[Spacewalk-list] Certificate expiry
Kobus Bensch
kobus.bensch at trustpayglobal.com
Tue Jul 14 08:46:27 UTC 2015
Morning
I need some help please. This morning I got this message on the
Spacewalk login:
Your satellite certificate has expired. Please visit the following link
for steps on how to request or generate a new certificate:
https://access.redhat.com/knowledge/tools/satcertYour satellite enters
restricted period in 7 day(s).
So I followed the instructions here to get this resolved:
https://fedorahosted.org/spacewalk/wiki/CertCreation
Here is the steps I took:
gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Thu 12 Jul 2018 10:51:46 AM BST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Infrastructure_Team
Email address: infrastructure at company.com
Comment: Spacewalk Cert
You selected this USER-ID:
"Infrastructure_Team (Spacewalk Cert) <infrastructure at company.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[12582]: directory `/root/.gnupg/private-keys-v1.d' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key C787B908 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-07-12
pub 4096R/C787B908 2015-07-13 [expires: 2018-07-12]
Key fingerprint = E0A9 C645 60C3 FAD1 4EE9 0388 1627 481B C787 B908
uid Infrastructure_Team (Spacewalk Cert)
<infrastructure at company.com>
sub 4096R/113C619E 2015-07-13 [expires: 2018-07-12]
gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
uid Red Hat, Inc (Red Hat Network)
<rhn-feedback at redhat.com>
pub 4096R/C787B908 2015-07-13 [expires: 2018-07-12]
uid Infrastructure_Team (Spacewalk Cert)
<infrastructure at company.com>
sub 4096R/113C619E 2015-07-13 [expires: 2018-07-12]
[root at dc2pmzspw01 ~]# gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec 4096R/3E092771 2015-07-13 [expires: 2018-07-12]
uid Infrastructure Team (Spacewalk Cert)
<infrastructure at company.com>
ssb 4096R/DCFD06A8 2015-07-13
sec 4096R/C787B908 2015-07-13 [expires: 2018-07-12]
uid Infrastructure_Team (Spacewalk Cert)
<infrastructure at company.com>
ssb 4096R/113C619E 2015-07-13
gpg --export -a C787B908 > spacewalk-key.gpg
gpg --export-secret-keys -a C787B908 > spacewalk-secretkey.gpg
gpg --keyring /etc/webapp-keyring-new.gpg --no-default-keyring --import
spacewalk-key.gpg spacewalk-secretkey.gpg
gpg: keyring `/etc/webapp-keyring-new.gpg' created
gpg: key C787B908: public key "Infrastructure_Team (Spacewalk Cert)
<infrastructure at company.com>" imported
gpg: key C787B908: already in secret keyring
gpg: Total number processed: 2
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
mv /etc/webapp-keyring.gpg /etc/webapp-keyring-old.gpg
mv /etc/webapp-keyring-new.gpg /etc/webapp-keyring.gpg
gpg --keyring /etc/webapp-keyring.gpg --no-default-keyring --list-keys
/etc/webapp-keyring.gpg
-----------------------
pub 4096R/C787B908 2015-07-13 [expires: 2018-07-12]
uid Infrastructure_Team (Spacewalk Cert)
<infrastructure at company.com>
sub 4096R/113C619E 2015-07-13 [expires: 2018-07-12]
./gen-oss-sat-cert.pl --orgid 1 --owner "Infrastructure_Team (Spacewalk
Cert) <infrastructure at company.com>" --signer C787B908 --output
spacewalk-cert.cert --expires "2018-07-13 00:00:00" --slots 200000
--satellite-version spacewalk
Passphrase:
gpg: Signature made Mon 13 Jul 2015 11:07:12 AM BST using RSA key ID
C787B908
gpg: Good signature from "Infrastructure_Team (Spacewalk Cert)
<infrastructure at company.com>"
Signatures validation succeeded.
Certificate saved as tpgspacewalk-cert.cert
rhn-satellite-activate --sanity-only --rhn-cert=spacewalk-cert.cert
[no output]
rhn-satellite-activate --disconnected --rhn-cert=spacewalk-cert.cert
Certificate specifies 0 of virtualization_host_platform entitlements.
There are 3000 entitlements allocated to non-base org(s) (0 used).
You might need to deallocate some entitlements from non-base
organization(s).
You need to free 3000 entitlements to match the new certificate.
In the WebUI, the entitlement is named Virtualization Host Platform.
Certificate specifies 0 of monitoring_entitled entitlements.
There are 338 entitlements used by systems in the base (id 1)
organization,
plus 3000 entitlements allocated to non-base org(s) (26 used).
You might need to unentitle some systems in the base organization,
or deallocate some entitlements from non-base organization(s).
You need to free 3338 entitlements to match the new certificate.
In the WebUI, the entitlement is named Monitoring.
Certificate specifies 0 of virtualization_host entitlements.
There are 3000 entitlements allocated to non-base org(s) (0 used).
You might need to deallocate some entitlements from non-base
organization(s).
You need to free 3000 entitlements to match the new certificate.
In the WebUI, the entitlement is named Virtualization Host.
Certificate specifies 0 of provisioning_entitled entitlements.
There are 338 entitlements used by systems in the base (id 1)
organization,
plus 3000 entitlements allocated to non-base org(s) (26 used).
You might need to unentitle some systems in the base organization,
or deallocate some entitlements from non-base organization(s).
You need to free 3338 entitlements to match the new certificate.
In the WebUI, the entitlement is named Provisioning.
Activation failed, will now exit with no changes.
I have tried several different settings in the ./gen-oss-sat-cert.pl
command but always the same.
Can anybody help please?
Thanks
Kobus
--
Trustpay Global Limited is an authorised Electronic Money Institution
regulated by the Financial Conduct Authority registration number 900043.
Company No 07427913 Registered in England and Wales with registered address
130 Wood Street, London, EC2V 6DL, United Kingdom.
For further details please visit our website at www.trustpayglobal.com.
The information in this email and any attachments are confidential and
remain the property of Trustpay Global Ltd unless agreed by contract. It is
intended solely for the person to whom or the entity to which it is
addressed. If you are not the intended recipient you may not use, disclose,
copy, distribute, print or rely on the content of this email or its
attachments. If this email has been received by you in error please advise
the sender and delete the email from your system. Trustpay Global Ltd does
not accept any liability for any personal view expressed in this message.
More information about the Spacewalk-list
mailing list