[Spacewalk-list] Certificate expiry

Kobus Bensch kobus.bensch at trustpayglobal.com
Tue Jul 14 08:46:27 UTC 2015


Morning

I need some help please. This morning I got this message on the 
Spacewalk login:

Your satellite certificate has expired. Please visit the following link 
for steps on how to request or generate a new certificate: 
https://access.redhat.com/knowledge/tools/satcertYour satellite enters 
restricted period in 7 day(s).

So I followed the instructions here to get this resolved:

https://fedorahosted.org/spacewalk/wiki/CertCreation

Here is the steps I took:
gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Thu 12 Jul 2018 10:51:46 AM BST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Infrastructure_Team
Email address: infrastructure at company.com
Comment: Spacewalk Cert
You selected this USER-ID:
     "Infrastructure_Team (Spacewalk Cert) <infrastructure at company.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[12582]: directory `/root/.gnupg/private-keys-v1.d' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key C787B908 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-07-12
pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
       Key fingerprint = E0A9 C645 60C3 FAD1 4EE9  0388 1627 481B C787 B908
uid                  Infrastructure_Team (Spacewalk Cert) 
<infrastructure at company.com>
sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]

gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
uid                  Red Hat, Inc (Red Hat Network) 
<rhn-feedback at redhat.com>

pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
uid                  Infrastructure_Team (Spacewalk Cert) 
<infrastructure at company.com>
sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]

[root at dc2pmzspw01 ~]# gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec   4096R/3E092771 2015-07-13 [expires: 2018-07-12]
uid                  Infrastructure Team (Spacewalk Cert) 
<infrastructure at company.com>
ssb   4096R/DCFD06A8 2015-07-13

sec   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
uid                  Infrastructure_Team (Spacewalk Cert) 
<infrastructure at company.com>
ssb   4096R/113C619E 2015-07-13

gpg --export -a C787B908 > spacewalk-key.gpg
gpg --export-secret-keys -a C787B908 > spacewalk-secretkey.gpg

gpg --keyring /etc/webapp-keyring-new.gpg --no-default-keyring --import 
spacewalk-key.gpg spacewalk-secretkey.gpg
gpg: keyring `/etc/webapp-keyring-new.gpg' created
gpg: key C787B908: public key "Infrastructure_Team (Spacewalk Cert) 
<infrastructure at company.com>" imported
gpg: key C787B908: already in secret keyring
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

mv /etc/webapp-keyring.gpg /etc/webapp-keyring-old.gpg
mv /etc/webapp-keyring-new.gpg /etc/webapp-keyring.gpg

gpg --keyring /etc/webapp-keyring.gpg --no-default-keyring --list-keys
/etc/webapp-keyring.gpg
-----------------------
pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
uid                  Infrastructure_Team (Spacewalk Cert) 
<infrastructure at company.com>
sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]

./gen-oss-sat-cert.pl --orgid 1 --owner "Infrastructure_Team (Spacewalk 
Cert) <infrastructure at company.com>" --signer C787B908 --output 
spacewalk-cert.cert --expires "2018-07-13 00:00:00" --slots 200000 
--satellite-version spacewalk
Passphrase:
gpg: Signature made Mon 13 Jul 2015 11:07:12 AM BST using RSA key ID 
C787B908
gpg: Good signature from "Infrastructure_Team (Spacewalk Cert) 
<infrastructure at company.com>"
Signatures validation succeeded.
Certificate saved as tpgspacewalk-cert.cert

rhn-satellite-activate --sanity-only --rhn-cert=spacewalk-cert.cert
[no output]

rhn-satellite-activate --disconnected --rhn-cert=spacewalk-cert.cert
Certificate specifies 0 of virtualization_host_platform entitlements.
     There are 3000 entitlements allocated to non-base org(s) (0 used).
     You might need to deallocate some entitlements from non-base 
organization(s).
     You need to free 3000 entitlements to match the new certificate.
     In the WebUI, the entitlement is named Virtualization Host Platform.
Certificate specifies 0 of monitoring_entitled entitlements.
     There are 338 entitlements used by systems in the base (id 1) 
organization,
     plus 3000 entitlements allocated to non-base org(s) (26 used).
     You might need to unentitle some systems in the base organization,
     or deallocate some entitlements from non-base organization(s).
     You need to free 3338 entitlements to match the new certificate.
     In the WebUI, the entitlement is named Monitoring.
Certificate specifies 0 of virtualization_host entitlements.
     There are 3000 entitlements allocated to non-base org(s) (0 used).
     You might need to deallocate some entitlements from non-base 
organization(s).
     You need to free 3000 entitlements to match the new certificate.
     In the WebUI, the entitlement is named Virtualization Host.
Certificate specifies 0 of provisioning_entitled entitlements.
     There are 338 entitlements used by systems in the base (id 1) 
organization,
     plus 3000 entitlements allocated to non-base org(s) (26 used).
     You might need to unentitle some systems in the base organization,
     or deallocate some entitlements from non-base organization(s).
     You need to free 3338 entitlements to match the new certificate.
     In the WebUI, the entitlement is named Provisioning.
Activation failed, will now exit with no changes.


I have tried several different settings in the ./gen-oss-sat-cert.pl 
command but always the same.

Can anybody help please?

Thanks

Kobus

-- 


Trustpay Global Limited is an authorised Electronic Money Institution 
regulated by the Financial Conduct Authority registration number 900043. 
Company No 07427913 Registered in England and Wales with registered address 
130 Wood Street, London, EC2V 6DL, United Kingdom.

For further details please visit our website at www.trustpayglobal.com.

The information in this email and any attachments are confidential and 
remain the property of Trustpay Global Ltd unless agreed by contract. It is 
intended solely for the person to whom or the entity to which it is 
addressed. If you are not the intended recipient you may not use, disclose, 
copy, distribute, print or rely on the content of this email or its 
attachments. If this email has been received by you in error please advise 
the sender and delete the email from your system. Trustpay Global Ltd does 
not accept any liability for any personal view expressed in this message.




More information about the Spacewalk-list mailing list