[Spacewalk-list] How to use a signed certificate?

Daryl Rose darylrose at outlook.com
Fri Sep 11 12:41:04 UTC 2015


Robert,

I finally had a chance to get back to this.

You said to look to see if Apache is deploying the SSLCertificateChainFile certificate chain.

SSLCertificateChainFile was commented out, but I'm not sure what I need to put in for the Certificate Chain File.

However, I looked at my demo server, and the SSLCertificateChainFile was also commented out in the ssl.conf file. But SLES works perfectly with that server. I moved one of my SLES machines to the demo server, and it accepts the certificate just fine. So, I'm now wondering if this issue is something else.

Thanks

Daryl


________________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Robert Paschedag <robert.paschedag at web.de>
Sent: Wednesday, September 9, 2015 11:25 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] How to use a signed certificate?

Hi Daryl,

looks good. But try the following.

Put a testfile on the spacewalk "pub" folder...normally "/srv/www/html/pub"

Then try to manually grab the file with "curl", only using "your" CA file

    curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none https://<yourserver>/pub/<testfile>

If this works, try the same without setting "--cacert and --capath". If this
does NOT work, something went wrong running "c_rehash".

If both do NOT work, then maybe the apache server is not "deploying" the
complete certificate chain. Look for "apache"s "SSLCertificateChainFile"
in /etc/http/conf.d/ssl.conf

Regards,
Robert


On 09.09.2015 at 15:12, Daryl Rose wrote:
> Avi,
>
> Here are the steps for registering SLES from the Spacewalk documentation:
>
> https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE
>
> However, the steps are not completely accurate for SLES 11 SP3.  A few changes need to be made.
>
> 1. Changes to the spacewalk-tools URL.
> zypper ar -f http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/ spacewalk-tools
>
> 2.  Step two applies to SLES 12, not to SLES 11.  (I learned about that from this forum).  These are the modified steps:
> a.  wget http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
> b.  cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
> c.  c_rehash /etc/ssl/certs/
>
> After running the c_rehash, I get the following:
>
> lrwxrwxrwx 1 root root   28 Sep  9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem
>
> I'm assuming that this is what I should see.
>
> These are the same steps that I used in my testing. Is there something wrong with the cert?
>
> Thanks
>
> Daryl
>
> ________________________________________
> From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Avi Miller <avi.miller at oracle.com>
> Sent: Tuesday, September 8, 2015 3:39 PM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] How to use a signed certificate?
>
> Hey Daryl,
>
>> On 9 Sep 2015, at 6:06 am, Daryl Rose <darylrose at outlook.com> wrote:
>>
>> I decided to move my SW environment into production, so I stood up a brand new SW server and redid the signed certificate according to your documentation.  Everything works fine with the RHEL servers that I've attached, but I'm having certificate issues with SLES.
>
> I don't think we ever tested this with SLES/OpenSUSE as that's not covered under standard Oracle support. I've not even looked into how you register a SLES system to Spacewalk, so I can't comment on how that process would need to be updated for a 3rd-party certificate.
>
> However, this seems like a verification issue, so I would double-check that you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that it has the entire CA chain contained. Otherwise, the client would not be able to verify the certificate provided by the server.
>
> Can you point me towards the appropriate documentation that outlines the SLES registration process to Spacewalk so I can review?
>
> Thanks,
> Avi
>
> --
> Oracle <http://www.oracle.com>
> Avi Miller | Product Management Director | +61 (3) 8616 3496
> Oracle Linux and Virtualization
> 417 St Kilda Road, Melbourne, Victoria 3004 Australia
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>

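The following is an added example, not written by anyone in this thread and not Spacewalk code. It builds a throwaway root CA, intermediate CA and server certificate with openssl (all names and files are constructed) and shows that a client trusting only the root rejects the server certificate unless the intermediate is presented with it, which is what Apache's SSLCertificateChainFile supplies; it also prints the subject-hash name that c_rehash links to the CA file.

```shell
#!/bin/sh
# Added example. Every key and certificate here is a throwaway, constructed
# in a temp directory; names such as "Demo Root CA" are assumptions.

# Prints: no_chain=<OK|FAIL> with_chain=<OK|FAIL> hash_link=<xxxxxxxx>.0
chain_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Minimal config so both CA certificates carry CA:TRUE.
        # distinguished_name is unused because -subj is always given.
        printf '%s\n' '[req]' 'distinguished_name=req' 'x509_extensions=v3_ca' \
            '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf

        # Root CA: the role RHN-ORG-TRUSTED-SSL-CERT plays on the client
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
            -subj '/CN=Demo Root CA' -keyout root.key -out root.pem 2>/dev/null
        # Intermediate CA, signed by the root
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj '/CN=Demo Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 2 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
        # Server certificate, signed by the intermediate
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj '/CN=spacewalk.example.test' -keyout srv.key -out srv.csr 2>/dev/null
        openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -days 2 -out srv.pem 2>/dev/null

        # Client trusts only the root; server sends only its own certificate
        no_chain=FAIL
        openssl verify -CAfile root.pem srv.pem 2>/dev/null \
            | grep -q ': OK$' && no_chain=OK
        # Same trust anchor, but the intermediate is presented with the leaf
        with_chain=FAIL
        openssl verify -CAfile root.pem -untrusted int.pem srv.pem 2>/dev/null \
            | grep -q ': OK$' && with_chain=OK

        # Subject hash: the name c_rehash gives its symlink to the CA file
        printf 'no_chain=%s with_chain=%s hash_link=%s.0\n' \
            "$no_chain" "$with_chain" "$(openssl x509 -noout -hash -in root.pem)"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

command -v openssl >/dev/null 2>&1 && chain_demo
```

If the CA file on the client already contains both the root and the intermediate, the first check passes as well, so a missing chain on the server only matters when the client holds the root alone.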