[Spacewalk-list] Reply: Re: How to use a signed certificate?

Paschedag.Netlution at swr.de Paschedag.Netlution at swr.de
Fri Sep 11 13:16:47 UTC 2015


Hi Daryl,

how many certificates are stored within RHN-ORG-TRUSTED-SSL-CERT?

Only one? 

You said the "curl" command with "--cacert" set to point to the
RHN-ORG... file and "--capath none" set worked, so we really have to
check the links within /etc/ssl/certs.

And you are NOT using intermediate certificates?

Please verify that the name of the link in /etc/ssl/certs pointing to
your RHN-ORG file is the same value as the "subject_hash" of your CA
stored within the RHN-ORG file.

Get the subject_hash from the certificate:

openssl x509 -in /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT -noout -subject_hash

This returns the hash. Within /etc/ssl/certs, there should now be a
symlink named with that hash value plus ".0" appended, pointing to the RHN-ORG
file.

In my case:

83475fa3

ls -l /etc/ssl/certs | grep RHN

should show something like this:

....83475fa3.0 -> RHN-ORG-TRUSTED-SSL-CERT.PEM

If this is not the case, then this is the error.

Regards,
Robert

Kind regards

Robert Paschedag
Netlution GmbH
Landteilstr. 33
68163 Mannheim

on behalf of
SWR
Südwestrundfunk
Information and Communication Systems
Neckarstraße 230
70190 Stuttgart

Phone +49 (0)711 /929-12654 or
Phone +49 (0)711 /929-13714
paschedag.netlution at swr.de

swr.de
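
As an added example (not code from the thread or from the Spacewalk project), the check Robert describes above written as a POSIX shell script: it counts the certificates in the CA file (his first question), computes the subject_hash with openssl, and verifies that a "<hash>.N" symlink in the hash directory resolves to that CA. The default paths are the ones quoted in the thread; allowing the ".1", ".2" suffixes that c_rehash uses on a hash collision, and comparing file content rather than the literal link target, are my assumptions about how the check should generalise.

```shell
#!/bin/sh
# Added example, not from the thread: automate Robert's check that the
# OpenSSL hash-directory symlink for the Spacewalk CA exists and points at
# the right file. Default paths are the ones quoted in the thread.

CA_FILE="${1:-/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT}"
CERT_DIR="${2:-/etc/ssl/certs}"

# Number of PEM certificates in a file (Robert's first question: a single
# CA, or a bundle that also carries intermediates?).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# subject_hash of the (first) certificate in the file. It must come from
# the same OpenSSL version that ran c_rehash, because 0.9.8 and 1.0+ hash
# differently (-subject_hash_old prints the pre-1.0 value).
subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# Look for <dir>/<hash>.N (c_rehash uses .0, or .1, .2 ... on a hash
# collision) that is a symlink whose content matches <target>. Prints the
# link name and returns 0 when found, returns 1 otherwise.
find_hash_link() {
    dir="$1"; subj_hash="$2"; target="$3"
    for link in "$dir/$subj_hash".[0-9]*; do
        [ -L "$link" ] || continue
        # cmp follows the symlink; byte-identical content means the link
        # really serves the CA we expect, wherever it physically points.
        if cmp -s "$link" "$target"; then
            echo "$link"
            return 0
        fi
    done
    return 1
}

main() {
    echo "certificates in $CA_FILE: $(count_certs "$CA_FILE")"
    subj_hash=$(subject_hash "$CA_FILE") || return 1
    echo "subject_hash: $subj_hash"
    if link=$(find_hash_link "$CERT_DIR" "$subj_hash" "$CA_FILE"); then
        echo "OK: $link -> $(readlink "$link")"
    else
        echo "MISSING: no $CERT_DIR/$subj_hash.N symlink to $CA_FILE (run: c_rehash $CERT_DIR)" >&2
        return 1
    fi
}

# Only run the check when the CA file is actually present on this host.
if [ -r "$CA_FILE" ]; then
    main
fi
```

Run it as "sh check-ca-link.sh [ca-file] [cert-dir]" on the client. A "MISSING" result with the hash Robert's openssl command prints is exactly the failure mode he describes; a link that exists but has a different name usually means c_rehash was run by a different OpenSSL version than the one the client library uses.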





From:    Daryl Rose <darylrose at outlook.com>
To:      "robert.paschedag at web.de" <robert.paschedag at web.de>, "spacewalk-list at redhat.com" <spacewalk-list at redhat.com>
Date:    11.09.2015 14:56
Subject: Re: [Spacewalk-list] How to use a signed certificate?
Sent by: spacewalk-list-bounces at redhat.com



Robert,

I finally had a chance to get back to this. 

You said to look to see if Apache is deploying the SSLCertificateChainFile 
certificate chain. 

SSLCertificateChainFile was commented out, but I'm not sure what I need
to put in for the Certificate Chain File.

However, I looked at my demo server, and the SSLCertificateChainFile was
also commented out in the ssl.conf file. But SLES works perfectly with
that server. I moved one of my SLES machines to the demo server, and it
accepts the certificate just fine. So I'm now wondering if this issue is
something else.

Thanks

Daryl


________________________________________
From: spacewalk-list-bounces at redhat.com 
<spacewalk-list-bounces at redhat.com> on behalf of Robert Paschedag 
<robert.paschedag at web.de>
Sent: Wednesday, September 9, 2015 11:25 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] How to use a signed certificate?

Hi Daryl,

looks good. But try the following.

Put a test file in the spacewalk "pub" folder, normally
"/srv/www/html/pub".

Then try to manually grab the file with "curl", only using "your" CA file:

curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none https://<yourserver>/pub/<testfile>

If this works, try the same without setting "--cacert" and "--capath". If this
does NOT work, something went wrong running "c_rehash".

If both do NOT work, then maybe the Apache server is not "deploying" the
complete certificate chain. Look for Apache's "SSLCertificateChainFile"
in /etc/http/conf.d/ssl.conf.

Regards,
Robert


On 09.09.2015 at 15:12, Daryl Rose wrote:
> Avi,
>
> Here are the steps for registering SLES from the Spacewalk documentation:
>
> https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE
>
> However, the steps are not completely accurate for SLES 11 SP3. A few changes need to be made.
>
> 1. Changes to the spacewalk-tools URL.
> zypper ar -f http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/ spacewalk-tools
>
> 2. Step two applies to SLES 12, not to SLES 11. (I learned about that from this forum). These are the modified steps:
> a. wget http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
> b. cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
> c. c_rehash /etc/ssl/certs/
>
> After running the c_rehash, I get the following:
>
> lrwxrwxrwx 1 root root   28 Sep  9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem
>
> I'm assuming that this is what I should see.
>
> These are the same steps that I used in my testing. Is there something wrong with the cert?
>
> Thanks
>
> Daryl
>
> ________________________________________
> From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Avi Miller <avi.miller at oracle.com>
> Sent: Tuesday, September 8, 2015 3:39 PM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] How to use a signed certificate?
>
> Hey Daryl,
>
>> On 9 Sep 2015, at 6:06 am, Daryl Rose <darylrose at outlook.com> wrote:
>>
>> I decided to move my SW environment into production, so I stood up a brand new SW server and redid the signed certificate according to your documentation. Everything works fine with the RHEL servers that I've attached, but I'm having certificate issues with SLES.
>
> I don't think we ever tested this with SLES/OpenSUSE as that's not covered under standard Oracle support. I've not even looked into how you register a SLES system to Spacewalk, so I can't comment on how that process would need to be updated for a 3rd-party certificate.
>
> However, this seems like a verification issue, so I would double-check that you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that it has the entire CA chain contained. Otherwise, the client would not be able to verify the certificate provided by the server.
>
> Can you point me towards the appropriate documentation that outlines the SLES registration process to Spacewalk so I can review?
>
> Thanks,
> Avi
>
> --
> Oracle <http://www.oracle.com>
> Avi Miller | Product Management Director | +61 (3) 8616 3496
> Oracle Linux and Virtualization
> 417 St Kilda Road, Melbourne, Victoria 3004 Australia
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>


