[Spacewalk-list] Spacewalk Signed SSL Certificate - Not Working

jdfire at cox.net jdfire at cox.net
Thu Jun 2 15:19:10 UTC 2011


Hello List, 

I have determined what my issue is. It seems to be a bug with the OSA-dispatcher service. My signed cert uses x509v3 extensions with Key Usage set to critical, Digital Signature, and Key Encipherment. This configuration stops the OSA-Dispatcher service from verifying my cert. If I add Certificate Sign to the Key Usage settings, it will accept the certificate. Based on RFC 5280 (http://www.ietf.org/rfc/rfc5280.txt), Certificate Sign is for CAs to actually sign certificates. I will go ahead and open a bug on this issue. If you by chance have any quick resolution to this issue, please let me know. Thank you for your time and have a great day!

Kind regards,
JD 


---- jdfire at cox.net wrote: 
> Hello List,
> 
> I just received a signed SSL Certificate and was trying to install the cert into Spacewalk. I was able to get apache and all of that working. The issue I am running into is with osa-dispatcher. It seems that osa-dispatcher is having problems verifying the cert. Below you will find the commands I have performed thus far in order to try and get it working. Please let me know if there is anything else I can try to get this working. Thank you for your time and have a great day!
> 
> If you are unable to see the following please use the pastebin link: http://pastebin.com/aXvhdU3K
> 
> cd /root
> cat /dev/null > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
> openssl x509 -in /root/swkeys/spacewalkdev/<FQDN>.crt -text >> /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
> /bin/cp -f /root/swkeys/spacewalkdev/<FQDN>.key /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
> openssl x509 -in /root/swkeys/spacewalkdev/<FQDN>.crt -text > /root/ssl-build/spacewalkdev/server.crt
> /bin/cp -f /root/swkeys/spacewalkdev/<FQDN>.key /root/ssl-build/spacewalkdev/server.key
> /bin/cp -f /root/swkeys/spacewalkdev/<FQDN>.csr /root/ssl-build/spacewalkdev/server.csr
> /bin/cp -f /root/swkeys/spacewalkdev/gd_bundle.crt /usr/share/rhn/RHNS-CA-CERT
> rhn-ssl-tool --gen-server --set-hostname=<FQDN> --rpm-only
> rpm -Fvh ./ssl-build/spacewalkdev/rhn-org-httpd-ssl-key-pair-spacewalkdev-<new-version>.noarch.rpm
> cat /dev/null > /root/ssl-build/spacewalkdev/server.pem
> cat /root/ssl-build/spacewalkdev/server.crt >> /root/ssl-build/spacewalkdev/server.pem
> cat /root/ssl-build/spacewalkdev/server.key >> /root/ssl-build/spacewalkdev/server.pem
> /bin/cp -f /root/ssl-build/spacewalkdev/server.pem /etc/pki/spacewalk/jabberd/server.pem
> /bin/cp -f /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
> spacewalk-service restart
> 
> Kind regards,
> JD
> 

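An added example, not part of the original thread or of Spacewalk's code: a stdlib-only Python decoder for the DER keyUsage extension (RFC 5280, section 4.2.1.3), run on two hand-constructed extension encodings, one matching the Key Usage settings described in the message and one with Certificate Sign added. The function names and the sample bytes are assumptions made for illustration.

```python
# KeyUsage bit names from RFC 5280 section 4.2.1.3, bit 0 first.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID = bytes.fromhex("551d0f")  # OID 2.5.29.15

# Constructed sample Extension encodings (not taken from any real certificate).
POSTED = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
WITH_CERT_SIGN = bytes.fromhex("300e0603551d0f0101ff0404030202a4")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER element."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form DER element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos], buf[pos + 2:end], end

def parse_key_usage(ext_der):
    """Decode one DER Extension; return (critical, set of usage names)."""
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    tag, val, nxt = read_tlv(body, pos)
    critical = False
    if tag == 0x01:  # optional BOOLEAN, DEFAULT FALSE
        critical = val != b"\x00"
        tag, val, nxt = read_tlv(body, nxt)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, bits, _ = read_tlv(val, 0)
    if tag != 0x03 or len(bits) < 2:
        raise ValueError("expected BIT STRING")
    unused, data = bits[0], bits[1:]
    nbits = len(data) * 8 - unused  # DER strips trailing zero bits
    usages = {name for i, name in enumerate(KEY_USAGE_BITS)
              if i < nbits and data[i // 8] & (0x80 >> (i % 8))}
    return critical, usages

if __name__ == "__main__":
    for label, der in (("posted", POSTED), ("with keyCertSign", WITH_CERT_SIGN)):
        critical, usages = parse_key_usage(der)
        print(label, "critical=%s" % critical, sorted(usages))
```
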


