[Spacewalk-list] Help with client connection to Spacewalk Proxy via SSL with CA signed cert

William Clark majorgearhead at gmail.com
Fri Aug 12 22:30:14 UTC 2011


I run this topo due to the fact that my master is on a non-routable network that is firewalled off, and it is much easier for me to punch holes for the 2 proxies (each at different sites).

What I did was set up my master server with a CA-signed cert.  There was quite a bit of manual config needed to make this work.  I then set up the proxy servers to connect to the master over SSL.  To do this I had to include the CA's certificate chain in my newly created cert file.  The last part was the fact that the proxies' web interfaces had self-signed SSL certs.  Because the host's certificate chain contained the CA cert from the CA I used to sign all of the other certs, it did not recognize the self-signed web certs.  Changing out the self-signed Apache certs on the proxies with CA-signed certs and restarting the Apache servers made it so I can connect a client to the proxy with SSL.  This also means I have SSL from the start of the connection all the way to the end with the master.

William Clark

On Aug 12, 2011, at 1:03 PM, Walid wrote:

> Dear William,
> 
> May I ask why you are using such a topology, Spacewalk + 2 proxies? And do you mean the ss.csr from the proxies signed by the CA from the master Spacewalk?
> 
> kind regards
> 
> Walid
> 
> On 12 August 2011 21:44, William Clark <majorgearhead at gmail.com> wrote:
> I solved the issue.  I took the CSR in /etc/httpd/conf/ssl.csr and used that to get a signed cert from my CA.  I then took the resultant cert and moved it to /etc/httpd/conf/ssl.crt/server.crt.  I then restarted httpd and I no longer get SSL errors on clients trying to connect to the proxy with SSL.  Nothing else broke in the process so I believe I am good to go.
> 
> William Clark
> 
> On Aug 12, 2011, at 11:07 AM, William Clark wrote:
> 
> > Here is some background on the system I am running.  I currently have a single Spacewalk server running SW1.4 and I have 2 proxy servers running proxy 1.4.
> >
> > On my Spacewalk server I have a CA-signed cert and set everything up for that.  I connected the proxies and they communicate to the master server over SSL with no issues.  The problem comes in when I try to connect via SSL from a client to one of the proxy servers.  I get SSL certificate errors.  I suspect that this may have something to do with the fact that I have a CA-signed cert on the master but not the proxies.  So when the proxies try and validate their self-signed certs against the CA chain I have from a valid CA they cannot validate their certs.
> >
> > Question is, is there a way to get CA-signed certs in place on the proxies so that I can connect to the proxies from clients via SSL?
> >
> > William Clark
> >
> 
> 
> 
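
The failure and the fix described in this thread, reproduced offline as an added example (not part of the original posts): a client that trusts only the CA rejects a self-signed server certificate and accepts one issued by that CA from the same CSR. The CA, the host name `proxy.example.test` and all file names are constructed for the demo and live in a temporary directory.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not the poster's real certs.

# verify_against_ca CA_BUNDLE CERT
# Succeeds only if CERT chains to CA_BUNDLE (what an SSL client checks).
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# build_demo_pki DIR
# Creates a demo CA, one proxy key + CSR, and two certs from that CSR:
#   selfsigned.crt  signed with the proxy's own key (the failing case)
#   server.crt      signed by the demo CA (the fix from the thread)
build_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=proxy.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
        -days 1 -out "$d/selfsigned.crt" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/server.crt" 2>/dev/null
}

# Demo run: show which certificate a CA-only trust store accepts.
demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for c in selfsigned.crt server.crt; do
    if verify_against_ca "$demo_dir/ca.crt" "$demo_dir/$c"; then
        echo "$c: trusted by CA bundle"
    else
        echo "$c: rejected by CA bundle"
    fi
done
rm -rf "$demo_dir"
```

On a real proxy the same check applies to the installed `server.crt` with the CA chain file the clients use as the `-CAfile` argument.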
