[Spacewalk-list] Wildcard certificate and osad dispatcher

Milan Zazrivec mzazrivec at redhat.com
Wed Jul 10 07:45:22 UTC 2013


> I have installed a wildcard cert into Apache on my spacewalk server.  I am
> getting an error trying to start osad dispatcher: Starting osa-dispatcher:
> RHN 5813 2013/07/10 01:35:21 -04:00: ('Traceback caught:',)RHN 5813
> 2013/07/10 01:35:21 -04:00: ('Traceback (most recent call last):\n  File
> "/usr/share/rhn/osad/jabber_lib.py", line 616, in connect\n   
> ssl.do_handshake()\nError: [(\'SSL routines\',
> \'SSL3_GET_SERVER_CERTIFICATE\', \'certificate verify failed\')]\n',) I
> know that jabber uses a server.pem file so I copied over a server.pem file
> that has my private key and wildcard cert in it.

The server.pem (yes, jabberd uses the pem format) is in fact the server's ssl
cert (the public / private key pair).

> I was also wondering
> what certs these should be: RHN-ORG-TRUSTED-SSL-CERT - would this be the
> server certificate itself? RHNS-CA-CERT - would this be the CA cert/certs
> from my 3rd party vendor?

No, both RHN-ORG-TRUSTED-SSL-CERT and RHNS-CA-CERT are certificates
of the CA that signed your server certificate.

Just historically, Red Hat's rhn-client-tools come with a default
configuration pointing to RHNS-CA-CERT, which contains the cert of Red Hat's CA.

You just need to point your client configuration to the correct CA cert file
(doesn't matter what you name it).

> I am wondering if the wildcard cert is the issue
> as I have been reading that jabber is picky about host names being same. 
> Of course wildcard cert would be *.name.com and not spacewalk.name.com. 
> Should I avoid a wildcard cert for Spacewalk?  Any assistance would be
> great.  This whole cert thing is a major pain to configure when you cannot
> use self signed due to internal policies.

I'm not sure if this is really a jabberd problem. Does the jabberd server
start correctly with your wildcard certificate? (something in /var/log/messages)

My guess would be that it's osa-dispatcher that's rejecting the certificate.

-MZ
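
Added example (not part of the original message and not Spacewalk code): a check that a given CA file actually verifies the certificate in a server.pem, which is the job of the CA cert file the client configuration points to. The CA names, the `*.example.com` subject and the temporary paths are constructed, and the script assumes the `openssl` CLI with its default configuration.

```shell
#!/bin/sh
# Constructed throwaway CAs and wildcard certificate; not the poster's files.

# verify_chain CAFILE CERTFILE -> exit 0 if CERTFILE verifies against CAFILE
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME -> writes DIR/NAME.key and DIR/NAME.crt (self-signed CA)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2 (constructed)" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_server_pem DIR CA CN -> writes DIR/server.pem (cert + key) signed by CA
make_server_pem() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/server.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.crt" >/dev/null 2>&1 &&
    cat "$1/server.crt" "$1/server.key" > "$1/server.pem"
}

# demo -> reports which of two CA files verifies the wildcard server.pem
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" vendor-ca && make_ca "$d" other-ca &&
    make_server_pem "$d" vendor-ca '*.example.com' || { rm -rf "$d"; return 1; }
    for ca in vendor-ca other-ca; do
        if verify_chain "$d/$ca.crt" "$d/server.pem"; then
            echo "$ca.crt: OK"
        else
            echo "$ca.crt: certificate verify failed"
        fi
    done
    rm -rf "$d"
}

demo
```

Only the CA that signed the certificate verifies it; pointing the check at any other CA file reproduces a verify failure regardless of the wildcard subject.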



