[Spacewalk-list] [EXT] Issues with proxy and certificates

Daryl Rose darylrose at outlook.com
Thu May 5 15:19:50 UTC 2016


Sam,


Unfortunately, this did not resolve my issue.  I still get the exact same error:


ERROR: can't find a file that should have been created during an earlier step:

       /root/ssl-build/rhn-ca-openssl.cnf


I tried the --force-own-ca option on the command line, as well as "FORCE_OWN_CA" in an answers file.

Any other suggestions?

Thank you.

Daryl

________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Sam Sen <ssen at ariasystems.com>
Sent: Thursday, May 5, 2016 9:20 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] [EXT] Issues with proxy and certificates

Yeah I never understood why you would need to sign the CA against the parent server. I spent days trying to get it to work but luckily I found the thread I pasted in the previous email. It's been working real well so I'm assuming all is well.



On May 5, 2016, at 10:16 AM, Daryl Rose <darylrose at outlook.com> wrote:

Sam,

I saw that option in the help, but didn't understand what it meant.  I'll give that a try.

Thank you very much for the reply and the help.

Daryl


________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Sam Sen <ssen at ariasystems.com>
Sent: Thursday, May 5, 2016 8:15 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] [EXT] Issues with proxy and certificates

I ran into a similar issue. I ended up using the "-force-own-ca" flag.

https://www.redhat.com/archives/spacewalk-list/2011-December/msg00147.html



On May 5, 2016, at 8:53 AM, Daryl Rose <darylrose at outlook.com> wrote:

I am trying to stand up a proxy server.  However, I am having issues with the certificate.

I am using a CA signed certificate on the primary SW server. Proxy installation prompts me to copy over three certificate items from the primary SW server.


[root@ ssl-build]# configure-proxy.sh

Using RHN parent (from /etc/sysconfig/rhn/up2date): <spacewalk server>

Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

Please do copy your CA key and public certificate from <spacewalk server> to

/root/ssl-build directory. You may want to execute this command:

 scp 'root@<spacewalk server>:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' /root/ssl-build


I have RHN-ORG-PRIVATE-SSL-KEY and RHN-ORG-TRUSTED-SSL-CERT, but I don't have a rhn-ca-openssl.cnf file.  If I try to install without that file I get the following error:


ERROR: can't find a file that should have been created during an earlier step:

       /root/ssl-build/rhn-ca-openssl.cnf


So, I tried creating one using the rhn-ssl-tool command:


rhn-ssl-tool --gen-ca --password=MY_CA_PASSWORD --dir="/root/ssl-build" \
--set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." \
--set-org-unit="SSL CA Unit"

However, this did not work.  I get the following error:


ERROR: web server's SSL certificate generation/signing failed:


Using configuration from /root/ssl-build/rhn-ca-openssl.cnf

CA certificate and CA private key do not match

139757325297480:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:


Any way to get around this error?  Can I create the rhn-ca-openssl.cnf file from the existing cert?

Thank you.

Daryl
_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
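
The "key values mismatch" error quoted in the thread means the public key inside the CA certificate is not the one that belongs to the CA private key. The following is an added example, not from the thread or the Spacewalk project, that checks whether a certificate and key form a pair using the openssl CLI; the function names and the throwaway test CA are constructed for illustration.

```sh
#!/bin/sh
# Added example: do a CA certificate and a CA private key form a pair?
# Function names are hypothetical; only standard openssl subcommands are used.

# Print the public key embedded in a PEM certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey
}

# Print the public key derived from a PEM private key.
# $2 is an optional openssl pass-phrase source such as env:CA_PASS or file:/path.
pubkey_of_key() {
    if [ -n "${2:-}" ]; then
        openssl pkey -in "$1" -pubout -passin "$2"
    else
        openssl pkey -in "$1" -pubout
    fi
}

# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file could not be read.
ca_pair_matches() {
    cert_pub=$(pubkey_of_cert "$1" 2>/dev/null) || return 2
    key_pub=$(pubkey_of_key "$2" "${3:-}" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway self-signed CA (unencrypted key) in directory $1.
make_constructed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca-$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Command-line use: sh check_ca_pair.sh CERT KEY [PASSIN]
if [ "$#" -ge 2 ]; then
    ca_pair_matches "$@"
    rc=$?
    case $rc in
        0) echo "certificate and key match" ;;
        1) echo "key values mismatch: certificate does not contain this key's public key" ;;
        *) echo "could not read certificate or key" ;;
    esac
    exit $rc
fi
```

For the files named in the thread, the call would be `sh check_ca_pair.sh /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY env:CA_PASS`, with the CA password exported in `CA_PASS` (the script name and variable name are assumptions).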
