements allocated to non-base org(s) (0 used).
>      You might need to deallocate some entitlements from non-base
> organization(s).
>      You need to free 3000 entitlements to match the new certificate.
>      In the WebUI, the entitlement is named Virtualization Host Platform.
> Certificate specifies 0 of monitoring_entitled entitlements.
>      There are 338 entitlements used by systems in the base (id 1)
> organization,
>      plus 3000 entitlements allocated to non-base org(s) (26 used).
>      You might need to unentitle some systems in the base organization,
>      or deallocate some entitlements from non-base organization(s).
>      You need to free 3338 entitlements to match the new certificate.
>      In the WebUI, the entitlement is named Monitoring.
> Certificate specifies 0 of virtualization_host entitlements.
>      There are 3000 entitlements allocated to non-base org(s) (0 used).
>      You might need to deallocate some entitlements from non-base
> organization(s).
>      You need to free 3000 entitlements to match the new certificate.
>      In the WebUI, the entitlement is named Virtualization Host.
> Certificate specifies 0 of provisioning_entitled entitlements.
>      There are 338 entitlements used by systems in the base (id 1)
> organization,
>      plus 3000 entitlements allocated to non-base org(s) (26 used).
>      You might need to unentitle some systems in the base organization,
>      or deallocate some entitlements from non-base organization(s).
>      You need to free 3338 entitlements to match the new certificate.
>      In the WebUI, the entitlement is named Provisioning.
> Activation failed, will now exit with no changes.
>
>
> I have tried several different settings in the ./gen-oss-sat-cert.pl
> command but always the same.
>
> Can anybody help please?
>
> Thanks
>
> Kobus
>
> Trustpay Global Limited is an authorised Electronic Money Institution
> regulated by the Financial Conduct Authority registration number 900043.
> Company No 07427913 Registered in England and Wales with registered
> address 130 Wood Street, London, EC2V 6DL, United Kingdom.
>
> For further details please visit our website at www.trustpayglobal.com
> <http://www.trustpayglobal.com>.
>
> The information in this email and any attachments are confidential and
> remain the property of Trustpay Global Ltd unless agreed by contract. It
> is intended solely for the person to whom or the entity to which it is
> addressed. If you are not the intended recipient you may not use,
> disclose, copy, distribute, print or rely on the content of this email
> or its attachments. If this email has been received by you in error
> please advise the sender and delete the email from your system. Trustpay
> Global Ltd does not accept any liability for any personal view expressed
> in this message.
>
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>

Hi - can you confirm the version of Spacewalk being used?

The old Certificate used expired today. We generated a new one a year ago:

https://github.com/spacewalkproject/spacewalk/blob/ca2c784eaff062b36f5f464affc50c2a2d21fa6a/branding/setup/spacewalk-public.cert

For now, it is safe to ignore the warning - please give us some time to 
provide our recommended solution here. Since not everyone has upgraded 
yet to Spacewalk 2.3.

Regards,
Cliff

More information about the Spacewalk-list mailing list