[Spacewalk-list] Spacewalk 2.1 | SSL Certificate Invalid when using HTTPS for host registration
Robert Paschedag
robert.paschedag at web.de
Tue Jul 18 04:57:11 UTC 2017
Am 18. Juli 2017 02:34:25 MESZ schrieb Francis Lee Mondia <endace.francis.mondia at gmail.com>:
>Hi Robert,
>
>Thanks for the tips. Was able to login to the postgresql db with the
>credentials stored on the rhn.conf file. Tried to delete the referenced
>ky
>but I think the error is legit, as postgresql is enforcing a key
>constraint
>on the two tables so as not to have inconsistent keys. I dug into the
>table
>and I see that are are other keys inserted which I think were the ones
>I
>made and installed when I installed the newly-built rpms. I now think I
>don't need to do this step (delete the key) and look for another
>solution.
>
>
>I got another lead though which might get me to the bottom of this
>issue.
>I've followed the article on red hat titled "SSL certificate validation
>failure when attempting to register against RHN". One of the
>troubleshooting steps is to check the SSL certificate chain. Turns out
>I
>have a self-signed certificate in my chain which was causing
>verification
>issues.
>
>Anyone experiencing the same and have tips on how to resolve it?
>
>Kind regards,
>Francis
>
>On Tue, Jul 18, 2017 at 4:36 AM, Robert Paschedag
><robert.paschedag at web.de>
>wrote:
>
>> Am 17. Juli 2017 16:16:50 MESZ schrieb "Paschedag, Robert" <
>> paschedag.netlution at swr.de>:
>> >The credentials for the postgres db should be stored within
>> >/etc/rhn/rhn.conf on the satellite server.
>> >
>> >By default, this is
>> >
>> >User: rhnuser
>> >PW: rhnpw
>> >DB: rhnschema
>> >
>> >So..switching to user postgres
>> >
>> >Su – postgres
>> >
>> >And
>> >
>> >psql -U <user> -d <DB>
>> >
>> >and entering password should give you access.
>> >
>> >There is also a command to “set” the password
>> >
>> >
>> >
>> >
>> >Mit freundlichen Grüßen
>> >
>> >Robert Paschedag
>> >Netlution GmbH
>> >Landteilstr. 33
>> >68163 Mannheim
>> >
>> >im Auftrag des
>> >SWR
>> >Südwestrundfunk
>> >HA IT, Medientechnik und Programmverbreitung
>> >Neckarstraße 230
>> >70190 Stuttgart
>> >
>> >Telefon +49 (0)711 /929-12654 oder
>> >Telefon +49 (0)711 /929-13714
>> >paschedag.netlution at swr.de
>> >
>> >swr.de
>> >
>> >Von: spacewalk-list-bounces at redhat.com
>> >[mailto:spacewalk-list-bounces at redhat.com] Im Auftrag von Vipul
>Sharma
>> >(GDC)
>> >Gesendet: Montag, 17. Juli 2017 14:12
>> >An: Francis Lee Mondia <endace.francis.mondia at gmail.com>
>> >Cc: spacewalk-list at redhat.com
>> >Betreff: Re: [Spacewalk-list] Spacewalk 2.1 | SSL Certificate
>Invalid
>> >when using HTTPS for host registration
>> >
>> >Hey,
>> >Do you remember the password you used when creating the DB - Please
>try
>> >this password given below -
>> >
>> >Database - spaceschema
>> >
>> >Username - spaceuser
>> >
>> >Password - spacepw
>> >
>> >
>> >#psql DBNAME USERNAME
>> >
>> >On Mon, Jul 17, 2017 at 4:45 PM, Francis Lee Mondia
>>
>><endace.francis.mondia at gmail.com<mailto:endace.francis.mondia at gmail.com>>
>> >wrote:
>> >Hi Vipul,
>> >
>> >Yes, the service is running as evidenced by the output. The problem
>as
>> >shown in the error message was that postgres actually can't update
>or
>> >delete the table stated due to a foreign key constraint validation
>on a
>> >table.
>> >
>> >There's a post on the list about it and the recommendation was to
>> >remove it. Any ideas how to remove it from the DB? I'd actually like
>to
>> >log-in to postgres and delete this key being referenced (assuming I
>> >know the password for postgres).
>> >
>> >Kind regards,
>> >Francis
>> >
>> >On Mon, Jul 17, 2017 at 10:23 PM, Vipul Sharma (GDC)
>> ><sharma.vipul at in.g4s.com<mailto:sharma.vipul at in.g4s.com>> wrote:
>> >Hey,
>> >When you are running step 8 - Make sure spacewalk service is
>running,
>> >I'm hoping you've must have stopped the service. Service is
>important
>> >to push the data to postgres.
>> >Thanks
>> > V
>> >
>> >On Mon, Jul 17, 2017 at 3:28 PM, Francis Lee Mondia
>>
>><endace.francis.mondia at gmail.com<mailto:endace.francis.mondia at gmail.com>>
>> >wrote:
>> >Hi Vipul,
>> >
>> >Thanks for the response.
>> >
>> >Still the same, I'm failing on step 8 on this guide
>>
>>(https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert<https://
>>
>emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%
>> 2Fspacewalkproject%2Fspacewalk%2Fwiki%2FChangeCaCert&data=02%7C01%
>> 7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948648506&sdata=
>> 6uTbKGUyx0DTFigKnfdy2kpc2bbLjoESTWBn%2BucL9to%3D&reserved=0>):
>> >
>> >[root at spw01 ~]# rhn-ssl-dbstore -vvv --ca-cert
>> >/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
>> >Public CA SSL certificate: /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
>> >
>> >ERROR: unhandled exception occurred:
>> >Traceback (most recent call last):
>> > File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
>> > sys.exit(abs(mod.main() or 0))
>> >File
>> >"/usr/lib/python2.6/site-packages/spacewalk/satellite_
>> tools/rhn_ssl_dbstore.py",
>> >line 79, in main
>> >satCerts.store_rhnCryptoKey(values.label, values.ca_cert,
>> >verbosity=values.verbose)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>> >line 673, in store_rhnCryptoKey
>> > verbosity=verbosity)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>> >line 614, in _checkCertMatch_rhnCryptoKey
>> > h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>> >line 153, in execute
>> > return apply(self._execute_wrapper, (self._execute, ) + p, kw)
>> >File
>> >"/usr/lib/python2.6/site-packages/spacewalk/server/
>> rhnSQL/driver_postgresql.py",
>> >line 290, in _execute_wrapper
>> > retval = apply(function, p, kw)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>> >line 207, in _execute
>> > return self._execute_(args, kwargs)
>> >File
>> >"/usr/lib/python2.6/site-packages/spacewalk/server/
>> rhnSQL/driver_postgresql.py",
>> >line 309, in _execute_
>> > self._real_cursor.execute(self.sql, params)
>> >psycopg2.IntegrityError: update or delete on table "rhncryptokey"
>> >violates foreign key constraint "rhn_csssl_cacertid_fk" on table
>> >"rhncontentsourcessl"
>> >DETAIL: Key (id)=(1) is still referenced from table
>> >"rhncontentsourcessl".
>> >
>> >
>> >I think the issue is because the server's RHNS-CA-CERT is expired. I
>> >found this
>> >[https://www.centos.org/forums/viewtopic.php?t=49388<h
>> ttps://emea01.safelinks.protection.outlook.com/?url=
>> https%3A%2F%2Fwww.centos.org%2Fforums%2Fviewtopic.php%3Ft%
>> 3D49388&data=02%7C01%7CPaschedag.Netlution%40swr.de%
>> 7Cc7d92ced12154370d03a08d4cd0d31db%7Cbcca095d88d442f88260cc216b81
>>
>f62d%7C0%7C0%7C636358903948648506&sdata=aahJV2c4U9lhprmcK0t105rV6DLA6G
>> b7frlWWQUciA0%3D&reserved=0>]
>> >but it's referencing a red hat article which is for RHEL 5.
>> >
>> >Where do I get an updated RHNS-CA-CERT?
>> >
>> >On Sun, Jul 16, 2017 at 10:53 AM, Vipul Sharma (GDC)
>> ><sharma.vipul at in.g4s.com<mailto:sharma.vipul at in.g4s.com>> wrote:
>> >I completely forgot one thing --
>> >
>> >In the above given command - --set-org-unit should be same as
>> >--set-common-name. They should be the FQDN only.
>> >
>> >On Sun, Jul 16, 2017 at 4:20 AM, Vipul Sharma (GDC)
>> ><sharma.vipul at in.g4s.com<mailto:sharma.vipul at in.g4s.com>> wrote:
>> >Hi Francis,
>> >
>> >In order to configure Spacewalk successfully - Follow these steps -
>> >
>> >Make sure your Hostname & FQDN are same.
>> >
>> >ex - HOSTNAME =
>> >abc.abc.com<https://emea01.safelinks.protection.outlook.
>> com/?url=http%3A%2F%2Fabc.abc.com&data=02%7C01%7CPaschedag.
>> Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948648506&sdata=
>> VkXU9aiUQv7Ozusm1hYoZjkjdtmNIe80keWpY3Lb9vw%3D&reserved=0>
>> >FQDN =
>> >abc.abc.com<https://emea01.safelinks.protection.outlook.
>> com/?url=http%3A%2F%2Fabc.abc.com&data=02%7C01%7CPaschedag.
>> Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> Npd3Evj28Im5AkpcqdE3jYToagiDzUUOgxR3RTqHplI%3D&reserved=0>
>> >
>> >Now,
>> >
>> >Regenerate all the Certs & Keys --
>> >
>> >* First change the hostname to FQDN
>> >
>> >/usr/bin/rhn-ssl-tool --gen-ca --set-country="abc"
>--set-state="abc"
>> >--set-city="abc" --set-org="abc"
>> >--set-org-unit="abc.com<https://emea01.safelinks.
>> protection.outlook.com/?url=http%3A%2F%2Fabc.com&data=02%
>>
>7C01%7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> IeWBvGsEH7IoYaHm74tn8Y1r9YOUFcoVhYQYLEmsxdM%3D&reserved=0>"
>> >--set-common-name="abc"
>> >--set-email="admin.com<https://emea01.safelinks.protection.
>> outlook.com/?url=http%3A%2F%2Fadmin.com&data=02%7C01%
>> 7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> Orc0yjfy2ky0BuNN1HXD6CKD1mLwtRnXtq7UFVONyT0%3D&reserved=0>"
>> >--force
>> >
>> >*To generate new web-server keys --
>> >
>> >/usr/bin/rhn-ssl-tool --gen-server --set-country="abc"
>> >--set-state="abc" --set-city="abc" --set-org="abc"
>> >--set-org-unit="abc.com<https://emea01.safelinks.
>> protection.outlook.com/?url=http%3A%2F%2Fabc.com&data=02%
>>
>7C01%7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> IeWBvGsEH7IoYaHm74tn8Y1r9YOUFcoVhYQYLEmsxdM%3D&reserved=0>"
>> >--set-email="admin.com<https://emea01.safelinks.protection.
>> outlook.com/?url=http%3A%2F%2Fadmin.com&data=02%7C01%
>> 7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> Orc0yjfy2ky0BuNN1HXD6CKD1mLwtRnXtq7UFVONyT0%3D&reserved=0>"
>> >
>> >*How to update the changes made to CA and web-server --
>> >
>>
>>https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert<https://
>>
>emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%
>> 2Fspacewalkproject%2Fspacewalk%2Fwiki%2FChangeCaCert&data=02%7C01%
>> 7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> uCijKeCu2h4oEINDB7vqfknIdpFPYndnFqVZ%2B5Cr2DA%3D&reserved=0>
>> >
>> >Thanks
>> > V
>> >
>> >On Sun, Jul 16, 2017 at 2:00 AM, Francis Lee Mondia
>>
>><endace.francis.mondia at gmail.com<mailto:endace.francis.mondia at gmail.com>>
>> >wrote:
>> >Hi Michael,
>> >
>> >Thanks for the reply!
>> >
>> >On the following suggestions:
>> >1. Upgrade to latest version - definitely but I want to settle the
>SSL
>> >issue first (might just do this next week though if SSL isn't
>resolved)
>> >2. Spacewalk-hostname-rename
>> >- I've done this but haven't resolved the issue. Had to google how
>to
>> >install the certificate which led me to
>> >https://access.redhat.com/solutions/10809<https://
>> emea01.safelinks.protection.outlook.com/?url=https%3A%2F%
>> 2Faccess.redhat.com%2Fsolutions%2F10809&data=02%
>>
>7C01%7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> kapJlAemcHWzc%2B3yMpcvzs2lq4JFZaR%2BmReUQpv%2FIdc%3D&reserved=0>
>> >- Followed that guide in just installing the certificate (copying
>> >rpms, re-installing, etc) but decided to do the the whole shebang
>> >instead after encountering the same issue
>> >- now I'm stuck with this:
>> >
>> >[root at spacewalkserver ~]# rhn-ssl-dbstore
>> >--ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT -vvvvvvvv
>> >Public CA SSL certificate:
>/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>> >Nothing to do: certificate to be pushed matches certificate in
>> >database.
>> >Nothing to do: certificate to be pushed matches certificate in
>> >database.
>> >
>> >ERROR: unhandled exception occurred:
>> >Traceback (most recent call last):
>> > File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
>> > sys.exit(abs(mod.main() or 0))
>> >File
>> >"/usr/lib/python2.6/site-packages/spacewalk/satellite_
>> tools/rhn_ssl_dbstore.py",
>> >line 79, in main
>> >satCerts.store_rhnCryptoKey(values.label, values.ca_cert,
>> >verbosity=values.verbose)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>> >line 673, in store_rhnCryptoKey
>> > verbosity=verbosity)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>> >line 614, in _checkCertMatch_rhnCryptoKey
>> > h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>> >line 153, in execute
>> > return apply(self._execute_wrapper, (self._execute, ) + p, kw)
>> >File
>> >"/usr/lib/python2.6/site-packages/spacewalk/server/
>> rhnSQL/driver_postgresql.py",
>> >line 290, in _execute_wrapper
>> > retval = apply(function, p, kw)
>> >File
>>
>>"/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>> >line 207, in _execute
>> > return self._execute_(args, kwargs)
>> >File
>> >"/usr/lib/python2.6/site-packages/spacewalk/server/
>> rhnSQL/driver_postgresql.py",
>> >line 309, in _execute_
>> > self._real_cursor.execute(self.sql, params)
>> >psycopg2.IntegrityError: update or delete on table "rhncryptokey"
>> >violates foreign key constraint "rhn_csssl_cacertid_fk" on table
>> >"rhncontentsourcessl"
>> >DETAIL: Key (id)=(1) is still referenced from table
>> >"rhncontentsourcessl".
>> >
>> >
>> >- I've found this:
>> >[https://www.redhat.com/archives/spacewalk-list/2016-
>> January/msg00046.html<https://emea01.safelinks.protection.
>> outlook.com/?url=https%3A%2F%2Fwww.redhat.com%2Farchives%
>> 2Fspacewalk-list%2F2016-January%2Fmsg00046.html&data=
>>
>02%7C01%7CPaschedag.Netlution%40swr.de%7Cc7d92ced12154370d03a08d4cd0d31db%
>>
>7Cbcca095d88d442f88260cc216b81f62d%7C0%7C0%7C636358903948658518&sdata=
>> aObzHeFK8Cnmze6MkZeMTptWi%2BUK6CJyqvwRi8hBJkQ%3D&reserved=0>]
>> >which states I should remove the assignment first. THIS I DON'T KNOW
>> >HOW TO DO.
>> >- I think it's this
>> >[http://gatwards.org/techblog/replacing-spacewalk-ssl-certificates<
>> https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%
>> 2Fgatwards.org%2Ftechblog%2Freplacing-spacewalk-ssl-
>> certificates&data=02%7C01%7CPaschedag.Netlution%40swr.de%
>> 7Cc7d92ced12154370d03a08d4cd0d31db%7Cbcca095d88d442f88260cc216b81
>> f62d%7C0%7C0%7C636358903948658518&sdata=Nfw6HCtk99eotgWR%
>> 2Bsh5DxM0UUKUrh21Z3wOTH24kcQ%3D&reserved=0>]
>> >shows how to do it but I'm adamant to delete the only pair on it.
>I've
>> >deleted all expired certs before.
>> >
>> >Thanks in advance.
>> >
>> >Kind regards,
>> >Francis
>> >
>> >On Fri, Jul 14, 2017 at 11:35 PM, Michael Mraka
>> ><michael.mraka at redhat.com<mailto:michael.mraka at redhat.com>> wrote:
>> >Francis Lee Mondia:
>> >> Hi All,
>> >>
>> >> Sorry for this seemingly noob question but I'm new to spacewalk
>and
>> >just
>> >> inherited a system which was not being used for about 2 years and
>now
>> >I've
>> >> been tasked to revive it.
>> >
>> >Hi,
>> >
>> >First of all I'd suggest upgrade to latest Spacewalk (2.6) because
>> >there
>> >were a lot of bugs fixed since then (including security issues).
>> >
>> >> So I've got the system running, updated the channels, repos and
>now
>> >came
>> >> the process of re-adding hosts to the system. I was being shown
>the
>> >SSL
>> >> certicate error as I think the certificate has expired. I can
>> >register
>> >> hosts fine without SSL, and can push package updates to hosts fine
>> >without
>> >> it. I do want to resolve this though moving forward. I've tried
>the
>> >> numerous suggestions I can find (we have a red hat subscription so
>> >was able
>> >> to try their solutions too but none worked).
>> >
>> >Install spacewalk-utils package and run spacewalk-hostname-rename
>> >script.
>> >It will regenerate all SSL certs.
>> >
>> >> I'd also like to know though if upgrading spacewalk to a newer
>> >version
>> >> install a new SSL cert. When we first took a look at the system,
>we
>> >
>> >AFAIR upgrade will not change SSL certs.
>> >
>> >> couldn't log-in as the satellite certificate was expired and we
>had
>> >to
>> >> generate one from red hat support to be able to log back in.
>> >>
>> >> Hoping for some guidance on this from the community.
>> >>
>> >> Kind regards,
>> >> Francis
>> >
>> >Regards,
>> >
>> >
>> >--
>> >Michael Mráka
>> >System Management Engineering, Red Hat
>> >
>> >_______________________________________________
>> >Spacewalk-list mailing list
>> >Spacewalk-list at redhat.com<mailto:Spacewalk-list at redhat.com>
>> >https://www.redhat.com/mailman/listinfo/spacewalk-list<
>> https://emea01.safelinks.protection.outlook.com/?url=
>> https%3A%2F%2Fwww.redhat.com%2Fmailman%2Flistinfo%
>> 2Fspacewalk-list&data=02%7C01%7CPaschedag.Netlution%40swr.de%
>> 7Cc7d92ced12154370d03a08d4cd0d31db%7Cbcca095d88d442f88260cc216b81
>> f62d%7C0%7C0%7C636358903948658518&sdata=8wAw4%
>> 2BnmfT7kGNPIyFYDK64dBe3zs5vDIr8YFI%2BmS7c%3D&reserved=0>
>> >
>> >
>> >_______________________________________________
>> >Spacewalk-list mailing list
>> >Spacewalk-list at redhat.com<mailto:Spacewalk-list at redhat.com>
>> >https://www.redhat.com/mailman/listinfo/spacewalk-list<
>> https://emea01.safelinks.protection.outlook.com/?url=
>> https%3A%2F%2Fwww.redhat.com%2Fmailman%2Flistinfo%
>> 2Fspacewalk-list&data=02%7C01%7CPaschedag.Netlution%40swr.de%
>> 7Cc7d92ced12154370d03a08d4cd0d31db%7Cbcca095d88d442f88260cc216b81
>> f62d%7C0%7C0%7C636358903948658518&sdata=8wAw4%
>> 2BnmfT7kGNPIyFYDK64dBe3zs5vDIr8YFI%2BmS7c%3D&reserved=0>
>> >
>> >
>> >
>> >
>> >Please consider the environment before printing this email.
>>
>>*********************************************************************
>> >This communication may contain information which is confidential,
>> >personal and/or privileged. It is for the exclusive use of the
>intended
>> >recipient(s).
>> >If you are not the intended recipient(s), please note that any
>> >distribution, forwarding, copying or use of this communication or
>the
>> >information in it is strictly prohibited. If you have received it in
>> >error please contact the sender immediately by return e-mail. Please
>> >then delete the e-mail and any copies of it and do not use or
>disclose
>> >its contents to any person.
>> >Any personal views expressed in this e-mail are those of the
>individual
>> >sender and the company does not endorse or accept responsibility for
>> >them. Prior to taking any action based upon this e-mail message, you
>> >should seek appropriate confirmation of its authenticity.
>> >This message has been checked for viruses on behalf of the company.
>>
>>*********************************************************************
>> >
>> >
>> >
>> >
>> >Please consider the environment before printing this email.
>>
>>*********************************************************************
>> >This communication may contain information which is confidential,
>> >personal and/or privileged. It is for the exclusive use of the
>intended
>> >recipient(s).
>> >If you are not the intended recipient(s), please note that any
>> >distribution, forwarding, copying or use of this communication or
>the
>> >information in it is strictly prohibited. If you have received it in
>> >error please contact the sender immediately by return e-mail. Please
>> >then delete the e-mail and any copies of it and do not use or
>disclose
>> >its contents to any person.
>> >Any personal views expressed in this e-mail are those of the
>individual
>> >sender and the company does not endorse or accept responsibility for
>> >them. Prior to taking any action based upon this e-mail message, you
>> >should seek appropriate confirmation of its authenticity.
>> >This message has been checked for viruses on behalf of the company.
>>
>>*********************************************************************
>> >
>> >
>> >
>> >
>> >Please consider the environment before printing this email.
>>
>>*********************************************************************
>> >This communication may contain information which is confidential,
>> >personal and/or privileged. It is for the exclusive use of the
>intended
>> >recipient(s).
>> >If you are not the intended recipient(s), please note that any
>> >distribution, forwarding, copying or use of this communication or
>the
>> >information in it is strictly prohibited. If you have received it in
>> >error please contact the sender immediately by return e-mail. Please
>> >then delete the e-mail and any copies of it and do not use or
>disclose
>> >its contents to any person.
>> >Any personal views expressed in this e-mail are those of the
>individual
>> >sender and the company does not endorse or accept responsibility for
>> >them. Prior to taking any action based upon this e-mail message, you
>> >should seek appropriate confirmation of its authenticity.
>> >This message has been checked for viruses on behalf of the company.
>>
>>*********************************************************************
>>
>> But just another information. When you get a SSL error from the
>client,
>> then you have to check the SSL certificate on the "webserver"!
>>
>> Robert
>>
Just on my way to the office... So filenames might not fit exactly...
It is totally legal to use self-signed certs. This is what SW does when it gets installed. It creates a local CA and also created a local server cert (from this CA) that is used by the SW server.
Your only problem is... Your clients cannot build a "trust chain" to your SW server because the server cert is not signed by a "trusted CA".
You have to deploy the generated CA from SW (should live at /var/www/html/pub/RHN-TRUSTED-SSL-CERT.
This is your CA cert. Copy this to your clients to /etc/sysconfig/rhn. Same name. Check the name on the client within /etc/sysconfig/rhn/up2date
If this is done, the tool "rhn_check" should work already.
To get you repo tool working (yum, zypper, apt), you also have to put the CA in the trusted SSL CA store of these tools.
For SLES11 with zypper, you could create a symlink within /etc/ssl/certs pointing to /etc/sysconfig/rhn/RHN-TRUSTED-SSL-CERT. make sure, the link name ends with ".pem". Then run "c_rehash" to rebuild the CA DB.
Good luck.
Robert
More information about the Spacewalk-list
mailing list