
Re: [Spacewalk-list] "Peer's certificate issuer has been marked as not trusted by the user."



Hi,

I imported the new keyfile downloaded from Red Hat:

gpg: key FD431D51: public key "Red Hat, Inc. (release key 2) <security redhat com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


But if we run gpg --list-keys, it shows me 2 different versions of that. What's that about? Any ideas?

pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
uid                  Red Hat, Inc (Red Hat Network) <rhn-feedback redhat com>

pub   4096R/FD431D51 2009-10-22
uid                  Red Hat, Inc. (release key 2) <security redhat com>



Also, I checked ca-bundle.crt and found no chain for Red Hat there.

Thanks
Vipul

On Thu, Nov 2, 2017 at 12:58 PM, Robert Paschedag <robert paschedag web de> wrote:
On 2 November 2017 08:24:10 CET, "Vipul Sharma (DevOps)" <sharma vipul in g4s com> wrote:
>I have tested 2 different URLs -
>
>*This one was from your article -*
>
>curl -v https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>* About to connect() to cdn.redhat.com port 443 (#0)
>*   Trying 2.16.30.83...
>* Connected to cdn.redhat.com (2.16.30.83) port 443 (#0)
>* Initializing NSS with certpath: sql:/etc/pki/nssdb
>*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CApath: none
>* Server certificate:
>*       subject: CN=cdn.redhat.com,OU=Red Hat Network,O=Red Hat,L=Raleigh,ST=North Carolina,C=US
>*       start date: May 14 19:48:02 2014 GMT
>*       expire date: May 11 19:48:02 2024 GMT
>*       common name: cdn.redhat.com
>*       issuer: E=ca-support redhat com,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
>* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>* Peer's certificate issuer has been marked as not trusted by the user.
>* Closing connection 0
>curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>
>-----------------------------------------------------------
>
>*This is from Google-Cloud - Pretty much the same result -*
>
>curl -v https://cds.rhel.updates.googlecloud.com/pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/os/repodata/repomd.xml
>* About to connect() to cds.rhel.updates.googlecloud.com port 443 (#0)
>*   Trying 23.236.57.179...
>* Connected to cds.rhel.updates.googlecloud.com (23.236.57.179) port 443 (#0)
>* Initializing NSS with certpath: sql:/etc/pki/nssdb
>*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CApath: none
>* Server certificate:
>*       subject: CN=cds.rhel.updates.googlecloud.com,OU=SomeOrgUnit,O=SomeOrg,ST=North Carolina,C=US
>*       start date: Sep 23 05:18:30 2017 GMT
>*       expire date: Sep 25 05:18:30 2037 GMT
>*       common name: cds.rhel.updates.googlecloud.com
>*       issuer: CN=RHUI Certificate Authority,OU=SomeOrgUnit,O=SomeOrg,L=Raleigh,ST=North Carolina,C=US
>* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>* Peer's certificate issuer has been marked as not trusted by the user.
>* Closing connection 0
>curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>
>Thanks
>
>On Thu, Nov 2, 2017 at 12:36 PM, Robert Paschedag <robert paschedag web de> wrote:
>
>> On 2 November 2017 07:29:16 CET, "Vipul Sharma (DevOps)" <sharma vipul in g4s com> wrote:
>> >In spacewalk, I had to manually create this file --> *file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release*, & then copy/pasted the KEY from RHEL server to this location in Spacewalk server.
>> >
>> >Some Doubts :-
>> >
>> >Does this require importing this file ??
>> >
>> >I'm running spacewalk without CA certified certificate, Does that impact the overall config for RHEL Repo in Spacewalk.
>> >
>> >Thanks
>> >Vipul
>> >
>> >On Thu, Nov 2, 2017 at 11:49 AM, Robert Paschedag <robert paschedag web de> wrote:
>> >
>> >> On 2 November 2017 05:13:12 CET, "Vipul Sharma (DevOps)" <sharma vipul in g4s com> wrote:
>> >> >Hi Michael,
>> >> >
>> >> >We are using registered system through 'Google-Cloud' - I have copied everything very carefully from RHEL.repo into spacewalk, including all the .cert & .pem files.
>> >> >
>> >> >Just unable to figure out what's wrong with it for the time being -
>> >> >
>> >> >Thanks
>> >> >
>> >> >On Wed, Nov 1, 2017 at 5:36 PM, Michael Mraka <michael mraka redhat com> wrote:
>> >> >
>> >> >> Vipul Sharma (DevOps):
>> >> >> > Hi Robert,
>> >> >> >
>> >> >> > I need your 'HELP' - I went according to your configuration for downloading RHEL repos into 'Spacewalk' - But, I'm facing some issues while doing that, Can you be humble enough to take a look into my issue --
>> >> >> >
>> >> >> > *This is the error -*
>> >> >> >
>> >> >> > 10:01:26 | Channel: rhel-base
>> >> >> > 10:01:26 ======================================
>> >> >> > 10:01:26 Sync of channel started.
>> >> >> > 10:01:26 Repo URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>> >> >> > 10:01:27 ERROR: failure: repodata/repomd.xml from content_dist_rhel_server_7_7Server_x86_64_os: [Errno 256] No more mirrors to try.
>> >> >> > *https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."*
>> >> >> > 10:01:27 Sync of channel completed in 0:00:00.
>> >> >> > 10:01:27 Total time: 0:00:00
>> >> >> >
>> >> >> > ---------------------------------------------
>> >> >> >
>> >> >> > My Spacewalk server is running unauthorized CA-CERT, Is this because of that ?
>> >> >>
>> >> >> You need a proper Red Hat Subscription to be able to download Red Hat content from CDN.
>> >> >>
>> >> >> Regards,
>> >> >>
>> >> >> --
>> >> >> Michael Mráka
>> >> >> System Management Engineering, Red Hat
>> >> >>
>> >> >> _______________________________________________
>> >> >> Spacewalk-list mailing list
>> >> >> Spacewalk-list redhat com
>> >> >> https://www.redhat.com/mailman/listinfo/spacewalk-list
>> >>
>> >> For me, this sounds as one of the "signing" CA of RedHat's servers is not trusted by "you".
>> >>
>> >> Robert
>> >>
>>
>> Please try to curl the URL.
>>
>> curl -vv -1 https://....
>>
>> See the same error?
>>
>> Robert
>>

You have to get the "issuer" certs from RedHat (download from web?) and add them to your trusted CA store.
Robert
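
The check behind the advice above (find the issuer the server certificate names, then add that CA to the trusted store), as an added offline example that is not part of the original thread. Every CA, key and certificate is generated locally; `make_ca`, `make_leaf`, `issuer_trusted`, the `demo-*` names and `cdn.example.test` are hypothetical, and the two bundle files stand in for `ca-bundle.crt` before and after the issuer is added.

```shell
# Constructed demo: every CA, key and certificate here is generated locally
# in a temp directory; nothing below contacts Red Hat or any real server.
work=$(mktemp -d)

# make_ca <name>: self-signed demo CA (key + certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# make_leaf <cn> <ca-name>: server certificate issued by that demo CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -days 1 -CAcreateserial \
    -CA "$work/$2.pem" -CAkey "$work/$2.key" -out "$work/$1.pem" 2>/dev/null
}

# issuer_trusted <cert> <bundle>: succeeds only if the certificate chains to
# a CA in the bundle. (openssl may also consult its default store; the demo
# CAs are not in it.)
issuer_trusted() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_ca demo-public-ca        # stands in for the CAs already in ca-bundle.crt
make_ca demo-entitlement-ca   # stands in for the private issuer in the curl output
make_leaf cdn.example.test demo-entitlement-ca
leaf="$work/cdn.example.test.pem"

# Step 1: read the issuer the server certificate actually names.
openssl x509 -in "$leaf" -noout -issuer

# Step 2: a bundle without that issuer fails verification (curl reports error 60).
cp "$work/demo-public-ca.pem" "$work/bundle-before.crt"
if issuer_trusted "$leaf" "$work/bundle-before.crt"; then
  echo "before: trusted"
else
  echo "before: untrusted issuer"
fi

# Step 3: once the issuer's CA certificate is in the bundle, verification passes.
cat "$work/demo-public-ca.pem" "$work/demo-entitlement-ca.pem" > "$work/bundle-after.crt"
if issuer_trusted "$leaf" "$work/bundle-after.crt"; then
  echo "after: trusted"
else
  echo "after: untrusted issuer"
fi
```

On RHEL/CentOS 7 the bundle file is regenerated by `update-ca-trust`, so a CA placed in `/etc/pki/ca-trust/source/anchors/` followed by `update-ca-trust extract` persists where a hand-edited `ca-bundle.crt` does not.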





