[Spacewalk-list] IPSCA SSL Certificate installation on .6?

Milan Zazrivec mzazrivec at redhat.com
Wed Sep 9 14:29:05 UTC 2009


On Wednesday 09 September 2009 16:03:49 Greg Fuller wrote:
> I have a valid SSL certificate created from a trusted CA
> (certs.ipsca.com -- .EDU's get free certs from there).  I'm trying to
> install this SSL certificate into spacewalk .6.  Basically, all I'm
> looking to do is to use the trusted SSL cert for the web interfaces of
> spacewalk so we don't get the error from IE or Firefox saying the
> certificate is not valid (the default self-signed one).
>
> The only instructions I've found on how to do this are at this site:
>
> http://www.unf**kablelinux.com/2008/07/spacewalk-and-avoiding-self-signed-certificates/
>
> (replace the *'s to get the real URL -- I wanted the message to make it
> past spam filters!)
>
> I've followed those directions step by step and I can get our issued
> IPSCA certificate to show up in the web browser, but the browser still
> states it is not a trusted authority (IPSCA *IS* in the IE and Firefox
> trusted authorities).
>
> I'm still able to log in to the web interface, but I did get errors when
> I restarted spacewalk:
>
> Starting osa-dispatcher: RHN 26627 2009/09/09 09:45:38 -04:00:
> ('Traceback caught:',)
> RHN 26627 2009/09/09 09:45:38 -04:00: ('Traceback (most recent call
> last):\n  File "/usr/share/rhn/osad/jabber_lib.py", line 617, in
> connect\n    ssl.do_handshake()\nError: [(\'SSL routines\',
> \'SSL3_GET_SERVER_CERTIFICATE\', \'certificate verify failed\')]\n',)
>                                                            [FAILED]
>
>
> I get the following that shows up in my syslogs during startup of
> spacewalk:
>
> Sep  9 09:45:38 spacewalk-prod-01 jabberd/c2s[26522]: [7] [127.0.0.1,
> port=52800] error: SSL handshake error (error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)
>
>
> Any idea what might be going on?  I've already installed the trusted CA
> and intermediate certs per the directions on that site above.

The directions you are referring to tell you to copy server.pem
to /etc/jabberd, which is not what jabberd config files point
to by default (not the config files that come with Spacewalk at
least).

You may want to check pemfile directives in /etc/jabberd/c2s.xml.
I think it's going to point to /etc/pki/spacewalk/jabberd/server.pem.

-MZ
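
Added example, not part of the original message and not Spacewalk or jabberd code: a Python check for the mismatch the reply describes. It lists every pemfile directive in a jabberd config and reports whether the file each one names is byte-identical to the PEM that was installed. The config layout (pemfile as an element or an attribute), the function names and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import hashlib, os, tempfile
import xml.etree.ElementTree as ET

def pemfile_directives(xml_text):
    """Return (location, path) for each pemfile element or attribute found."""
    found = []
    def walk(node, trail):
        here = trail + "/" + node.tag
        if node.tag == "pemfile" and (node.text or "").strip():
            found.append((here, node.text.strip()))
        if "pemfile" in node.attrib:
            found.append((here + "@pemfile", node.attrib["pemfile"]))
        for child in node:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return found

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit(xml_text, installed_pem):
    """Say whether each configured pemfile is the PEM the admin installed."""
    want = sha256_of(installed_pem)
    report = []
    for where, path in pemfile_directives(xml_text):
        if not os.path.isfile(path):
            status = "missing"
        elif sha256_of(path) == want:
            status = "same as installed"
        else:
            status = "DIFFERENT from installed"
        report.append((where, path, status))
    return report

def demo():
    """Constructed layout: new PEM copied to one place, config names another."""
    tmp = tempfile.mkdtemp()
    new_pem = os.path.join(tmp, "etc-jabberd-server.pem")            # copied here
    old_pem = os.path.join(tmp, "pki-spacewalk-jabberd-server.pem")  # config names this
    for path, body in ((new_pem, b"constructed CA-issued PEM\n"),
                       (old_pem, b"constructed self-signed PEM\n")):
        with open(path, "wb") as fh:
            fh.write(body)
    xml_text = ("<c2s><router><pemfile>%s</pemfile></router>"
                "<local><pemfile>%s</pemfile></local></c2s>" % (old_pem, old_pem))
    return audit(xml_text, new_pem)

if __name__ == "__main__":
    for where, path, status in demo():
        print(where, path, status)
```

On a real server, call `audit(open("/etc/jabberd/c2s.xml").read(), "/etc/jabberd/server.pem")`; any "DIFFERENT" or "missing" row means jabberd is not serving the certificate that was copied in.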



