[Spacewalk-list] How to use a signed certificate?

Robert Paschedag robert.paschedag at web.de
Wed Sep 9 16:25:25 UTC 2015


Hi Daryl,

looks good. But try the following.

Put a test file in the Spacewalk "pub" folder, normally "/srv/www/html/pub".

Then try to manually grab the file with "curl", only using "your" CA file

curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none https://<yourserver>/pub/<testfile>

If this works, try the same without setting "--cacert" and "--capath". If this
does NOT work, something went wrong running "c_rehash".

If both do NOT work, then maybe the Apache server is not "deploying" the
complete certificate chain. Look for Apache's "SSLCertificateChainFile"
in /etc/http/conf.d/ssl.conf

Regards,
Robert


On 09.09.2015 at 15:12, Daryl Rose wrote:
> Avi,
> 
> Here are the steps for registering SLES from the Spacewalk documentation: 
> 
> https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE
> 
> However, the steps are not completely accurate for SLES 11 SP3.  A few changes need to be made. 
> 
> 1. Changes to the spacewalk-tools URL.
> zypper ar -f http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/ spacewalk-tools
> 
> 2.  Step two applies to SLES 12, not to SLES 11.  (I learned about that from this forum).  These are the modified steps:
> a.  wget http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
> b.  cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
> c.  c_rehash /etc/ssl/certs/
> 
> After running the c_rehash, I get the following:
> 
> lrwxrwxrwx 1 root root   28 Sep  9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem
> 
> I'm assuming that this is what I should see.  
> 
> These are the same steps that I used in my testing. Is there something wrong with the cert?
> 
> Thanks
> 
> Daryl
> 
> ________________________________________
> From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Avi Miller <avi.miller at oracle.com>
> Sent: Tuesday, September 8, 2015 3:39 PM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] How to use a signed certificate?
> 
> Hey Daryl,
> 
>> On 9 Sep 2015, at 6:06 am, Daryl Rose <darylrose at outlook.com> wrote:
>>
>> I decided to move my SW environment into production, so I stood up a brand new SW server and redid the signed certificate according to your documentation.  Everything works fine with the RHEL servers that I've attached, but I'm having certificate issues with SLES.
> 
> I don't think we ever tested this with SLES/OpenSUSE as that's not covered under standard Oracle support. I've not even looked into how you register a SLES system to Spacewalk, so I can't comment on how that process would need to be updated for a 3rd-party certificate.
> 
> However, this seems like a verification issue, so I would double-check that you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that it has the entire CA chain contained. Otherwise, the client would not be able to verify the certificate provided by the server.
> 
> Can you point me towards the appropriate documentation that outlines the SLES registration process to Spacewalk so I can review?
> 
> Thanks,
> Avi
> 
> --
> Oracle <http://www.oracle.com>
> Avi Miller | Product Management Director | +61 (3) 8616 3496
> Oracle Linux and Virtualization
> 417 St Kilda Road, Melbourne, Victoria 3004 Australia
> 
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
> 
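The three checks suggested in this thread (CA file only, hashed certificate directory, complete chain from the server) can be reproduced offline. The script below is an added example, not part of the original messages: it builds a constructed root CA, intermediate CA and server certificate, then uses "openssl verify" in place of curl. The names "Demo Root CA", "Demo Intermediate CA", "spacewalk.example.test" and "DEMO-ROOT.pem" are assumptions made for the demo; "-untrusted" stands in for the intermediate a server would send when its chain file is configured.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# All names and files are made up; nothing here touches /etc/ssl/certs.
W=$(mktemp -d)
cat > "$W/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# issue <name> <CN> <extension section> [<issuer name>]; no issuer = self-signed
issue() {
  if [ -z "${4:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -config "$W/o.cnf" -extensions "$3" \
      -subj "/CN=$2" -days 2 -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -config "$W/o.cnf" -subj "/CN=$2" \
      -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$4.pem" -CAkey "$W/$4.key" \
      -CAcreateserial -extfile "$W/o.cnf" -extensions "$3" -days 2 \
      -out "$W/$1.pem" 2>/dev/null
  fi
}
issue root "Demo Root CA" ca
issue int  "Demo Intermediate CA" ca root
issue srv  "spacewalk.example.test" leaf int

# What c_rehash does for each cert: a <subject-hash>.0 symlink (cf. dcfb5746.0).
mkdir "$W/certs" && cp "$W/root.pem" "$W/certs/DEMO-ROOT.pem"
HASH=$(openssl x509 -noout -subject_hash -in "$W/root.pem")
ln -s DEMO-ROOT.pem "$W/certs/$HASH.0"

# check <openssl verify args...>: prints OK or FAIL, always returns 0
check() {
  if openssl verify "$@" "$W/srv.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
bare_cafile()  { check -CAfile "$W/root.pem"; }                           # server sends leaf only
chain_cafile() { check -CAfile "$W/root.pem" -untrusted "$W/int.pem"; }   # server sends chain
chain_capath() { check -CApath "$W/certs"    -untrusted "$W/int.pem"; }   # trust via hash dir

echo "leaf only, --cacert style : $(bare_cafile)"
echo "with chain, --cacert style: $(chain_cafile)"
echo "with chain, hashed dir    : $(chain_capath)"
```

A FAIL on the first line with OK on the other two is the pattern of a server that is not sending its intermediate certificate while the client's trust store is set up correctly.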
