[Spacewalk-list] How to use a signed certificate?
Robert Paschedag
robert.paschedag at web.de
Wed Sep 9 22:26:28 UTC 2015
Hi Daryl,
strange....
Does the RHN file contain only the certificate of the "root" CA or does it also contain some intermediate certs?
If you're using a cert chain, did you set the chain file in Apache?
Could you please show output of the working run? With --cafile and --capath none?
Regards
Robert
On 09.09.2015 at 20:56, Daryl Rose <darylrose at outlook.com> wrote:
>
> Robert,
>
> Thank you very much for this test.
>
> When I run the test with --cacert and --capath, the certificate works just fine. However, it fails when I run the test without --cacert and --capath.
>
> * About to connect() to <FQDN SW Server> port 443 (#0)
> * Trying 10.255.2.7... connected
> * Connected to <FQDN SW Server> (IP Address) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs/
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> * Closing connection #0
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> You said that if it works the first time, but fails the second time, then something went wrong with c_rehash. How do I troubleshoot c_rehash?
>
> Thank you.
>
> Daryl
>
> ________________________________________
> From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Robert Paschedag <robert.paschedag at web.de>
> Sent: Wednesday, September 9, 2015 11:25 AM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] How to use a signed certificate?
>
> Hi Daryl,
>
> looks good. But try the following.
>
> Put a testfile on the spacewalk "pub" folder...normally "/srv/www/html/pub"
>
> Then try to manually grab the file with "curl", only using "your" CA file
>
> curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none
> https://<yourserver>/pub/<testfile>
>
> If this works, try same without setting "--cacert and --capath". If this
> does NOT work, something went wrong running "c_rehash".
>
> If both do NOT work, then maybe the apache server is not "deploying" the
> complete certificate chain. Look for "apache"s "SSLCertificateChainFile"
> in /etc/http/conf.d/ssl.conf
>
> Regards,
> Robert
>
>
> On 09.09.2015 at 15:12, Daryl Rose wrote:
> > Avi,
> >
> > Here are the steps for registering SLES from the Spacewalk documentation:
> >
> > https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE
> >
> > However, the steps are not completely accurate for SLES 11 SP3. A few changes need to be made.
> >
> > 1. Changes to the spacewalk-tools URL.
> > zypper ar -f http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/ spacewalk-tools
> >
> > 2. Step two applies to SLES 12, not to SLES 11. (I learned about that from this forum). These are the modified steps:
> > a. wget http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
> > b. cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
> > c. c_rehash /etc/ssl/certs/
> >
> > After running the c_rehash, I get the following:
> >
> > lrwxrwxrwx 1 root root 28 Sep 9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem
> >
> > I'm assuming that this is what I should see.
> >
> > These are the same steps that I used in my testing. Is there something wrong with the cert?
> >
> > Thanks
> >
> > Daryl
> >
> > ________________________________________
> > From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Avi Miller <avi.miller at oracle.com>
> > Sent: Tuesday, September 8, 2015 3:39 PM
> > To: spacewalk-list at redhat.com
> > Subject: Re: [Spacewalk-list] How to use a signed certificate?
> >
> > Hey Daryl,
> >
> >> On 9 Sep 2015, at 6:06 am, Daryl Rose <darylrose at outlook.com> wrote:
> >>
> >> I decided to move my SW environment into production, so I stood up a brand new SW server and redid the signed certificate according to your documentation. Everything works fine with the RHEL servers that I've attached, but I'm having certificate issues with SLES.
> >
> > I don't think we ever tested this with SLES/OpenSUSE as that's not covered under standard Oracle support. I've not even looked into how you register a SLES system to Spacewalk, so I can't comment on how that process would need to be updated for a 3rd-party certificate.
> >
> > However, this seems like a verification issue, so I would double-check that you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that it has the entire CA chain contained. Otherwise, the client would not be able to verify the certificate provided by the server.
> >
> > Can you point me towards the appropriate documentation that outlines the SLES registration process to Spacewalk so I can review?
> >
> > Thanks,
> > Avi
> >
> > --
> > Oracle <http://www.oracle.com>
> > Avi Miller | Product Management Director | +61 (3) 8616 3496
> > Oracle Linux and Virtualization
> > 417 St Kilda Road, Melbourne, Victoria 3004 Australia
> >
> >
> > _______________________________________________
> > Spacewalk-list mailing list
> > Spacewalk-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/spacewalk-list
> >
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
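Offline checks for the two things Robert suggests looking at (whether c_rehash actually produced the hash links in the capath directory, and whether the RHN-ORG-TRUSTED-SSL-CERT bundle carries the complete chain), as an added example that is not part of the original thread: it assumes the openssl CLI is installed and takes the bundle and capath locations as arguments instead of hard-coding /etc/ssl/certs.

```shell
#!/bin/sh
# Offline checks for the two failure modes in the thread: a missing c_rehash
# link in capath, and a CA bundle that does not carry the complete chain.
# Needs the openssl CLI; all paths are supplied by the caller (assumption).
# split_bundle BUNDLE OUTDIR: writes one PEM certificate per OUTDIR/cN.pem
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$1"
}

# check_capath BUNDLE CAPATH: CAPATH/<subject_hash>.N must exist for every
# certificate in BUNDLE and hold that cert, which is what c_rehash sets up.
check_capath() {
    bundle="$1"; capath="$2"; missing=0
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    for c in "$tmp"/c*.pem; do
        hash=$(openssl x509 -in "$c" -noout -subject_hash)
        subj=$(openssl x509 -in "$c" -noout -subject)
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256)
        found=0
        for link in "$capath/$hash".[0-9]*; do
            [ -e "$link" ] && [ "$(openssl x509 -in "$link" -noout -fingerprint -sha256)" = "$fp" ] && found=1
        done
        if [ "$found" -eq 1 ]; then
            echo "OK      $hash.N -> $subj"
        else
            echo "MISSING $hash.N for $subj (run: c_rehash $capath)"
            missing=$((missing + 1))
        fi
    done
    rm -rf "$tmp"; [ "$missing" -eq 0 ]
}

# chain_complete BUNDLE: every issuer in BUNDLE must itself appear as a subject
# (a self-signed root satisfies itself); otherwise a client holding only this
# file cannot build a path and curl reports "certificate verify failed".
chain_complete() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    subjects=$(for c in "$tmp"/c*.pem; do
        openssl x509 -in "$c" -noout -subject | sed 's/^subject=//'; done)
    rc=0
    for c in "$tmp"/c*.pem; do
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
        printf '%s\n' "$subjects" | grep -qxF -- "$iss" \
            || { echo "no issuer certificate in bundle for: $iss"; rc=1; }
    done
    rm -rf "$tmp"; return "$rc"
}
```

Run it as `check_capath /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem /etc/ssl/certs/` on the SLES client: a MISSING line means curl without --cacert has nothing to find in the capath, and a chain_complete failure means the file itself cannot validate the server regardless of c_rehash.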