[Spacewalk-list] How to use a signed certificate?

Robert Paschedag robert.paschedag at web.de
Wed Sep 9 22:26:28 UTC 2015


Hi Daryl,

strange....

Does the RHN file contain only the certificate of the "root" CA or does it also contain some intermediate certs?

If you're using a cert chain, did you set the chain file in Apache?

Could you please show output of the working run? With --cafile and --capath none?

Regards
Robert
On 09.09.2015 20:56 Daryl Rose <darylrose at outlook.com> wrote:
>
> Robert, 
>
> Thank you very much for this test. 
>
> When I run the test with --cacert and --capath, the certificate works just fine.  However, it fails when I run the test without --cacert and --capath. 
>
> * About to connect() to <FQDN SW Server> port 443 (#0) 
> *   Trying 10.255.2.7... connected 
> * Connected to <FQDN SW Server> (IP Address) port 443 (#0) 
> * successfully set certificate verify locations: 
> *   CAfile: none 
> *   CApath: /etc/ssl/certs/ 
> * SSLv3, TLS handshake, Client hello (1): 
> * SSLv3, TLS handshake, Server hello (2): 
> * SSLv3, TLS handshake, CERT (11): 
> * SSLv3, TLS alert, Server hello (2): 
> * SSL certificate problem, verify that the CA cert is OK. Details: 
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
> * Closing connection #0 
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: 
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
> More details here: http://curl.haxx.se/docs/sslcerts.html 
>
> You said that if it works the first time but fails the second time, then something went wrong with c_rehash. How do I troubleshoot c_rehash? 
>
> Thank you. 
>
> Daryl 
>
> ________________________________________ 
> From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Robert Paschedag <robert.paschedag at web.de> 
> Sent: Wednesday, September 9, 2015 11:25 AM 
> To: spacewalk-list at redhat.com 
> Subject: Re: [Spacewalk-list] How to use a signed certificate? 
>
> Hi Daryl, 
>
> looks good. But try the following. 
>
> Put a testfile on the spacewalk "pub" folder...normally "/srv/www/html/pub" 
>
> Then try to manually grab the file with "curl", only using "your" CA file 
>
> curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none 
> https://<yourserver>/pub/<testfile> 
>
> If this works, try same without setting "--cacert and --capath". If this 
> does NOT work, something went wrong running "c_rehash". 
>
> If both do NOT work, then maybe the apache server is not "deploying" the 
> complete certificate chain. Look for "apache"s "SSLCertificateChainFile" 
> in /etc/http/conf.d/ssl.conf 
>
> Regards, 
> Robert 
>
>
> On 09.09.2015 at 15:12 Daryl Rose wrote: 
> > Avi, 
> > 
> > Here are the steps for registering SLES from the Spacewalk documentation: 
> > 
> > https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE 
> > 
> > However, the steps are not completely accurate for SLES 11 SP3.  A few changes need to be made. 
> > 
> > 1. Changes to the spacewalk-tools URL. 
> > zypper ar -f http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/ spacewalk-tools 
> > 
> > 2.  Step two applies to SLES 12, not to SLES 11.  (I learned about that from this forum).  These are the modified steps: 
> > a.  wget http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT 
> > b.  cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem 
> > c.  c_rehash /etc/ssl/certs/ 
> > 
> > After running the c_rehash, I get the following: 
> > 
> > lrwxrwxrwx 1 root root   28 Sep  9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem 
> > 
> > I'm assuming that this is what I should see. 
> > 
> > These are the same steps that I used in my testing. Is there something wrong with the cert? 
> > 
> > Thanks 
> > 
> > Daryl 
> > 
> > ________________________________________ 
> > From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Avi Miller <avi.miller at oracle.com> 
> > Sent: Tuesday, September 8, 2015 3:39 PM 
> > To: spacewalk-list at redhat.com 
> > Subject: Re: [Spacewalk-list] How to use a signed certificate? 
> > 
> > Hey Daryl, 
> > 
> >> On 9 Sep 2015, at 6:06 am, Daryl Rose <darylrose at outlook.com> wrote: 
> >> 
> >> I decided to move my SW environment into production, so I stood up a brand new SW server and redid the signed certificate according to your documentation.  Everything works fine with the RHEL servers that I've attached, but I'm having certificate issues with SLES. 
> > 
> > I don't think we ever tested this with SLES/OpenSUSE as that's not covered under standard Oracle support. I've not even looked into how you register a SLES system to Spacewalk, so I can't comment on how that process would need to be updated for a 3rd-party certificate. 
> > 
> > However, this seems like a verification issue, so I would double-check that you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that it has the entire CA chain contained. Otherwise, the client would not be able to verify the certificate provided by the server. 
> > 
> > Can you point me towards the appropriate documentation that outlines the SLES registration process to Spacewalk so I can review? 
> > 
> > Thanks, 
> > Avi 
> > 
> > -- 
> > Oracle <http://www.oracle.com> 
> > Avi Miller | Product Management Director | +61 (3) 8616 3496 
> > Oracle Linux and Virtualization 
> > 417 St Kilda Road, Melbourne, Victoria 3004 Australia 
> > 
> > 
> > _______________________________________________ 
> > Spacewalk-list mailing list 
> > Spacewalk-list at redhat.com 
> > https://www.redhat.com/mailman/listinfo/spacewalk-list 
> > 
>
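The two things the thread asks to check, whether c_rehash produced a hash link that actually resolves to the RHN CA file and whether that file holds one certificate or a chain, can be verified on the client without curl. This is an added example, not code posted in the thread; it assumes an OpenSSL CLI is installed and that the CApath follows the c_rehash naming convention (<subject_hash>.0 -> <file>.pem).

```shell
#!/bin/sh
# Added example: offline checks for a CA file dropped into an OpenSSL CApath.
# Assumes the openssl CLI is available (not part of the original thread).

# count_pem_certs <bundle.pem>
# Prints how many certificates the PEM file contains. A value of 1 means
# only the root (or only one cert) is shipped; a chain will show more.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_ca_hash_link <capath> <cert.pem>
# Returns 0 if <capath>/<subject_hash>.0 resolves to the given certificate
# (what c_rehash should have created), 1 if the link is missing or points at
# a different certificate, 2 if <cert.pem> is not a parseable certificate.
check_ca_hash_link() {
    capath=$1
    cert=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || return 2
    link="$capath/$hash.0"
    [ -e "$link" ] || return 1
    # Compare fingerprints rather than link targets: the link may be relative,
    # absolute, or point at a stale copy with the same name.
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert" 2>/dev/null) || return 2
    have=$(openssl x509 -noout -fingerprint -sha256 -in "$link" 2>/dev/null) || return 1
    [ "$want" = "$have" ]
}

# Usage on a SLES client set up as in the thread:
#   count_pem_certs /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
#   check_ca_hash_link /etc/ssl/certs /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
```

If the link check fails, rerunning c_rehash on the directory (or creating the link by hand from the printed subject hash) is the fix; if the count is 1 but the server uses an intermediate CA, the client file needs the intermediate appended.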
