[Spacewalk-list] Certificate expiry

ndegz nndegz at gmail.com
Mon Jul 13 15:32:35 UTC 2015 

The new cert broke our kickstart configuration because the Org name changed
to Spacewalk Default Organization. To fix you can use spacecmd --org_rename
spacecmd -u admin -p password -- org_rename "Spacewalk Default
Organization" "My New Name"


On Mon, Jul 13, 2015 at 10:09 AM, Tomáš Kašpárek <tkasparek at redhat.com>
wrote:

> Hello,
>
> please follow instructions located at:
> https://fedorahosted.org/spacewalk/wiki/HowToUpgrade#PerformSpacewalkactivation
>
> Tomáš
>
>
> On 07/13/2015 03:56 PM, Coffman, Anthony J wrote:
>
>> I've got this also.
>>
>> Spacewalk 2.3
>>
>> --Tony
>>
>>
>>
>>
>> -----Original Message-----
>> From: spacewalk-list-bounces at redhat.com [mailto:
>> spacewalk-list-bounces at redhat.com] On Behalf Of Cliff Perry
>> Sent: Monday, July 13, 2015 6:32 AM
>> To: spacewalk-list at redhat.com
>> Subject: Re: [Spacewalk-list] Certificate expiry
>>
>> On 13/07/15 11:20, Kobus Bensch wrote:
>>
>>> Morning
>>>
>>> I need some help please. This morning I got this message on the
>>> Spacewalk login:
>>>
>>> Your satellite certificate has expired. Please visit the following
>>> link for steps on how to request or generate a new certificate:
>>> https://access.redhat.com/knowledge/tools/satcertYour satellite enters
>>> restricted period in 7 day(s).
>>>
>>> So I followed the instructions here to get this resolved:
>>>
>>> https://fedorahosted.org/spacewalk/wiki/CertCreation
>>>
>>> Here is the steps I took:
>>> gpg --gen-key
>>> gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law.
>>>
>>> Please select what kind of key you want:
>>>      (1) RSA and RSA (default)
>>>      (2) DSA and Elgamal
>>>      (3) DSA (sign only)
>>>      (4) RSA (sign only)
>>> Your selection? 1
>>> RSA keys may be between 1024 and 4096 bits long.
>>> What keysize do you want? (2048) 4096
>>> Requested keysize is 4096 bits
>>> Please specify how long the key should be valid.
>>>            0 = key does not expire
>>>         <n>  = key expires in n days
>>>         <n>w = key expires in n weeks
>>>         <n>m = key expires in n months
>>>         <n>y = key expires in n years
>>> Key is valid for? (0) 3y
>>> Key expires at Thu 12 Jul 2018 10:51:46 AM BST Is this correct? (y/N)
>>> y
>>>
>>> GnuPG needs to construct a user ID to identify your key.
>>>
>>> Real name: Infrastructure_Team
>>> Email address: infrastructure at company.com
>>> Comment: Spacewalk Cert
>>> You selected this USER-ID:
>>>       "Infrastructure_Team (Spacewalk Cert) <infrastructure at company.com
>>> >"
>>>
>>> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a
>>> Passphrase to protect your secret key.
>>>
>>> can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
>>> gpg-agent[12582]: directory `/root/.gnupg/private-keys-v1.d' created
>>> We need to generate a lot of random bytes. It is a good idea to
>>> perform some other action (type on the keyboard, move the mouse,
>>> utilize the
>>> disks) during the prime generation; this gives the random number
>>> generator a better chance to gain enough entropy.
>>> We need to generate a lot of random bytes. It is a good idea to
>>> perform some other action (type on the keyboard, move the mouse,
>>> utilize the
>>> disks) during the prime generation; this gives the random number
>>> generator a better chance to gain enough entropy.
>>> gpg: key C787B908 marked as ultimately trusted public and secret key
>>> created and signed.
>>>
>>> gpg: checking the trustdb
>>> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
>>> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
>>> gpg: next trustdb check due at 2018-07-12
>>> pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
>>>         Key fingerprint = E0A9 C645 60C3 FAD1 4EE9  0388 1627 481B C787
>>> B908
>>> uid                  Infrastructure_Team (Spacewalk Cert)
>>> <infrastructure at company.com>
>>> sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]
>>>
>>> gpg --list-keys
>>> /root/.gnupg/pubring.gpg
>>> ------------------------
>>> pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
>>> uid                  Red Hat, Inc (Red Hat Network)
>>> <rhn-feedback at redhat.com>
>>>
>>> pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
>>> uid                  Infrastructure_Team (Spacewalk Cert)
>>> <infrastructure at company.com>
>>> sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]
>>>
>>> [root at dc2pmzspw01 ~]# gpg --list-secret-keys /root/.gnupg/secring.gpg
>>> ------------------------
>>> sec   4096R/3E092771 2015-07-13 [expires: 2018-07-12]
>>> uid                  Infrastructure Team (Spacewalk Cert)
>>> <infrastructure at company.com>
>>> ssb   4096R/DCFD06A8 2015-07-13
>>>
>>> sec   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
>>> uid                  Infrastructure_Team (Spacewalk Cert)
>>> <infrastructure at company.com>
>>> ssb   4096R/113C619E 2015-07-13
>>>
>>> gpg --export -a C787B908 > spacewalk-key.gpg gpg --export-secret-keys
>>> -a C787B908 > spacewalk-secretkey.gpg
>>>
>>> gpg --keyring /etc/webapp-keyring-new.gpg --no-default-keyring
>>> --import spacewalk-key.gpg spacewalk-secretkey.gpg
>>> gpg: keyring `/etc/webapp-keyring-new.gpg' created
>>> gpg: key C787B908: public key "Infrastructure_Team (Spacewalk Cert)
>>> <infrastructure at company.com>" imported
>>> gpg: key C787B908: already in secret keyring
>>> gpg: Total number processed: 2
>>> gpg:               imported: 1  (RSA: 1)
>>> gpg:       secret keys read: 1
>>> gpg:  secret keys unchanged: 1
>>>
>>> mv /etc/webapp-keyring.gpg /etc/webapp-keyring-old.gpg mv
>>> /etc/webapp-keyring-new.gpg /etc/webapp-keyring.gpg
>>>
>>> gpg --keyring /etc/webapp-keyring.gpg --no-default-keyring --list-keys
>>> /etc/webapp-keyring.gpg
>>> -----------------------
>>> pub   4096R/C787B908 2015-07-13 [expires: 2018-07-12]
>>> uid                  Infrastructure_Team (Spacewalk Cert)
>>> <infrastructure at company.com>
>>> sub   4096R/113C619E 2015-07-13 [expires: 2018-07-12]
>>>
>>> ./gen-oss-sat-cert.pl --orgid 1 --owner "Infrastructure_Team
>>> (Spacewalk
>>> Cert) <infrastructure at company.com>" --signer C787B908 --output
>>> spacewalk-cert.cert --expires "2018-07-13 00:00:00" --slots 200000
>>> --satellite-version spacewalk
>>> Passphrase:
>>> gpg: Signature made Mon 13 Jul 2015 11:07:12 AM BST using RSA key ID
>>> C787B908
>>> gpg: Good signature from "Infrastructure_Team (Spacewalk Cert)
>>> <infrastructure at company.com>"
>>> Signatures validation succeeded.
>>> Certificate saved as tpgspacewalk-cert.cert
>>>
>>> rhn-satellite-activate --sanity-only --rhn-cert=spacewalk-cert.cert
>>> [no output]
>>>
>>> rhn-satellite-activate --disconnected --rhn-cert=spacewalk-cert.cert
>>> Certificate specifies 0 of virtualization_host_platform entitlements.
>>>       There are 3000 entitlements allocated to non-base org(s) (0 used).
>>>       You might need to deallocate some entitlements from non-base
>>> organization(s).
>>>       You need to free 3000 entitlements to match the new certificate.
>>>       In the WebUI, the entitlement is named Virtualization Host
>>> Platform.
>>> Certificate specifies 0 of monitoring_entitled entitlements.
>>>       There are 338 entitlements used by systems in the base (id 1)
>>> organization,
>>>       plus 3000 entitlements allocated to non-base org(s) (26 used).
>>>       You might need to unentitle some systems in the base organization,
>>>       or deallocate some entitlements from non-base organization(s).
>>>       You need to free 3338 entitlements to match the new certificate.
>>>       In the WebUI, the entitlement is named Monitoring.
>>> Certificate specifies 0 of virtualization_host entitlements.
>>>       There are 3000 entitlements allocated to non-base org(s) (0 used).
>>>       You might need to deallocate some entitlements from non-base
>>> organization(s).
>>>       You need to free 3000 entitlements to match the new certificate.
>>>       In the WebUI, the entitlement is named Virtualization Host.
>>> Certificate specifies 0 of provisioning_entitled entitlements.
>>>       There are 338 entitlements used by systems in the base (id 1)
>>> organization,
>>>       plus 3000 entitlements allocated to non-base org(s) (26 used).
>>>       You might need to unentitle some systems in the base organization,
>>>       or deallocate some entitlements from non-base organization(s).
>>>       You need to free 3338 entitlements to match the new certificate.
>>>       In the WebUI, the entitlement is named Provisioning.
>>> Activation failed, will now exit with no changes.
>>>
>>>
>>> I have tried several different settings in the ./gen-oss-sat-cert.pl
>>> command but always the same.
>>>
>>> Can anybody help please?
>>>
>>> Thanks
>>>
>>> Kobus
>>>
>>> Trustpay Global Limited is an authorised Electronic Money Institution
>>> regulated by the Financial Conduct Authority registration number 900043.
>>> Company No 07427913 Registered in England and Wales with registered
>>> address 130 Wood Street, London, EC2V 6DL, United Kingdom.
>>>
>>> For further details please visit our website at www.trustpayglobal.com
>>> <http://www.trustpayglobal.com>.
>>>
>>> The information in this email and any attachments are confidential and
>>> remain the property of Trustpay Global Ltd unless agreed by contract.
>>> It is intended solely for the person to whom or the entity to which it
>>> is addressed. If you are not the intended recipient you may not use,
>>> disclose, copy, distribute, print or rely on the content of this email
>>> or its attachments. If this email has been received by you in error
>>> please advise the sender and delete the email from your system.
>>> Trustpay Global Ltd does not accept any liability for any personal
>>> view expressed in this message.
>>>
>>>
>>>
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>>  Hi - can you confirm the version of Spacewalk being used?
>>
>> The old Certificate used expired today. We generated a new one a year ago:
>>
>>
>> https://github.com/spacewalkproject/spacewalk/blob/ca2c784eaff062b36f5f464affc50c2a2d21fa6a/branding/setup/spacewalk-public.cert
>>
>> For now, it is safe to ignore the warning - please give us some time to
>> provide our recommended solution here. Since not everyone has upgraded yet
>> to Spacewalk 2.3.
>>
>> Regards,
>> Cliff
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20150713/38366c53/attachment.htm>

More information about the Spacewalk-list mailing list