<html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <style type="text/css" style="display:none"></style> </head><body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> Thank you for your response, Robert. You are correct, the setup created an SSL cert with an incorrect FQDN (the CN is incorrect in the cert) which is now out on about 53 clients who now can not update from spacewalk because of that. And yes, i would like to fix the cert and push it to the 53 clients. The certificate was generated and signed on the same server using the same CA, i get the fact that i dont need to redistribute the CA files, but the RHN-TRUSTED-SSL-CERT file is incorrect., i am not sure how that will work correctly. <div style="color: rgb(33, 33, 33);"> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="divRplyFwdMsg" dir="ltr">From: spacewalk-list-bounces@redhat.com <spacewalk-list-bounces@redhat.com> on behalf of Robert Paschedag <robert.paschedag@web.de> Sent: Friday, September 27, 2019 2:23 PM To: spacewalk-list@redhat.com Subject: [BULK]Re: [Spacewalk-list] [BULK][EXT] Re: Regenerating Trusted Cert <div> </div> </div> <div>If I understand it right, the name of your server within your certificate was wrong and all the clients are running with the wrong fqdn name. Right? So you know want to fix this and created a new certificate with the Fqdn fixed. Right? Has this certificate been generated (and signed) by the same CA? Then you don't have to redistribute the CA file and don't need to change the RHN-TRUSTED-SSL-CERT file. The best thing would be, if you created the new certificate with both FQDN names... The wrong old (current) and the new fixed one (as SAN certificate.) All that should be needed then is to put the new certificate in place on the server (within Apache and jabber (xml files) configuration) and set the old FQDN name as ServerAlias within Apache. With this configuration in place, it should work that all clients (old and new) can connect to Spacewalk without getting certificate errors. The new clients should use the new name and you can later fix the name on all old clients within /etc/sysconfig/rhn/up2date and restart "rhnsd" and/or "osad" (maybe also within osad configuration file). EDIT: Hmm... Even if that all works, I think you would have problems with "osad". I think a temporary configuration of jabber (for 2 server names) would be too complicated. So if you don't mind to lose osad connectivity on the old clients, I would try that. Backup all your configuration files or - when running virtually - create a snapshot before you start. Robert ⁣sent from my mobile device -------- Originale Nachricht -------- Von: "Weiner, Michael" <weinerm@ccf.org> Gesendet: Fri Sep 27 19:20:49 GMT+02:00 2019 An: "spacewalk-list@redhat.com" <spacewalk-list@redhat.com> Betreff: Re: [Spacewalk-list] [BULK][EXT] Re: Regenerating Trusted Cert Thank you for your response, Dean. I didnt do the let's encrypt cert, will that be a problem? ________________________________ From: spacewalk-list-bounces@redhat.com <spacewalk-list-bounces@redhat.com> on behalf of Peirce, Dean <Dean.Peirce@cengage.com> Sent: Friday, September 27, 2019 12:02 PM To: spacewalk-list@redhat.com Subject: [BULK][EXT] Re: [Spacewalk-list] Regenerating Trusted Cert Hi Michael, I followed the instructions in the link below, when I had to change my cert. I had to work around a couple of the steps, since we use a static ssl certificate, and not a Let's Encrypt cert. Hope this helps. <a href="https://omg.dje.li/2017/04/using-lets-encrypt-ssl-certificates-with-spacewalk/">https://omg.dje.li/2017/04/using-lets-encrypt-ssl-certificates-with-spacewalk/</a><<a href="https://omg.dje.li/2017/04/using-lets-encrypt-ssl-certificates-with-spacewalk/">https://omg.dje.li/2017/04/using-lets-encrypt-ssl-certificates-with-spacewalk/</a>> -Dean On Sep 27, 2019, at 11:38 AM, Weiner, Michael <weinerm@ccf.org<mailto:weinerm@ccf.org>> wrote: I have a need to regenerate and redistribute the SSL certificate for my instance of spacewalk. When i set it up originally, the FQDN was not correct so the cert is now wrong that got distributed to workstations/servers, and i need to correct it now that the FQDN is correct. I have been googling but i cant seem to find anything specific to my query. I would have assumed there was a script (like the initial install script) that can recreate the cert and RPM. Any assistance would be greatly appreciated. Michael Please consider the environment before printing this e-mail Cleveland Clinic is currently ranked as one of the nation's top hospitals by U.S. News & World Report (2019-2020). Visit us online at <a href="http://www.clevelandclinic.org"> http://www.clevelandclinic.org</a><<a href="http://www.clevelandclinic.org/">http://www.clevelandclinic.org/</a>> for a complete listing of our services, staff and locations. Confidentiality Note: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. Thank you. _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com<mailto:Spacewalk-list@redhat.com> <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list">https://www.redhat.com/mailman/listinfo/spacewalk-list</a><<a href="https://www.redhat.com/mailman/listinfo/spacewalk-list">https://www.redhat.com/mailman/listinfo/spacewalk-list</a>> Please consider the environment before printing this e-mail Cleveland Clinic is currently ranked as the No. 2 hospital in the country by U.S. News & World Report (2017-2018). Visit us online at <a href="http://www.clevelandclinic.org"> http://www.clevelandclinic.org</a> for a complete listing of our services, staff and locations. Confidentiality Note: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. Thank you. ------------------------------------------------------------------------ _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list">https://www.redhat.com/mailman/listinfo/spacewalk-list</a> _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list">https://www.redhat.com/mailman/listinfo/spacewalk-list</a> </div> </div> Please consider the environment before printing this e-mailCleveland Clinic is currently ranked as one of the nation’s top hospitals by U.S. News & World Report (2019-2020). Visit us online at <a href="http://www.clevelandclinic.org" target="_blank">http://www.clevelandclinic.org</a> for a complete listing of our services, staff and locations. Confidentiality Note: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. Thank you.</body></html>