[Spacewalk-list] Wildcard certificate and osad dispatcher
Milan Zazrivec
mzazrivec at redhat.com
Wed Jul 10 07:45:22 UTC 2013
> I have installed a wildcard cert into Apache on my spacewalk server. I am
> getting an error trying to start osad dispatcher: Starting osa-dispatcher:
> RHN 5813 2013/07/10 01:35:21 -04:00: ('Traceback caught:',)RHN 5813
> 2013/07/10 01:35:21 -04:00: ('Traceback (most recent call last):\n File
> "/usr/share/rhn/osad/jabber_lib.py", line 616, in connect\n
> ssl.do_handshake()\nError: [(\'SSL routines\',
> \'SSL3_GET_SERVER_CERTIFICATE\', \'certificate verify failed\')]\n',) I
> know that jabber uses a server.pem file so I copied over a server.pem file
> that has my private key and wildcard cert in it.
The server.pem (yes, jabberd uses the PEM format) is in fact the server's SSL
cert (the public / private key pair).
> I was also wondering
> what certs these should be: RHN-ORG-TRUSTED-SSL-CERT - would this be the
> server certificate itself? RHNS-CA-CERT - would this be the CA cert/certs
> from my 3rd party vendor?
No, both RHN-ORG-TRUSTED-SSL-CERT and RHNS-CA-CERT are certificates
of the CA that signed your server certificate.
Just historically, Red Hat's rhn-client-tools come with a default
configuration pointing to RHNS-CA-CERT, which contains the cert of Red Hat's CA.
You just need to point your client configuration to the correct CA cert file
(doesn't matter what you name it).
> I am wondering if the wildcard cert is the issue
> as I have been reading that jabber is picky about host names being same.
> Of course wildcard cert would be *.name.com and not spacewalk.name.com.
> Should I avoid a wildcard cert for Spacewalk? Any assistance would be
> great. This whole cert thing is a major pain to configure when you cannot
> use self signed due to internal policies.
I'm not sure if this is really a jabberd problem. Does the jabberd server
start correctly with your wildcard certificate? (something in /var/log/messages)
My guess would be that it's osa-dispatcher that's rejecting the certificate.
-MZ
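
Added example, not part of the original message or of Spacewalk's own tooling: a way to check offline that the certificate in a combined server.pem chains to the CA file a client is pointed at, and that the key and certificate in that file belong together. The throwaway CAs, file names and the `chain_ok`, `key_matches` and `make_demo_pki` helpers are constructed for the demo; the thread does not say which CA file osa-dispatcher reads, so pass whichever path your configuration names.

```shell
#!/bin/sh
# Added example; every file name and subject here is constructed for the demo.

# chain_ok CA_FILE SERVER_PEM
# Succeeds only if the certificate in SERVER_PEM chains to a CA in CA_FILE.
# -no-CApath keeps the system trust directory out of the decision.
chain_ok() {
    out=$(openssl verify -no-CApath -CAfile "$1" "$2" 2>&1) || return 1
    case $out in *": OK") return 0 ;; *) return 1 ;; esac
}

# key_matches SERVER_PEM
# Succeeds only if the private key and the certificate stored together in
# SERVER_PEM carry the same public key.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_demo_pki DIR
# Builds two throwaway CAs and a *.name.com certificate signed by the first,
# then writes DIR/server.pem (key followed by certificate).
make_demo_pki() {
    d=$1
    for ca in signing other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=demo $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.name.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 2 \
        -CA "$d/signing-ca.crt" -CAkey "$d/signing-ca.key" -CAcreateserial \
        -out "$d/server.crt" 2>/dev/null || return 1
    cat "$d/server.key" "$d/server.crt" > "$d/server.pem"
}

# Demo run on constructed material: the signing CA verifies, the other does not.
demo=$(mktemp -d)
make_demo_pki "$demo"
chain_ok "$demo/signing-ca.crt" "$demo/server.pem" && echo "signing CA file: OK"
chain_ok "$demo/other-ca.crt" "$demo/server.pem" || echo "other CA file: certificate verify failed"
key_matches "$demo/server.pem" && echo "key and certificate match"
rm -rf "$demo"
```

If the vendor's chain includes intermediate CAs, the CA file has to contain them as well for `chain_ok` to succeed.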