[Spacewalk-list] repos wrong SSL name ?
Matthew Darcy
MDarcy at sch-group.net
Tue May 24 07:48:41 UTC 2011
While playing around with spacewalk yesterday to try to resolve a DNS issue I appear to have broken my SSL certificate for my repos.
I've just built a test CentOS 5 machine from my Spacewalk 1.4 Oracle server, great, no problems.
When I run a yum update on the client to test the functionality, I get a large trace from Python that basically says the hostname is wrong in the SSL certificate.
[quote]
[root at vmbuild01 ~]# yum update
Loaded plugins: fastestmirror, rhnplugin
Loading mirror speeds from cached hostfile
Traceback (most recent call last):
File "/usr/bin/yum", line 29, in ?
yummain.user_main(sys.argv[1:], exit_code=True)
File "/usr/share/yum-cli/yummain.py", line 309, in user_main
errcode = main(args)
File "/usr/share/yum-cli/yummain.py", line 178, in main
result, resultmsgs = base.doCommands()
File "/usr/share/yum-cli/cli.py", line 345, in doCommands
self._getTs(needTsRemove)
File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs
self._getTsInfo(remove_only)
File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo
pkgSack = self.pkgSack
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 662, in <lambda>
pkgSack = property(fget=lambda self: self._getSacks(),
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 502, in _getSacks
self.repos.populateSack(which=repos)
File "/usr/lib/python2.4/site-packages/yum/repos.py", line 260, in populateSack
sack.populate(repo, mdtype, callback, cacheonly)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 168, in populate
if self._check_db_version(repo, mydbtype):
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 226, in _check_db_version
return repo._check_db_version(mdtype)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1233, in _check_db_version
repoXML = self.repoXML
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1406, in <lambda>
repoXML = property(fget=lambda self: self._getRepoXML(),
File "/usr/share/yum-plugins/rhnplugin.py", line 500, in _getRepoXML
return YumRepository._getRepoXML(self)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1398, in _getRepoXML
self._loadRepoXML(text=self)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1388, in _loadRepoXML
return self._groupLoadRepoXML(text, ["primary"])
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1372, in _groupLoadRepoXML
if self._commonLoadRepoXML(text):
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1208, in _commonLoadRepoXML
result = self._getFileRepoXML(local, text)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 989, in _getFileRepoXML
cache=self.http_caching == 'all')
File "/usr/share/yum-plugins/rhnplugin.py", line 322, in _getFile
start, end, copy_local, checkfunc, text, reget, cache, size)
File "/usr/share/yum-plugins/rhnplugin.py", line 424, in _noExceptionWrappingGet
size = size
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 936, in urlgrab
return self._retry(opts, retryfunc, url, filename)
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 854, in _retry
r = apply(func, (opts,) + args, {})
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 922, in retryfunc
fo = URLGrabberFileObject(url, filename, opts)
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1010, in __init__
self._do_open()
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1093, in _do_open
fo, hdr = self._make_request(req, opener)
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1202, in _make_request
fo = opener.open(req)
File "/usr/lib64/python2.4/urllib2.py", line 358, in open
response = self._open(req, data)
File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
'_open', req)
File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
result = func(*args)
File "/usr/lib64/python2.4/site-packages/M2Crypto/m2urllib2.py", line 82, in https_open
h.request(req.get_method(), req.get_selector(), req.data, headers)
File "/usr/lib64/python2.4/httplib.py", line 810, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.4/httplib.py", line 833, in _send_request
self.endheaders()
File "/usr/lib64/python2.4/httplib.py", line 804, in endheaders
self._send_output()
File "/usr/lib64/python2.4/httplib.py", line 685, in _send_output
self.send(msg)
File "/usr/lib64/python2.4/httplib.py", line 652, in send
self.connect()
File "/usr/lib64/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
self.sock.connect((self.host, self.port))
File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 177, in connect
if not check(self.get_peer_cert(), self.addr[0]):
File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 113, in __call__
fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected spacewalk01.sccis.net, got spacewalk01
[/quote]
To resolve this I used
rhn-ssl-tool --gen-server --set-hostname="spacewalk01.sccis.net"
which should set the certificate to the correct FQDN I'm now using. It didn't work.
A little more research and I believe the Peer certificate is actually the CA, so to resolve this I did
rhn-ssl-tool --gen-ca --force --set-common-name="spacewalk01.sccis.net"
which replaced my existing CA with a new one with the correct common name. I then re-ran rhn-ssl-tool --gen-ca --force --set-common-name="spacewalk01.sccis.net" to get that created against the new CA.
All should be well.
Just kickstarted another test machine, tried to update and got the same error, still complaining about the common name being spacewalk01 rather than spacewalk01.sccis.net.
Have I missed something?
Thanks,
Matt
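
The WrongHost error in the traceback comes from comparing the names in the certificate the server presents with the hostname the client connects to. The following is an added example, not part of the original post and not M2Crypto's code: a standard-library re-implementation of that comparison, run over constructed certificate dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns. The function names and sample certificates are assumptions made for illustration.

```python
# Added example: stdlib-only hostname check, not M2Crypto's own code.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert().

def name_matches(pattern, host):
    """Compare one presented DNS name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "spacewalk01" can never equal "spacewalk01.sccis.net"
    if p[0] == "*":
        # Conservative choice for this example: a wildcard must be the whole
        # leftmost label and needs at least two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def presented_names(cert):
    """Return (source, names): subjectAltName DNS entries win over commonName."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return "subjectAltName", san
    cn = [v for rdn in cert.get("subject", ()) for (k, v) in rdn
          if k == "commonName"]
    return "commonName", cn

def check_host(cert, expected_host):
    """Return (ok, source, names) so a failure says which field was compared."""
    source, names = presented_names(cert)
    ok = any(name_matches(n, expected_host) for n in names)
    return ok, source, names

# Constructed sample certificates (not taken from a real server).
SHORT_CN = {"subject": ((("commonName", "spacewalk01"),),)}
FQDN_CN = {"subject": ((("commonName", "spacewalk01.sccis.net"),),)}
SHORT_CN_WITH_SAN = {
    "subject": ((("commonName", "spacewalk01"),),),
    "subjectAltName": (("DNS", "spacewalk01.sccis.net"),),
}

if __name__ == "__main__":
    host = "spacewalk01.sccis.net"
    for label, cert in (("short CN", SHORT_CN), ("FQDN CN", FQDN_CN),
                        ("short CN + SAN", SHORT_CN_WITH_SAN)):
        ok, source, names = check_host(cert, host)
        print("%-15s %-5s checked %s=%s" % (label, ok, source, names))
```
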