[Spacewalk-list] repos wrong SSL name ?

Matthew Darcy MDarcy at sch-group.net
Tue May 24 07:48:41 UTC 2011


While playing around with spacewalk yesterday to try to resolve a DNS issue I appear to have broken my SSL certificate for my repos.

I've just built a test centos 5 machine from my spacewalk 1.4 Oracle server, great, no problems.

When I run a yum update on the client to test the functionality, I get a large trace from Python that basically says the hostname is wrong in the SSL certificate.

[quote]
[root@vmbuild01 ~]# yum update
Loaded plugins: fastestmirror, rhnplugin
Loading mirror speeds from cached hostfile
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 178, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 345, in doCommands
    self._getTs(needTsRemove)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs
    self._getTsInfo(remove_only)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo
    pkgSack = self.pkgSack
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 662, in <lambda>
    pkgSack = property(fget=lambda self: self._getSacks(),
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 502, in _getSacks
    self.repos.populateSack(which=repos)
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 260, in populateSack
    sack.populate(repo, mdtype, callback, cacheonly)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 168, in populate
    if self._check_db_version(repo, mydbtype):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 226, in _check_db_version
    return repo._check_db_version(mdtype)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1233, in _check_db_version
    repoXML = self.repoXML
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1406, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/share/yum-plugins/rhnplugin.py", line 500, in _getRepoXML
    return YumRepository._getRepoXML(self)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1398, in _getRepoXML
    self._loadRepoXML(text=self)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1388, in _loadRepoXML
    return self._groupLoadRepoXML(text, ["primary"])
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1372, in _groupLoadRepoXML
    if self._commonLoadRepoXML(text):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1208, in _commonLoadRepoXML
    result = self._getFileRepoXML(local, text)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 989, in _getFileRepoXML
    cache=self.http_caching == 'all')
  File "/usr/share/yum-plugins/rhnplugin.py", line 322, in _getFile
    start, end, copy_local, checkfunc, text, reget, cache, size)
  File "/usr/share/yum-plugins/rhnplugin.py", line 424, in _noExceptionWrappingGet
    size = size
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 936, in urlgrab
    return self._retry(opts, retryfunc, url, filename)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 854, in _retry
    r = apply(func, (opts,) + args, {})
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 922, in retryfunc
    fo = URLGrabberFileObject(url, filename, opts)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1010, in __init__
    self._do_open()
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1093, in _do_open
    fo, hdr = self._make_request(req, opener)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1202, in _make_request
    fo = opener.open(req)
  File "/usr/lib64/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.4/site-packages/M2Crypto/m2urllib2.py", line 82, in https_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.4/httplib.py", line 810, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.4/httplib.py", line 833, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.4/httplib.py", line 804, in endheaders
    self._send_output()
  File "/usr/lib64/python2.4/httplib.py", line 685, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.4/httplib.py", line 652, in send
    self.connect()
  File "/usr/lib64/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 177, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 113, in __call__
    fieldName='commonName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected spacewalk01.sccis.net, got spacewalk01
[/quote]

To resolve this I used

rhn-ssl-tool --gen-server --set-hostname="spacewalk01.sccis.net"

which should set the certificate to the correct FQDN I'm now using; it didn't work.

A little more research and I believe the Peer certificate is actually the CA, so to resolve this I did

rhn-ssl-tool --gen-ca --force --set-common-name="spacewalk01.sccis.net"

which replaced my existing CA with a new one with the correct common name. I then re-ran rhn-ssl-tool --gen-ca --force --set-common-name="spacewalk01.sccis.net" to get that created against the new CA.

All should be well.

Just kickstarted another test machine, tried to update and got the same error, still complaining about the common name being spacewalk01 rather than spacewalk01.sccis.net.

Have I missed something?

Thanks,

Matt
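
Added example, not part of the original post: a small Python 3 check that reports which names the server certificate actually presents and compares them with the hostname the client expects, reproducing the kind of mismatch shown in the traceback. The function names and the `ca_file` parameter (the path to the CA certificate the client trusts) are assumptions for illustration, the sample certificates are constructed, and the comparison is a simplified exact-name match without wildcard support.

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SHORT_NAME_CERT = {"subject": ((("commonName", "spacewalk01"),),)}
FQDN_CERT = {"subject": ((("commonName", "spacewalk01.sccis.net"),),)}
SAN_CERT = {"subject": ((("commonName", "spacewalk01"),),),
            "subjectAltName": (("DNS", "spacewalk01.sccis.net"),)}


def names_from_cert(cert):
    """Return (common_names, dns_alt_names) from a getpeercert() dict."""
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def check_host(cert, expected_host):
    """Compare the certificate's names with the host the client connects to.

    DNS subjectAltName entries take precedence over commonName when present.
    Returns (ok, message).
    """
    cns, sans = names_from_cert(cert)
    candidates = sans or cns
    want = expected_host.lower().rstrip(".")
    for name in candidates:
        if name.lower().rstrip(".") == want:
            return True, "certificate matches %s" % expected_host
    got = ", ".join(candidates) or "no name"
    return False, "expected %s, got %s" % (expected_host, got)


def fetch_peer_cert(host, port, ca_file):
    """Fetch the server certificate, validating the chain against ca_file
    (assumed path to the trusted CA) but leaving the name check to check_host()."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # report the mismatch ourselves instead of failing
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running `check_host(fetch_peer_cert(host, 443, ca_file), host)` from a client after each certificate change shows whether the certificate the web server is serving has actually changed.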

