[Spacewalk-list] Spacewalk 2.1 | SSL Certificate Invalid when using HTTPS for host registration
Francis Lee Mondia
endace.francis.mondia at gmail.com
Mon Jul 17 11:15:05 UTC 2017
Hi Vipul,
Yes, the service is running as evidenced by the output. The problem as
shown in the error message was that postgres actually can't update or
delete the table stated due to a foreign key constraint validation on a
table.
There's a post on the list about it and the recommendation was to remove
it. Any ideas how to remove it from the DB? I'd actually like to log-in to
postgres and delete this key being referenced (assuming I know the password
for postgres).
Kind regards,
Francis
On Mon, Jul 17, 2017 at 10:23 PM, Vipul Sharma (GDC) <
sharma.vipul at in.g4s.com> wrote:
> Hey,
>
> When you are running step 8 - Make sure spacewalk service is running, I'm
> hoping you've must have stopped the service. Service is important to push
> the data to postgres.
>
> Thanks
> V
>
> On Mon, Jul 17, 2017 at 3:28 PM, Francis Lee Mondia <
> endace.francis.mondia at gmail.com> wrote:
>
>> Hi Vipul,
>>
>> Thanks for the response.
>>
>> Still the same, I'm failing on step 8 on this guide (
>> https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert):
>>
>> [root at spw01 ~]# rhn-ssl-dbstore -vvv --ca-cert
>> /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
>> Public CA SSL certificate: /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
>>
>> ERROR: unhandled exception occurred:
>> Traceback (most recent call last):
>> File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
>> sys.exit(abs(mod.main() or 0))
>> File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/rhn_ssl_dbstore.py",
>> line 79, in main
>> satCerts.store_rhnCryptoKey(values.label, values.ca_cert,
>> verbosity=values.verbose)
>> File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>> line 673, in store_rhnCryptoKey
>> verbosity=verbosity)
>> File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>> line 614, in _checkCertMatch_rhnCryptoKey
>> h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>> line 153, in execute
>> return apply(self._execute_wrapper, (self._execute, ) + p, kw)
>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py",
>> line 290, in _execute_wrapper
>> retval = apply(function, p, kw)
>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>> line 207, in _execute
>> return self._execute_(args, kwargs)
>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py",
>> line 309, in _execute_
>> self._real_cursor.execute(self.sql, params)
>> psycopg2.IntegrityError: update or delete on table "rhncryptokey"
>> violates foreign key constraint "rhn_csssl_cacertid_fk" on table
>> "rhncontentsourcessl"
>> DETAIL: Key (id)=(1) is still referenced from table
>> "rhncontentsourcessl".
>>
>>
>> I think the issue is because the server's RHNS-CA-CERT is expired. I
>> found this [https://www.centos.org/forums/viewtopic.php?t=49388] but
>> it's referencing a red hat article which is for RHEL 5.
>>
>> Where do I get an updated RHNS-CA-CERT?
>>
>> On Sun, Jul 16, 2017 at 10:53 AM, Vipul Sharma (GDC) <
>> sharma.vipul at in.g4s.com> wrote:
>>
>>> I completely forgot one thing --
>>>
>>> *In the above given command - --set-org-unit should be same
>>> as --set-common-name. They should be the FQDN only.*
>>>
>>> On Sun, Jul 16, 2017 at 4:20 AM, Vipul Sharma (GDC) <
>>> sharma.vipul at in.g4s.com> wrote:
>>>
>>>> Hi Francis,
>>>>
>>>> In order to configure Spacewalk successfully - Follow these steps -
>>>>
>>>> Make sure your *Hostname & FQDN are same.*
>>>>
>>>> *ex - HOSTNAME = abc.abc.com <http://abc.abc.com> *
>>>> * FQDN = **abc.abc.com <http://abc.abc.com>*
>>>>
>>>> *Now,*
>>>>
>>>> Regenerate all the Certs & Keys --
>>>>
>>>> ** First change the hostname to FQDN*
>>>>
>>>> /usr/bin/rhn-ssl-tool --gen-ca --set-country="abc" --set-state="abc"
>>>> --set-city="abc" --set-org="abc" --set-org-unit="abc.com"
>>>> --set-common-name="abc" --set-email="admin.com" --force
>>>>
>>>> **To generate new web-server keys --*
>>>>
>>>> /usr/bin/rhn-ssl-tool --gen-server --set-country="abc"
>>>> --set-state="abc" --set-city="abc" --set-org="abc" --set-org-unit="
>>>> abc.com" --set-email="admin.com"
>>>>
>>>> **How to update the changes made to CA and web-server --*
>>>>
>>>> https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert
>>>>
>>>> Thanks
>>>> V
>>>>
>>>> On Sun, Jul 16, 2017 at 2:00 AM, Francis Lee Mondia <
>>>> endace.francis.mondia at gmail.com> wrote:
>>>>
>>>>> Hi Michael,
>>>>>
>>>>> Thanks for the reply!
>>>>>
>>>>> On the following suggestions:
>>>>> 1. Upgrade to latest version - definitely but I want to settle the SSL
>>>>> issue first (might just do this next week though if SSL isn't resolved)
>>>>> 2. Spacewalk-hostname-rename
>>>>> - I've done this but haven't resolved the issue. Had to google how to
>>>>> install the certificate which led me to https://access.redhat.com/solu
>>>>> tions/10809
>>>>> - Followed that guide in just installing the certificate (copying
>>>>> rpms, re-installing, etc) but decided to do the the whole shebang instead
>>>>> after encountering the same issue
>>>>> - now I'm stuck with this:
>>>>>
>>>>> [root at spacewalkserver ~]# rhn-ssl-dbstore
>>>>> --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT -vvvvvvvv
>>>>> Public CA SSL certificate: /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>>>>> Nothing to do: certificate to be pushed matches certificate in
>>>>> database.
>>>>> Nothing to do: certificate to be pushed matches certificate in
>>>>> database.
>>>>>
>>>>> ERROR: unhandled exception occurred:
>>>>> Traceback (most recent call last):
>>>>> File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
>>>>> sys.exit(abs(mod.main() or 0))
>>>>> File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/rhn_ssl_dbstore.py",
>>>>> line 79, in main
>>>>> satCerts.store_rhnCryptoKey(values.label, values.ca_cert,
>>>>> verbosity=values.verbose)
>>>>> File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>>>>> line 673, in store_rhnCryptoKey
>>>>> verbosity=verbosity)
>>>>> File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py",
>>>>> line 614, in _checkCertMatch_rhnCryptoKey
>>>>> h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
>>>>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>>>>> line 153, in execute
>>>>> return apply(self._execute_wrapper, (self._execute, ) + p, kw)
>>>>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py",
>>>>> line 290, in _execute_wrapper
>>>>> retval = apply(function, p, kw)
>>>>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py",
>>>>> line 207, in _execute
>>>>> return self._execute_(args, kwargs)
>>>>> File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py",
>>>>> line 309, in _execute_
>>>>> self._real_cursor.execute(self.sql, params)
>>>>> psycopg2.IntegrityError: update or delete on table "rhncryptokey"
>>>>> violates foreign key constraint "rhn_csssl_cacertid_fk" on table
>>>>> "rhncontentsourcessl"
>>>>> DETAIL: Key (id)=(1) is still referenced from table
>>>>> "rhncontentsourcessl".
>>>>>
>>>>>
>>>>> - I've found this: [https://www.redhat.com/archiv
>>>>> es/spacewalk-list/2016-January/msg00046.html] which states I should
>>>>> remove the assignment first. THIS I DON'T KNOW HOW TO DO.
>>>>> - I think it's this [http://gatwards.org/techblog/
>>>>> replacing-spacewalk-ssl-certificates] shows how to do it but I'm
>>>>> adamant to delete the only pair on it. I've deleted all expired certs
>>>>> before.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Kind regards,
>>>>> Francis
>>>>>
>>>>> On Fri, Jul 14, 2017 at 11:35 PM, Michael Mraka <
>>>>> michael.mraka at redhat.com> wrote:
>>>>>
>>>>>> Francis Lee Mondia:
>>>>>> > Hi All,
>>>>>> >
>>>>>> > Sorry for this seemingly noob question but I'm new to spacewalk and
>>>>>> just
>>>>>> > inherited a system which was not being used for about 2 years and
>>>>>> now I've
>>>>>> > been tasked to revive it.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> First of all I'd suggest upgrade to latest Spacewalk (2.6) because
>>>>>> there
>>>>>> were a lot of bugs fixed since then (including security issues).
>>>>>>
>>>>>> > So I've got the system running, updated the channels, repos and now
>>>>>> came
>>>>>> > the process of re-adding hosts to the system. I was being shown the
>>>>>> SSL
>>>>>> > certicate error as I think the certificate has expired. I can
>>>>>> register
>>>>>> > hosts fine without SSL, and can push package updates to hosts fine
>>>>>> without
>>>>>> > it. I do want to resolve this though moving forward. I've tried the
>>>>>> > numerous suggestions I can find (we have a red hat subscription so
>>>>>> was able
>>>>>> > to try their solutions too but none worked).
>>>>>>
>>>>>> Install spacewalk-utils package and run spacewalk-hostname-rename
>>>>>> script.
>>>>>> It will regenerate all SSL certs.
>>>>>>
>>>>>> > I'd also like to know though if upgrading spacewalk to a newer
>>>>>> version
>>>>>> > install a new SSL cert. When we first took a look at the system, we
>>>>>>
>>>>>> AFAIR upgrade will not change SSL certs.
>>>>>>
>>>>>> > couldn't log-in as the satellite certificate was expired and we had
>>>>>> to
>>>>>> > generate one from red hat support to be able to log back in.
>>>>>> >
>>>>>> > Hoping for some guidance on this from the community.
>>>>>> >
>>>>>> > Kind regards,
>>>>>> > Francis
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Michael Mráka
>>>>>> System Management Engineering, Red Hat
>>>>>>
>>>>>> _______________________________________________
>>>>>> Spacewalk-list mailing list
>>>>>> Spacewalk-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Spacewalk-list mailing list
>>>>> Spacewalk-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>>
>>>>
>>>>
>>>
>>>
>>> Please consider the environment before printing this email.
>>> *********************************************************************
>>> This communication may contain information which is confidential,
>>> personal and/or privileged. It is for the exclusive use of the intended
>>> recipient(s).
>>> If you are not the intended recipient(s), please note that any
>>> distribution, forwarding, copying or use of this communication or the
>>> information in it is strictly prohibited. If you have received it in error
>>> please contact the sender immediately by return e-mail. Please then delete
>>> the e-mail and any copies of it and do not use or disclose its contents to
>>> any person.
>>> Any personal views expressed in this e-mail are those of the individual
>>> sender and the company does not endorse or accept responsibility for them.
>>> Prior to taking any action based upon this e-mail message, you should seek
>>> appropriate confirmation of its authenticity.
>>> This message has been checked for viruses on behalf of the company.
>>> *********************************************************************
>>>
>>>
>>
>
>
> Please consider the environment before printing this email.
> *********************************************************************
> This communication may contain information which is confidential, personal
> and/or privileged. It is for the exclusive use of the intended recipient(s).
> If you are not the intended recipient(s), please note that any
> distribution, forwarding, copying or use of this communication or the
> information in it is strictly prohibited. If you have received it in error
> please contact the sender immediately by return e-mail. Please then delete
> the e-mail and any copies of it and do not use or disclose its contents to
> any person.
> Any personal views expressed in this e-mail are those of the individual
> sender and the company does not endorse or accept responsibility for them.
> Prior to taking any action based upon this e-mail message, you should seek
> appropriate confirmation of its authenticity.
> This message has been checked for viruses on behalf of the company.
> *********************************************************************
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20170717/008658a0/attachment.htm>
More information about the Spacewalk-list
mailing list