[Spacewalk-list] Spacewalk Kickstart ISO Certificate invalid

Johannes Raff j.raff at clue.ch
Wed Apr 27 07:54:09 UTC 2016


This kickstart is not done in a local Spacewalk network but from our lab, which has only a NATed Internet connection and reaches the Spacewalk through the Internet, so it shares the firewall's external IP with another Spacewalk client and yes, there is no PXE possibility.

The DHCP (no PXE) in this network should be fine, since the kickstart was able to connect to the Spacewalk and download the KS file as well as all packages.

For the reverse lookup, it’s correct, there is no reverse lookup entry for the IP, but it never existed and the kickstart from the ISO worked. Does there have to be a reverse entry? I can’t see the IP in the certificate, only the FQDN. The certificate has never been updated / re-signed.

Many thanks
Johannes




> On 27 Apr 2016, at 2:43 AM, prmarino1 at gmail.com wrote:
> 
> Correction
> 
>   Original Message  
> From: prmarino1 at gmail.com
> Sent: Tuesday, April 26, 2016 20:37
> To: Johannes Raff; spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] Spacewalk Kickstart ISO Certificate invalid
> 
> Sounds like something changed in your network.
> If PXE/dhcp works I would compare what the DNS settings are.
> I assume that if you are booting off of a CD it's because DHCP isn't available or it's going to a different DHCP server that doesn't offer PXE.
> I would suspect that there is a reverse lookup issue, 
> Example
> Original
> Spacewalk.mycompany.com A 192.168.1.25
> 25.1.168.192 A spacewalk.mycompany.com
> New version
> Servera25.mycompany.com A 192.168.1.25
> 25.1.168.192 A servera2d.mycompany.com
> Spacewalk.mycompany.com Cname servera25
> 
> Assuming the local DNS has the CNAME in the new config should be fine, the original config should be fine too, but if you mix and match the forward A record from the original with the reverse lookup record from the new version the SSL cert will not verify correctly.
> 
>   Original Message  
> From: Johannes Raff
> Sent: Tuesday, April 26, 2016 17:59
> To: spacewalk-list at redhat.com
> Reply To: spacewalk-list at redhat.com
> Subject: [Spacewalk-list] Spacewalk Kickstart ISO Certificate invalid
> 
> Hi,
> 
> We are running Spacewalk 2.4 on CentOS 6.6 with three Organisations. The setup was started on version 2.0 and has always been updated. So far we had no problems, but suddenly the kickstarting through a cobbler ISO doesn’t work anymore.
> 
> We restarted Spacewalk, executed cobbler sync and cobbler buildiso. After that, booting from the ISO, I can select the profile and the setup starts. After the setup, the machine comes up but is not registered with the Organisation in Spacewalk. After reading through the logs, I find that the /var/log/up2date log shows an invalid certificate error. If I start the run_register manually and using https, I can not move over the connection information. If I use rhnreg_ks, I have the certificate error again.
> 
> If I switch to http: I can input the username and password, in the last step I get the error 70 though, which says that the profile has no free allocations, which is not correct. I have verified the certificate, it is the right certificate (same md5) than on the server or an existing host, it has the correct hostname in the cert and in the kickstart file and the name resolution works well and it is valid.
> 
> If I boot a machine in the DHCP connected network, I get the profiles from PXE and after selecting the correct profile, the setup and registration works without an issue.
> 
> This behaviour has appeared just recently, not straight after an upgrade of Spacewalk. The CentOS patches have been updated recently.
> 
> Has anyone had a similar issue like this, or could someone recommend next steps?
> 
> Many Thanks
> Johannes
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
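
Added example, not part of the original thread: a forward/reverse consistency check run over constructed record sets modelled on the layouts in the quoted reply, plus the case reported above where no reverse entry exists. The function names are hypothetical, and the "new" layout assumes the PTR target names the same host as the A record.

```python
import ipaddress

def norm(name):
    return name.rstrip(".").lower()

def forward(name, records, max_hops=8):
    """Follow CNAMEs from name and return the set of A-record addresses."""
    name = norm(name)
    for _ in range(max_hops):  # hop limit guards against CNAME loops
        cnames = [norm(v) for n, t, v in records if t == "CNAME" and norm(n) == name]
        if not cnames:
            return {v for n, t, v in records if t == "A" and norm(n) == name}
        name = cnames[0]
    return set()

def reverse(ip, records):
    """Return the PTR targets for ip; empty when no reverse entry exists."""
    ptr = ipaddress.ip_address(ip).reverse_pointer
    return {norm(v) for n, t, v in records if t == "PTR" and norm(n) == ptr}

def check(name, records):
    """Classify name as 'unresolved', 'no_ptr', 'match' or 'mismatch'."""
    addrs = forward(name, records)
    if not addrs:
        return "unresolved"
    ptrs = set().union(*(reverse(ip, records) for ip in addrs))
    if not ptrs:
        return "no_ptr"
    # Confirmed when a PTR target resolves forward to one of the same addresses.
    return "match" if any(forward(p, records) & addrs for p in ptrs) else "mismatch"

# Constructed record sets (sample data, not taken from a real zone).
A, PTR, CNAME = "A", "PTR", "CNAME"
REV = "25.1.168.192.in-addr.arpa"
SCENARIOS = {
    "original": [("spacewalk.mycompany.com", A, "192.168.1.25"),
                 (REV, PTR, "spacewalk.mycompany.com")],
    "new": [("servera25.mycompany.com", A, "192.168.1.25"),
            (REV, PTR, "servera25.mycompany.com"),
            ("spacewalk.mycompany.com", CNAME, "servera25.mycompany.com")],
    "mixed": [("spacewalk.mycompany.com", A, "192.168.1.25"),
              (REV, PTR, "servera25.mycompany.com")],
    "no_reverse_entry": [("spacewalk.mycompany.com", A, "192.168.1.25")],
}

def run():
    return {k: check("spacewalk.mycompany.com", r) for k, r in SCENARIOS.items()}

if __name__ == "__main__":
    for scenario, result in run().items():
        print(f"{scenario:18} {result}")
```

To use it against a real environment, replace the constructed tuples with the records returned by the resolver the kickstarted client actually queries.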




