[Spacewalk-list] Spacewalk 2.1 | SSL Certificate Invalid when using HTTPS for host registration

Francis Lee Mondia endace.francis.mondia at gmail.com
Mon Jul 17 09:58:29 UTC 2017


Hi Vipul,

Thanks for the response.

Still the same, I'm failing on step 8 on this guide
(https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert):

[root@spw01 ~]# rhn-ssl-dbstore -vvv --ca-cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
Public CA SSL certificate:  /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

ERROR: unhandled exception occurred:
Traceback (most recent call last):
  File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
    sys.exit(abs(mod.main() or 0))
  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/rhn_ssl_dbstore.py", line 79, in main
    satCerts.store_rhnCryptoKey(values.label, values.ca_cert, verbosity=values.verbose)
  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 673, in store_rhnCryptoKey
    verbosity=verbosity)
  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 614, in _checkCertMatch_rhnCryptoKey
    h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 153, in execute
    return apply(self._execute_wrapper, (self._execute, ) + p, kw)
  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 290, in _execute_wrapper
    retval = apply(function, p, kw)
  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 207, in _execute
    return self._execute_(args, kwargs)
  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 309, in _execute_
    self._real_cursor.execute(self.sql, params)
psycopg2.IntegrityError: update or delete on table "rhncryptokey" violates foreign key constraint "rhn_csssl_cacertid_fk" on table "rhncontentsourcessl"
DETAIL:  Key (id)=(1) is still referenced from table "rhncontentsourcessl".


I think the issue is because the server's RHNS-CA-CERT is expired. I found
this [https://www.centos.org/forums/viewtopic.php?t=49388] but it's
referencing a Red Hat article which is for RHEL 5.

Where do I get an updated RHNS-CA-CERT?
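
Added example, not part of the original message or of the Spacewalk tooling: a shell check for the two conditions discussed in this thread, an expired certificate and a subject CN that differs from the server's FQDN. It assumes the `openssl` CLI is installed; the function names, the 30-day warning window and the hostname in the usage comment are illustrative choices.

```shell
#!/bin/sh
# Added example: inspect a PEM certificate before pushing it with
# rhn-ssl-dbstore. Only the subject CN is compared, as in the thread;
# subjectAltName entries are not examined.

# cert_cn PEM -> prints the subject commonName
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# cert_status PEM FQDN [WINDOW_SECONDS]
# Prints one of: unreadable, expired, expiring, cn-mismatch, ok
cert_status() {
    pem=$1 fqdn=$2 window=${3:-2592000}   # default warning window: 30 days

    # Reject anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 ||
        { echo unreadable; return 2; }

    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring; return 1
    fi

    # The CN must be the server's FQDN for clients to accept it.
    [ "$(cert_cn "$pem")" = "$fqdn" ] || { echo cn-mismatch; return 1; }
    echo ok
}

# Usage (hostname is a placeholder):
#   cert_status /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT spw01.example.com
if [ "$#" -ge 2 ]; then
    cert_status "$@"
fi
```

Run `openssl x509 -in <file> -noout -dates -subject` to see the actual validity dates and subject when the status is anything other than `ok`.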

On Sun, Jul 16, 2017 at 10:53 AM, Vipul Sharma (GDC) <
sharma.vipul at in.g4s.com> wrote:

> I completely forgot one thing --
>
> *In the above given command - --set-org-unit should be the same
> as --set-common-name. They should be the FQDN only.*
>
> On Sun, Jul 16, 2017 at 4:20 AM, Vipul Sharma (GDC) <
> sharma.vipul at in.g4s.com> wrote:
>
>> Hi Francis,
>>
>> In order to configure Spacewalk successfully - Follow these steps -
>>
>> Make sure your *Hostname & FQDN are same.*
>>
>> *ex - HOSTNAME = abc.abc.com*
>> *       FQDN = abc.abc.com*
>>
>> *Now,*
>>
>> Regenerate all the Certs & Keys --
>>
>> ** First change the hostname to FQDN*
>>
>> /usr/bin/rhn-ssl-tool --gen-ca --set-country="abc"  --set-state="abc"
>> --set-city="abc" --set-org="abc" --set-org-unit="abc.com"
>> --set-common-name="abc" --set-email="admin.com" --force
>>
>> **To generate new web-server keys --*
>>
>> /usr/bin/rhn-ssl-tool --gen-server --set-country="abc"  --set-state="abc"
>> --set-city="abc" --set-org="abc" --set-org-unit="abc.com"
>> --set-email="admin.com"
>>
>> **How to update the changes made to CA and web-server --*
>>
>> https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert
>>
>> Thanks
>>     V
>>
>> On Sun, Jul 16, 2017 at 2:00 AM, Francis Lee Mondia <
>> endace.francis.mondia at gmail.com> wrote:
>>
>>> Hi Michael,
>>>
>>> Thanks for the reply!
>>>
>>> On the following suggestions:
>>> 1. Upgrade to latest version - definitely but I want to settle the SSL
>>> issue first (might just do this next week though if SSL isn't resolved)
>>> 2. Spacewalk-hostname-rename
>>> - I've done this but haven't resolved the issue. Had to google how to
>>> install the certificate which led me to
>>> https://access.redhat.com/solutions/10809
>>> - Followed that guide in just installing the certificate (copying rpms,
>>> re-installing, etc) but decided to do the whole shebang instead after
>>> encountering the same issue
>>> - now I'm stuck with this:
>>>
>>> [root@spacewalkserver ~]# rhn-ssl-dbstore --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT -vvvvvvvv
>>> Public CA SSL certificate:  /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>>> Nothing to do: certificate to be pushed matches certificate in database.
>>> Nothing to do: certificate to be pushed matches certificate in database.
>>>
>>> ERROR: unhandled exception occurred:
>>> Traceback (most recent call last):
>>>   File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
>>>     sys.exit(abs(mod.main() or 0))
>>>   File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/rhn_ssl_dbstore.py", line 79, in main
>>>     satCerts.store_rhnCryptoKey(values.label, values.ca_cert, verbosity=values.verbose)
>>>   File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 673, in store_rhnCryptoKey
>>>     verbosity=verbosity)
>>>   File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 614, in _checkCertMatch_rhnCryptoKey
>>>     h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
>>>   File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 153, in execute
>>>     return apply(self._execute_wrapper, (self._execute, ) + p, kw)
>>>   File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 290, in _execute_wrapper
>>>     retval = apply(function, p, kw)
>>>   File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 207, in _execute
>>>     return self._execute_(args, kwargs)
>>>   File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 309, in _execute_
>>>     self._real_cursor.execute(self.sql, params)
>>> psycopg2.IntegrityError: update or delete on table "rhncryptokey" violates foreign key constraint "rhn_csssl_cacertid_fk" on table "rhncontentsourcessl"
>>> DETAIL:  Key (id)=(1) is still referenced from table "rhncontentsourcessl".
>>>
>>>
>>> - I've found this:
>>> [https://www.redhat.com/archives/spacewalk-list/2016-January/msg00046.html]
>>> which states I should remove the assignment first. THIS I DON'T KNOW HOW
>>> TO DO.
>>> - I think this
>>> [http://gatwards.org/techblog/replacing-spacewalk-ssl-certificates]
>>> shows how to do it but I'm adamant to delete the only pair on it. I've
>>> deleted all expired certs before.
>>>
>>> Thanks in advance.
>>>
>>> Kind regards,
>>> Francis
>>>
>>> On Fri, Jul 14, 2017 at 11:35 PM, Michael Mraka <
>>> michael.mraka at redhat.com> wrote:
>>>
>>>> Francis Lee Mondia:
>>>> > Hi All,
>>>> >
>>>> > Sorry for this seemingly noob question but I'm new to spacewalk and just
>>>> > inherited a system which was not being used for about 2 years and now I've
>>>> > been tasked to revive it.
>>>>
>>>> Hi,
>>>>
>>>> First of all I'd suggest upgrading to the latest Spacewalk (2.6) because
>>>> there were a lot of bugs fixed since then (including security issues).
>>>>
>>>> > So I've got the system running, updated the channels, repos and now came
>>>> > the process of re-adding hosts to the system. I was being shown the SSL
>>>> > certificate error as I think the certificate has expired. I can register
>>>> > hosts fine without SSL, and can push package updates to hosts fine without
>>>> > it. I do want to resolve this though moving forward. I've tried the
>>>> > numerous suggestions I can find (we have a Red Hat subscription so was able
>>>> > to try their solutions too but none worked).
>>>>
>>>> Install the spacewalk-utils package and run the spacewalk-hostname-rename
>>>> script.
>>>> It will regenerate all SSL certs.
>>>>
>>>> > I'd also like to know though if upgrading spacewalk to a newer version
>>>> > installs a new SSL cert. When we first took a look at the system, we
>>>>
>>>> AFAIR upgrade will not change SSL certs.
>>>>
>>>> > couldn't log-in as the satellite certificate was expired and we had to
>>>> > generate one from red hat support to be able to log back in.
>>>> >
>>>> > Hoping for some guidance on this from the community.
>>>> >
>>>> > Kind regards,
>>>> > Francis
>>>>
>>>> Regards,
>>>>
>>>>
>>>> --
>>>> Michael Mráka
>>>> System Management Engineering, Red Hat
>>>>
>>>> _______________________________________________
>>>> Spacewalk-list mailing list
>>>> Spacewalk-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list