[Spacewalk-list] "Peer's certificate issuer has been marked as not trusted by the user."

Vipul Sharma (DevOps) sharma.vipul at in.g4s.com
Thu Nov 2 07:47:00 UTC 2017


Hi,

I imported the new keyfile downloaded from Red-Hat -



gpg: key FD431D51: public key "Red Hat, Inc. (release key 2) <security at redhat.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


But if we run gpg --list-keys, it shows me 2 different versions of that.
What's that about? Any ideas?





pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
uid                  Red Hat, Inc (Red Hat Network) <rhn-feedback at redhat.com>
pub   4096R/FD431D51 2009-10-22
uid                  Red Hat, Inc. (release key 2) <security at redhat.com>



Also, I checked ca-bundle.crt, I found no chain for Red-Hat over there -

Thanks
Vipul

On Thu, Nov 2, 2017 at 12:58 PM, Robert Paschedag <robert.paschedag at web.de>
wrote:

> On 2 November 2017 08:24:10 CET, "Vipul Sharma (DevOps)" <
> sharma.vipul at in.g4s.com> wrote:
> >I have tested 2 different URLs -
> >
> >*This one was from your article -*
> >
> >curl -v https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
> >* About to connect() to cdn.redhat.com port 443 (#0)
> >*   Trying 2.16.30.83...
> >* Connected to cdn.redhat.com (2.16.30.83) port 443 (#0)
> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >  CApath: none
> >* Server certificate:
> >*       subject: CN=cdn.redhat.com,OU=Red Hat Network,O=Red Hat,L=Raleigh,ST=North Carolina,C=US
> >*       start date: May 14 19:48:02 2014 GMT
> >*       expire date: May 11 19:48:02 2024 GMT
> >*       common name: cdn.redhat.com
> >*       issuer: E=ca-support at redhat.com,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
> >* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
> >* Peer's certificate issuer has been marked as not trusted by the user.
> >* Closing connection 0
> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
> >
> >-----------------------------------------------------------
> >
> >*This is from Google-Cloud - Pretty much the same result -*
> >
> >curl -v https://cds.rhel.updates.googlecloud.com/pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/os/repodata/repomd.xml
> >* About to connect() to cds.rhel.updates.googlecloud.com port 443 (#0)
> >*   Trying 23.236.57.179...
> >* Connected to cds.rhel.updates.googlecloud.com (23.236.57.179) port 443 (#0)
> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >  CApath: none
> >* Server certificate:
> >*       subject: CN=cds.rhel.updates.googlecloud.com,OU=SomeOrgUnit,O=SomeOrg,ST=North Carolina,C=US
> >*       start date: Sep 23 05:18:30 2017 GMT
> >*       expire date: Sep 25 05:18:30 2037 GMT
> >*       common name: cds.rhel.updates.googlecloud.com
> >*       issuer: CN=RHUI Certificate Authority,OU=SomeOrgUnit,O=SomeOrg,L=Raleigh,ST=North Carolina,C=US
> >* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
> >* Peer's certificate issuer has been marked as not trusted by the user.
> >* Closing connection 0
> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
> >
> >Thanks
> >
> >On Thu, Nov 2, 2017 at 12:36 PM, Robert Paschedag
> ><robert.paschedag at web.de>
> >wrote:
> >
> >> On 2 November 2017 07:29:16 CET, "Vipul Sharma (DevOps)" <
> >> sharma.vipul at in.g4s.com> wrote:
> >> >In Spacewalk, I had to manually create this file -->
> >> >file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, & then copy/pasted
> >> >the KEY from RHEL server to this location in Spacewalk server.
> >> >
> >> >Some doubts:
> >> >
> >> >Does this require importing this file?
> >> >
> >> >I'm running Spacewalk without a CA-certified certificate. Does that
> >> >impact the overall config for the RHEL repo in Spacewalk?
> >> >
> >> >Thanks
> >> >Vipul
> >> >
> >> >On Thu, Nov 2, 2017 at 11:49 AM, Robert Paschedag
> >> ><robert.paschedag at web.de>
> >> >wrote:
> >> >
> >> >> On 2 November 2017 05:13:12 CET, "Vipul Sharma (DevOps)" <
> >> >> sharma.vipul at in.g4s.com> wrote:
> >> >> >Hi Michael,
> >> >> >
> >> >> >We are using a registered system through 'Google-Cloud' - I have
> >> >> >copied everything very carefully from RHEL.repo into Spacewalk,
> >> >> >including all the .cert & .pem files.
> >> >> >
> >> >> >Just unable to figure out what's wrong with it for the time being -
> >> >> >
> >> >> >Thanks
> >> >> >
> >> >> >On Wed, Nov 1, 2017 at 5:36 PM, Michael Mraka
> >> >> ><michael.mraka at redhat.com>
> >> >> >wrote:
> >> >> >
> >> >> >> Vipul Sharma (DevOps):
> >> >> >> > Hi Robert,
> >> >> >> >
> >> >> >> > I need your 'HELP' - I went according to your configuration for
> >> >> >> > downloading RHEL repos into 'Spacewalk' - But, I'm facing some
> >> >> >> > issues while doing that, Can you be humble enough to take a look
> >> >> >> > into my issue --
> >> >> >> >
> >> >> >> > *This is the error -*
> >> >> >> >
> >> >> >> > 10:01:26 | Channel: rhel-base
> >> >> >> > 10:01:26 ======================================
> >> >> >> > 10:01:26 Sync of channel started.
> >> >> >> > 10:01:26 Repo URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
> >> >> >> > 10:01:27 ERROR: failure: repodata/repomd.xml from content_dist_rhel_server_7_7Server_x86_64_os: [Errno 256] No more mirrors to try.
> >> >> >> > https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
> >> >> >> > 10:01:27 Sync of channel completed in 0:00:00.
> >> >> >> > 10:01:27 Total time: 0:00:00
> >> >> >> >
> >> >> >> > ---------------------------------------------
> >> >> >> >
> >> >> >> > My Spacewalk server is running an unauthorized CA-CERT. Is this
> >> >> >> > because of that?
> >> >> >>
> >> >> >> You need a proper Red Hat Subscription to be able to download
> >> >> >> Red Hat content from CDN.
> >> >> >>
> >> >> >> Regards,
> >> >> >>
> >> >> >> --
> >> >> >> Michael Mráka
> >> >> >> System Management Engineering, Red Hat
> >> >> >>
> >> >>
> >> >> For me, this sounds as if one of the "signing" CAs of RedHat's
> >> >> servers is not trusted by "you".
> >> >>
> >> >> Robert
> >> >>
> >>
> >> Please try to curl the URL.
> >>
> >> curl -vv -1 https://....
> >>
> >> See the same error?
> >>
> >> Robert
> >>
>
> You have to get the "issuer" certs from RedHat (download from web?) and
> add them to your trusted CA store.
>
> Robert
>
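
The failure and the fix suggested in the thread (add the issuer's CA certificate to the trust store the client reads) can be reproduced offline. The script below is an added example, not part of the thread: it creates throwaway certificates with constructed names (Demo Issuer CA, Unrelated CA, demo.example) and shows a server certificate failing verification until its issuer is present in the CA bundle.

```shell
#!/bin/sh
# Added example; every name below (Demo Issuer CA, demo.example, file names) is constructed.

# issuer_in_bundle CERT BUNDLE: succeeds only if CERT chains to a CA found in BUNDLE.
# Matches the "<file>: OK" line that `openssl verify` prints on success.
issuer_in_bundle() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

trust_state() {
    if issuer_in_bundle "$1" "$2"; then echo trusted; else echo untrusted; fi
}

# make_ca DIR NAME CN: throwaway self-signed CA (DIR/NAME.key, DIR/NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA CN: server certificate DIR/leaf.pem signed by DIR/CA.pem.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 2
    if make_ca "$d" issuer "Demo Issuer CA" && make_ca "$d" other "Unrelated CA" &&
       make_leaf "$d" issuer "demo.example"; then
        cp "$d/other.pem" "$d/bundle.pem"          # bundle lacks the issuer
        before=$(trust_state "$d/leaf.pem" "$d/bundle.pem")
        cat "$d/issuer.pem" >> "$d/bundle.pem"     # the fix: add the issuer CA
        after=$(trust_state "$d/leaf.pem" "$d/bundle.pem")
        echo "before=$before after=$after"
    else
        echo "setup-failed"
    fi
    rm -rf "$d"
}

demo
```

On a real host, `issuer_in_bundle` takes the server certificate saved as PEM and the bundle named in the curl output (`/etc/pki/tls/certs/ca-bundle.crt`).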
