[Spacewalk-list] CA Signed SSL Certificate Install Problems v1.6

Jeremy Davis jdavis4102 at gmail.com
Mon Feb 27 16:43:02 UTC 2012


On Sat, Feb 25, 2012 at 10:33 AM, Jeremy Davis <jdavis4102 at gmail.com> wrote:

> Hello List,
>
> I am trying to install a CA signed SSL certificate and having problems
> with osa-dispatcher verifying the certificate. I am getting the following
> error while restarting the osa-dispatcher service.
>
>  Starting osa-dispatcher: RHN 10059 2011/07/29 09:44:48 -07:00: ('Traceback caught:',)
> RHN 10059 2011/07/29 09:44:48 -07:00: ('Traceback (most recent call
> last):\n
> File "/usr/share/rhn/osad/jabber_lib.py", line 610, in connect\n
> ssl.do_handshake()\nError: [(\'SSL routines\',
> \'SSL3_GET_SERVER_CERTIFICATE\',
> \'certificate verify failed\')]\n',)
>
> I have the following configuration in my /etc/rhn/rhn.conf file:
> osa-dispatcher.osa_ssl_cert = /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
> server.satellite.ca_chain = /usr/share/rhn/RHNS-CA-CERT
>
> On my clients I have the following setup:
> in /etc/sysconfig/rhn/osad.conf
> osa_ssl_cert = /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>
> /etc/sysconfig/rhn/up2date
> sslCACert[comment]=The CA cert used to verify the ssl server
> sslCACert=/usr/share/rhn/RHNS-CA-CERT
>
> Now, when I received my signed certificate I received 4 files.
> .csr .crt .key and CA_bundle.crt
>
> The steps I used to configure Spacewalk to use the signed cert are as
> follows:
> openssl x509 -in Signed-cert.crt -text > /root/ssl-build/removed for
> security/server.crt
>
> /bin/cp -f /root/swkeys/removed for security/Signed-cert.csr
> /root/ssl-build/removed for security/server.csr
>
> /bin/cp -f /root/swkeys/removed for security/Signed-cert.key
> /root/ssl-build/removed for security/server.key
>
> cat /root/ssl-build/removed for security/server.crt
> /root/ssl-build/removed for security/server.key > /root/ssl-build/removed
> for security/server.pem
>
> cd /root/
>
> rhn-ssl-tool --gen-server --set-hostname=removed for security.intranet.gdg
> --rpm-only
>
> rpm -qa | grep rhn-org
>
> rpm -e rhn-org-httpd-ssl-key-pair-removed for security.dev-1.0-8
>
> rpm -Fvh ./ssl-build/removed for
> security/rhn-org-httpd-ssl-key-pair-removed for security-1.0-9.noarch.rpm
>
> /bin/cp -f ./ssl-build/removed for security/server.pem
> /etc/pki/spacewalk/jabberd/server.pem
>
> openssl x509 -in /root/swkeys/removed for security/Signed-cert.crt -text >
> /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
>
> openssl x509 -in /root/swkeys/removed for security/CA_bundle.crt -text >
> /usr/share/rhn/RHNS-CA-CERT
>
> rhn-ssl-tool --gen-ca --rpm-only
>
> /bin/cp -f /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
> /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>
> spacewalk-service start
>
> Spacewalk-Proxy:
> wget -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT http://removed for
> security/pub/RHN-ORG-TRUSTED-SSL-CERT
>
> With the above steps, do you see anything that I am doing wrong that I can
> change to get this working? It seems to me that the
> RHN-ORG-TRUSTED-SSL-CERT should be my signed cert and have RHNS-CA-CERT be
> my CA_bundle to verify it. Thank you in advance for your help in this and
> thank you for your time.
>
> Regards,
> Jeremy
>
>
I thought I would resend this as I sent it over the weekend where everyone
was not looking at their email. Any ideas as to what I am doing wrong or how
to resolve this issue?
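
A check for the "certificate verify failed" handshake error quoted above, added here as an example and not part of the original post: it verifies a server certificate against a trust file with `openssl verify` and counts the certificates each file holds. It relies on `openssl x509 -in FILE -text` emitting only the first certificate in FILE, and on OpenSSL by default needing a chain that ends at a self-signed root present in the trust file. The throwaway PKI, its CNs and all file names other than CA_bundle.crt are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. All certificates are throwaway
# ones constructed by make_demo_pki; names and paths are assumptions.

# Count PEM certificates in a file (prints 0 when there are none).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# chains_to TRUSTFILE CERT: succeed only if CERT verifies against TRUSTFILE,
# the same kind of check a TLS client makes during the handshake. Matches the
# "OK" line of the output instead of relying on the exit status.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_demo_pki DIR: build root CA -> issuing CA -> server cert, a two-cert
# CA_bundle.crt, and converted.crt made with "openssl x509 -in ... -text".
make_demo_pki() {
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=spacewalk.example.test' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null &&
    cat "$d/int.crt" "$d/root.crt" > "$d/CA_bundle.crt" &&
    openssl x509 -in "$d/CA_bundle.crt" -text > "$d/converted.crt"
}

# Stand-alone: sh chaincheck.sh demo
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && make_demo_pki "$dir" || exit 1
    for trust in CA_bundle.crt converted.crt server.crt; do
        printf '%-14s certs=%s ' "$trust" "$(count_pem_certs "$dir/$trust")"
        if chains_to "$dir/$trust" "$dir/server.crt"; then echo 'verify=OK'
        else echo 'verify=FAILED'; fi
    done
    rm -rf "$dir"
fi
```

On a real server the same two functions can be pointed at the file named by osa_ssl_cert and at /etc/pki/spacewalk/jabberd/server.pem, assuming osa-dispatcher verifies jabberd's certificate against that file.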