[Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

Wilkinson, Matthew MatthewWilkinson at alliantenergy.com
Wed Jun 7 17:46:06 UTC 2017


You DO have to build a new server.pem and put it in place for Jabber.

--Matthew Wilkinson


-----Original Message-----
From: Wilkinson, Matthew 
Sent: Wednesday, June 07, 2017 12:45
To: spacewalk-list at redhat.com
Subject: RE: [Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

I did this recently on my SW 2.6 server. You should follow Red Hat's documentation on using signed SSL certs. Don't use Oracle's documentation. 

I used these two websites and figured out how to get it working. Once you get the server SSL working you have to redistribute the spacewalk cert to all of the clients. 

https://access.redhat.com/solutions/10809

https://access.redhat.com/solutions/15753



--Matthew Wilkinson

-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Eric
Sent: Wednesday, June 07, 2017 11:59
To: spacewalk-list at redhat.com
Subject: [Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

I've really beat myself into the ground with this for 3 days now and am stumped.

Situation:  I've been running two Spacewalk servers for a while now, brought them from 2.4 to 2.6.

I've just built a new one to move everything to, running 2.6.  Vanilla build, tested and working, bootstrapped clients, pushed configurations, osad and osa-dispatcher running fine.  This is a clean 2.6 install, not an upgrade.

 Company policy recently changed and no more self-signed certs allowed.

Got my new certs.  There are multiple conflicting documents on doing this.  Like serious discrepancies.  Some have you replace/change the jabber server.pem files, and some don't address it at all.

I primarily used these two docs to perform the install (I could not find a 2.6 specific doc):

Oracle doc for 2.2
https://docs.oracle.com/cd/E37670_01/E64575/html/swk22-replace-cert.html

Redhat Doc (Dated April 2017, for Satellite 5.4 and later -> should cover 2.6)

https://access.redhat.com/solutions/15753


The Oracle doc and most of the other docs do not address the server.pem file for Jabber at all, just has you clear the jabber db and restart.

The Redhat doc says this:

  # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
  # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
  # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem



So now that we have the background....I'm getting a TLS error on start up:

Starting osa-dispatcher: Spacewalk 14899 2017/06/07 09:37:27 -07:00: ('Server does not support TLS - <starttls /> not in <features /> stanza',)

Searching this list, and googling leads me to this Red Hat document:

https://access.redhat.com/solutions/24937


Now, that document clearly says that the MD5sums for all of the jabber server.pem files should match........but if you follow the directions in the Redhat guide for setting it up...they cannot match.  I've tried it both ways.....same error.

I've gone through all the other troubleshooting, the CN matches FQDN and all that.


Everything but osa-dispatcher seems to work, the Web UI, I can bootstrap clients, I can run a remote command.....but because osad on the clients can't connect, I have to run "rhn_check" to get it to pick up the jobs.

I really hope somebody has some suggestions here.

Also, when I pick up my certificate, I have the following download options.....the cert, the cert WITH private key, the cert WITH CA Chain, or the cert WITH private key and CA Chain.

Now, I took the last, and split them all up into separate files...the crt, key, and root chain so my install could match the directions...  Excepting dealing with Jabber, most of the docs are pretty similar.  Nothing in any docs anywhere addresses what I do with the private key.  

I have cleaned up the server, and reinstalled 2.6 to a pristine state 4 or 5 times now and tried various different variations, all with the same result.  

I know I'm doing something wrong and I'm sure it's regarding the jabber pem files, but I can NOT figure it out.

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
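
A consistency check for the jabberd server.pem files discussed in this thread, as an added example that is not part of any poster's message or of the Spacewalk project. It checks the key-then-certificate order that the quoted cp/cat commands produce, that the key and certificate belong together, and that the two copies are byte-identical (equivalent to matching md5sums). The function names are hypothetical and the file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage: sh <this script> /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem

# Print the PEM block types in file order, e.g. "RSA PRIVATE KEY,CERTIFICATE".
pem_layout() {
    awk '/^-----BEGIN .*-----$/ {
             sub(/^-----BEGIN /, ""); sub(/-----$/, "")
             out = out (out == "" ? "" : ",") $0
         }
         END { print out }' "$1"
}

# Succeed when the bundle holds a private key followed by a certificate,
# the order produced by the cp + cat >> commands quoted in the thread.
pem_is_key_then_cert() {
    layout=$(pem_layout "$1")
    case "${layout%%,*}" in *"PRIVATE KEY") ;; *) return 1 ;; esac
    case "${layout#*,}" in CERTIFICATE*) return 0 ;; *) return 1 ;; esac
}

# Succeed when the private key and the first certificate in the bundle
# carry the same public key (needs the openssl CLI).
pem_key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_crt" ]
}

# Run all checks on the bundle ($1) and its second copy ($2). Prints one
# line per check and returns the number of failed checks.
check_jabberd_pem() {
    fails=0
    pem_is_key_then_cert "$1" && echo "order: ok" ||
        { echo "order: FAIL ($(pem_layout "$1"))"; fails=$((fails + 1)); }
    pem_key_matches_cert "$1" && echo "key/cert pair: ok" ||
        { echo "key/cert pair: FAIL"; fails=$((fails + 1)); }
    cmp -s "$1" "$2" && echo "copies identical: ok" ||
        { echo "copies identical: FAIL"; fails=$((fails + 1)); }
    return "$fails"
}

if [ "$#" -eq 2 ]; then check_jabberd_pem "$1" "$2"; fi
```

A key/cert pair failure means the private key that was downloaded or split out does not belong to the installed certificate.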



