[Spacewalk-list] CA Signed SSL Certificate Install Problems v1.6

Jeremy Davis jdavis4102 at gmail.com
Sat Feb 25 17:33:56 UTC 2012


Hello List,

I am trying to install a CA-signed SSL certificate and am having problems with
osa-dispatcher verifying the certificate. I am getting the following error
while restarting the osa-dispatcher service.

 Starting osa-dispatcher: RHN 10059 2011/07/29 09:44:48 -07:00: ('Traceback

caught:',)
RHN 10059 2011/07/29 09:44:48 -07:00: ('Traceback (most recent call
last):\n
File "/usr/share/rhn/osad/jabber_lib.py", line 610, in connect\n
ssl.do_handshake()\nError: [(\'SSL routines\',
\'SSL3_GET_SERVER_CERTIFICATE\',
\'certificate verify failed\')]\n',)

I have the following configuration in my /etc/rhn/rhn.conf file:
osa-dispatcher.osa_ssl_cert = /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
server.satellite.ca_chain = /usr/share/rhn/RHNS-CA-CERT

On my clients I have the following setup:
in /etc/sysconfig/rhn/osad.conf
osa_ssl_cert = /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

/etc/sysconfig/rhn/up2date
sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHNS-CA-CERT

Now, when I received my signed certificate I received 4 files.
.csr .crt .key and CA_bundle.crt

The steps I used to configure Spacewalk to use the signed cert are as
follows:
openssl x509 -in Signed-cert.crt -text > /root/ssl-build/removed for security/server.crt

/bin/cp -f /root/swkeys/removed for security/Signed-cert.csr /root/ssl-build/removed for security/server.csr

/bin/cp -f /root/swkeys/removed for security/Signed-cert.key /root/ssl-build/removed for security/server.key

cat /root/ssl-build/removed for security/server.crt /root/ssl-build/removed for security/server.key > /root/ssl-build/removed for security/server.pem

cd /root/

rhn-ssl-tool --gen-server --set-hostname=removed for security.intranet.gdg --rpm-only

rpm -qa | grep rhn-org

rpm -e rhn-org-httpd-ssl-key-pair-removed for security.dev-1.0-8

rpm -Fvh ./ssl-build/removed for security/rhn-org-httpd-ssl-key-pair-removed for security-1.0-9.noarch.rpm

/bin/cp -f ./ssl-build/removed for security/server.pem /etc/pki/spacewalk/jabberd/server.pem

openssl x509 -in /root/swkeys/removed for security/Signed-cert.crt -text > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

openssl x509 -in /root/swkeys/removed for security/CA_bundle.crt -text > /usr/share/rhn/RHNS-CA-CERT

rhn-ssl-tool --gen-ca --rpm-only

/bin/cp -f /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT

spacewalk-service start

Spacewalk-Proxy:
wget -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT http://removed for security/pub/RHN-ORG-TRUSTED-SSL-CERT

With the above steps, do you see anything that I am doing wrong that I can
change to get this working? It seems to me that the
RHN-ORG-TRUSTED-SSL-CERT should be my signed cert and have RHNS-CA-CERT be
my CA_bundle to verify it. Thank you in advance for your help in this and
thank you for your time.

Regards,
Jeremy
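
An added example, not part of the original post: a self-contained check, on a constructed three-level chain, of which CA file can validate a server certificate. It shows that "openssl x509 -in FILE -text" writes out only the first certificate of a multi-certificate file, and that a trust file holding only the server certificate does not validate it under "openssl verify" defaults. All file names, subject names and the temporary directory are made up for the demo.

```bash
#!/bin/sh
# Added example: constructed demo PKI (root CA -> intermediate CA -> server cert).
# Every file name, subject and directory here is made up for the demonstration.
set -e

new_csr() {  # $1 = file stem, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# Build the chain inside directory $1 (subshell body keeps the caller's cwd).
make_demo_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root "Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.crt 2>/dev/null
  new_csr inter "Demo Intermediate CA"
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.crt 2>/dev/null
  new_csr server "spacewalk.example.test"
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -out server.crt 2>/dev/null
  cat inter.crt root.crt > CA_bundle.crt               # two-certificate bundle
  openssl x509 -in CA_bundle.crt -text > via_x509.crt  # conversion used in the post
  openssl x509 -in server.crt -text > leaf_only.crt    # trust file = server cert only
)

# Number of PEM certificates in file $1.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# True only if certificate $2 chains to a trust anchor in CA file $1.
# Matching the "OK" line avoids relying on the exit status alone.
verifies() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
for ca in CA_bundle.crt via_x509.crt leaf_only.crt; do
  if verifies "$DEMO_DIR/$ca" "$DEMO_DIR/server.crt"; then r="verifies"; else r="FAILS"; fi
  echo "$ca: $(count_certs "$DEMO_DIR/$ca") certificate(s), server.crt $r"
done
```

On a real server the same "openssl verify -CAfile <trust file> <server certificate>" check can be run against the file named by osa_ssl_cert and the certificate in /etc/pki/spacewalk/jabberd/server.pem.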