Hi Daryl, how many certificates are stored within <tt>RHN-ORG-TRUSTED-SSL-CERT</tt>? Only one? You said, the "curl" command with "--cacert" set to point to the RHN-ORG... file and setting "--capath none" worked, So we really have to check the links within /etc/ssl/certs And you are NOT using intermediate certificates? Please verify, that the name of the link in /etc/ssl/certs pointing to your RHN-ORG file is the same value as the "subject_hash" of your CA, stored within the RHN-ORG file Get subject_hash from certificate openssl x509 -in /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT -noout -subject_hash This returns the hash. Within /etc/ssl/certs, there should now be a symlink with the "hash value" + ".0" appended, pointing to the RHN-ORG file In my case 83475fa3 ls -l /etc/ssl/certs | grep RHN Should show something like this ....83475fa3.0 -> RHN-ORG-TRUSTED-SSL-CERT.PEM If this is not the case, then this is the error. Regards, Robert Mit freundlichen Grüßen Robert Paschedag Netlution GmbH Landteilstr. 33 68163 Mannheim im Auftrag des SWR Südwestrundfunk Informations- und Kommunikationssysteme Neckarstraße 230 70190 Stuttgart Telefon +49 (0)711 /929-12654 oder Telefon +49 (0)711 /929-13714 paschedag.netlution@swr.de swr.de Von: Daryl Rose <darylrose@outlook.com> An: "robert.paschedag@web.de" <robert.paschedag@web.de>, "spacewalk-list@redhat.com" <spacewalk-list@redhat.com> Datum: 11.09.2015 14:56 Betreff: Re: [Spacewalk-list] How to use a signed certificate? Gesendet von: spacewalk-list-bounces@redhat.com <hr noshade> <tt>Robert, I finally had a chance to get back to this. You said to look to see if Apache is deploying the SSLCertificateChainFile certificate chain. SSLCertificateChainFile was commented out, but I'm not sure what I need to put in for the Certificate Chain File. However, I looked at my demo server, and the SSLCertificateChainFile was also commented out in the ssl.conf file. But, SLES works perfectly with that server. I moved one of my SLES machine to the demo server, and it accepts the certificate just fine. So, I'm now wondering if this issue is something else. Thanks Daryl ________________________________________ From: spacewalk-list-bounces@redhat.com <spacewalk-list-bounces@redhat.com> on behalf of Robert Paschedag <robert.paschedag@web.de> Sent: Wednesday, September 9, 2015 11:25 AM To: spacewalk-list@redhat.com Subject: Re: [Spacewalk-list] How to use a signed certificate? Hi Daryl, looks good. But try the following. Put a testfile on the spacewalk "pub" folder...normally "/srv/www/html/pub" Then try to manually grab the file with "curl", only using "your" CA file curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none https://<yourserver>/pub/<testfile> If this works, try same without setting "--cacert and --capath". If this does NOT work, something went wrong running "c_rehash". If both do NOT work, then maybe the apache server is not "deploying" the complete certificate chain. Look for "apache"s "SSLCertificateChainFile" in /etc/http/conf.d/ssl.conf Regards, Robert Am 09.09.2015 um 15:12 schrieb Daryl Rose: > Avi, > > Here are the steps for registering SLES from the Spacewalk documentation: > > </tt><a href=https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE><tt>https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE</tt></a><tt> > > However, the steps are not completely accurate for SLES 11 SP3. A few changes need to be made. > > 1. Changes to the spacewalk-tools URL. > zypper ar -f </tt><a href=http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/><tt>http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/</tt></a><tt> spacewalk-tools > > 2. Step two applies to SLES 12, not to SLES 11. (I learned about that from this forum). These are the modified steps: > a. wget </tt><a href="http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT"><tt>http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT</tt></a><tt> -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT > b. cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem > c. c_rehash /etc/ssl/certs/ > > After running the c_rehash, I get the following: > > lrwxrwxrwx 1 root root 28 Sep 9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem > > I'm assuming that this is what I should see. > > These are the same steps that I used in my testing. Is there something wrong with the cert? > > Thanks > > Daryl > > ________________________________________ > From: spacewalk-list-bounces@redhat.com <spacewalk-list-bounces@redhat.com> on behalf of Avi Miller <avi.miller@oracle.com> > Sent: Tuesday, September 8, 2015 3:39 PM > To: spacewalk-list@redhat.com > Subject: Re: [Spacewalk-list] How to use a signed certificate? > > Hey Daryl, > >> On 9 Sep 2015, at 6:06 am, Daryl Rose <darylrose@outlook.com> wrote: >> >> I decided to move my SW environment into production, so I stood up a brand new SW server and redid the signed certificate according to your documentation. Everything works fine with the RHEL servers that I've attached, but I'm having certificate issues with SLES. > > I don't think we ever tested this with SLES/OpenSUSE as that's not covered under standard Oracle support. I've not even looked into how you register a SLES system to Spacewalk, so I can't comment on how that process would need to be updated for a 3rd-party certificate. > > However, this seems like a verification issue, so I would double-check that you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that it has the entire CA chain contained. Otherwise, the client would not be able to verify the certificate provided by the server. > > Can you point me towards the appropriate documentation that outlines the SLES registration process to Spacewalk so I can review? > > Thanks, > Avi > > -- > Oracle <</tt><a href=http://www.oracle.com/><tt>http://www.oracle.com</tt></a><tt>> > Avi Miller | Product Management Director | +61 (3) 8616 3496 > Oracle Linux and Virtualization > 417 St Kilda Road, Melbourne, Victoria 3004 Australia > > > _______________________________________________ > Spacewalk-list mailing list > Spacewalk-list@redhat.com > </tt><a href="https://www.redhat.com/mailman/listinfo/spacewalk-list"><tt>https://www.redhat.com/mailman/listinfo/spacewalk-list</tt></a><tt> > > _______________________________________________ > Spacewalk-list mailing list > Spacewalk-list@redhat.com > </tt><a href="https://www.redhat.com/mailman/listinfo/spacewalk-list"><tt>https://www.redhat.com/mailman/listinfo/spacewalk-list</tt></a><tt> > _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com </tt><a href="https://www.redhat.com/mailman/listinfo/spacewalk-list"><tt>https://www.redhat.com/mailman/listinfo/spacewalk-list</tt></a><tt> _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com </tt><a href="https://www.redhat.com/mailman/listinfo/spacewalk-list"><tt>https://www.redhat.com/mailman/listinfo/spacewalk-list</tt></a><tt> </tt>