[Spacewalk-list] Spacewalk 2.1 | SSL Certificate Invalid when using HTTPS for host registration

Robert Paschedag robert.paschedag at web.de
Mon Jul 17 16:36:35 UTC 2017


On 17 July 2017 16:16:50 CEST, "Paschedag, Robert" <paschedag.netlution at swr.de> wrote:
>The credentials for the postgres db should be stored within
>/etc/rhn/rhn.conf on the satellite server.
>
>By default, this is
>
>User: rhnuser
>PW: rhnpw
>DB: rhnschema
>
>So..switching to user postgres
>
>su - postgres
>
>And
>
>psql -U <user> -d <DB>
>
>and entering password should give you access.
>
>There is also a command to “set” the password
>
>
>
>
>Kind regards
>
>Robert Paschedag
>Netlution GmbH
>Landteilstr. 33
>68163 Mannheim
>
>on behalf of
>SWR
>Südwestrundfunk
>HA IT, Medientechnik und Programmverbreitung
>Neckarstraße 230
>70190 Stuttgart
>
>Phone +49 (0)711 /929-12654 or
>Phone +49 (0)711 /929-13714
>paschedag.netlution at swr.de
>
>swr.de
>
>From: spacewalk-list-bounces at redhat.com
>[mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Vipul Sharma
>(GDC)
>Sent: Monday, 17 July 2017 14:12
>To: Francis Lee Mondia <endace.francis.mondia at gmail.com>
>Cc: spacewalk-list at redhat.com
>Subject: Re: [Spacewalk-list] Spacewalk 2.1 | SSL Certificate Invalid
>when using HTTPS for host registration
>
>Hey,
>Do you remember the password you used when creating the DB - Please try
>this password given below -
>
>Database - spaceschema
>
>Username - spaceuser
>
>Password - spacepw
>
>
>#psql DBNAME USERNAME
>
>On Mon, Jul 17, 2017 at 4:45 PM, Francis Lee Mondia
><endace.francis.mondia at gmail.com> wrote:
>Hi Vipul,
>
>Yes, the service is running as evidenced by the output. The problem as
>shown in the error message was that postgres actually can't update or
>delete the table stated due to a foreign key constraint validation on a
>table.
>
>There's a post on the list about it and the recommendation was to
>remove it. Any ideas how to remove it from the DB? I'd actually like to
>log-in to postgres and delete this key being referenced (assuming I
>know the password for postgres).
>
>Kind regards,
>Francis
>
>On Mon, Jul 17, 2017 at 10:23 PM, Vipul Sharma (GDC)
><sharma.vipul at in.g4s.com> wrote:
>Hey,
>When you are running step 8 - Make sure spacewalk service is running,
>I'm hoping you've must have stopped the service. Service is important
>to push the data to postgres.
>Thanks
>    V
>
>On Mon, Jul 17, 2017 at 3:28 PM, Francis Lee Mondia
><endace.francis.mondia at gmail.com> wrote:
>Hi Vipul,
>
>Thanks for the response.
>
>Still the same, I'm failing on step 8 on this guide
>(https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert):
>
>[root at spw01 ~]# rhn-ssl-dbstore -vvv --ca-cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
>Public CA SSL certificate:  /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
>
>ERROR: unhandled exception occurred:
>Traceback (most recent call last):
>  File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
>    sys.exit(abs(mod.main() or 0))
>  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/rhn_ssl_dbstore.py", line 79, in main
>    satCerts.store_rhnCryptoKey(values.label, values.ca_cert, verbosity=values.verbose)
>  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 673, in store_rhnCryptoKey
>    verbosity=verbosity)
>  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 614, in _checkCertMatch_rhnCryptoKey
>    h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 153, in execute
>    return apply(self._execute_wrapper, (self._execute, ) + p, kw)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 290, in _execute_wrapper
>    retval = apply(function, p, kw)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 207, in _execute
>    return self._execute_(args, kwargs)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 309, in _execute_
>    self._real_cursor.execute(self.sql, params)
>psycopg2.IntegrityError: update or delete on table "rhncryptokey" violates foreign key constraint "rhn_csssl_cacertid_fk" on table "rhncontentsourcessl"
>DETAIL:  Key (id)=(1) is still referenced from table "rhncontentsourcessl".
>
>
>I think the issue is because the server's RHNS-CA-CERT is expired. I
>found this
>[https://www.centos.org/forums/viewtopic.php?t=49388]
>but it's referencing a red hat article which is for RHEL 5.
>
>Where do I get an updated RHNS-CA-CERT?
>
>On Sun, Jul 16, 2017 at 10:53 AM, Vipul Sharma (GDC)
><sharma.vipul at in.g4s.com> wrote:
>I completely forgot one thing --
>
>In the above given command - --set-org-unit  should be same as
>--set-common-name. They should be the FQDN only.
>
>On Sun, Jul 16, 2017 at 4:20 AM, Vipul Sharma (GDC)
><sharma.vipul at in.g4s.com> wrote:
>Hi Francis,
>
>In order to configure Spacewalk successfully - Follow these steps -
>
>Make sure your Hostname & FQDN are same.
>
>ex - HOSTNAME = abc.abc.com
>FQDN = abc.abc.com
>
>Now,
>
>Regenerate all the Certs & Keys --
>
>* First change the hostname to FQDN
>
>/usr/bin/rhn-ssl-tool --gen-ca --set-country="abc"  --set-state="abc"
>--set-city="abc" --set-org="abc"
>--set-org-unit="abc.com"
>--set-common-name="abc"
>--set-email="admin.com"
>--force
>
>*To generate new web-server keys --
>
>/usr/bin/rhn-ssl-tool --gen-server --set-country="abc"
>--set-state="abc" --set-city="abc" --set-org="abc"
>--set-org-unit="abc.com"
>--set-email="admin.com"
>
>*How to update the changes made to CA and web-server --
>
>https://github.com/spacewalkproject/spacewalk/wiki/ChangeCaCert
>
>Thanks
>    V
>
>On Sun, Jul 16, 2017 at 2:00 AM, Francis Lee Mondia
><endace.francis.mondia at gmail.com> wrote:
>Hi Michael,
>
>Thanks for the reply!
>
>On the following suggestions:
>1. Upgrade to latest version - definitely but I want to settle the SSL
>issue first (might just do this next week though if SSL isn't resolved)
>2. Spacewalk-hostname-rename
>- I've done this but haven't resolved the issue. Had to google how to
>install the certificate which led me to
>https://access.redhat.com/solutions/10809
>-  Followed that guide in just installing the certificate (copying
>rpms, re-installing, etc)  but decided to do the whole shebang
>instead after encountering the same issue
>- now I'm stuck with this:
>
>[root at spacewalkserver ~]# rhn-ssl-dbstore --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT -vvvvvvvv
>Public CA SSL certificate:  /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>Nothing to do: certificate to be pushed matches certificate in database.
>Nothing to do: certificate to be pushed matches certificate in database.
>
>ERROR: unhandled exception occurred:
>Traceback (most recent call last):
>  File "/usr/bin/rhn-ssl-dbstore", line 43, in <module>
>    sys.exit(abs(mod.main() or 0))
>  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/rhn_ssl_dbstore.py", line 79, in main
>    satCerts.store_rhnCryptoKey(values.label, values.ca_cert, verbosity=values.verbose)
>  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 673, in store_rhnCryptoKey
>    verbosity=verbosity)
>  File "/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/satCerts.py", line 614, in _checkCertMatch_rhnCryptoKey
>    h.execute(rhn_cryptokey_id=rhn_cryptokey_id)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 153, in execute
>    return apply(self._execute_wrapper, (self._execute, ) + p, kw)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 290, in _execute_wrapper
>    retval = apply(function, p, kw)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/sql_base.py", line 207, in _execute
>    return self._execute_(args, kwargs)
>  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/driver_postgresql.py", line 309, in _execute_
>    self._real_cursor.execute(self.sql, params)
>psycopg2.IntegrityError: update or delete on table "rhncryptokey" violates foreign key constraint "rhn_csssl_cacertid_fk" on table "rhncontentsourcessl"
>DETAIL:  Key (id)=(1) is still referenced from table "rhncontentsourcessl".
>
>
>- I've found this:
>[https://www.redhat.com/archives/spacewalk-list/2016-January/msg00046.html]
>which states I should remove the assignment first. THIS I DON'T KNOW
>HOW TO DO.
>- I think it's this
>[http://gatwards.org/techblog/replacing-spacewalk-ssl-certificates]
>shows how to do it but I'm adamant to delete the only pair on it. I've
>deleted all expired certs before.
>
>Thanks in advance.
>
>Kind regards,
>Francis
>
>On Fri, Jul 14, 2017 at 11:35 PM, Michael Mraka
><michael.mraka at redhat.com> wrote:
>Francis Lee Mondia:
>> Hi All,
>>
>> Sorry for this seemingly noob question but I'm new to spacewalk and just
>> inherited a system which was not being used for about 2 years and now I've
>> been tasked to revive it.
>
>Hi,
>
>First of all I'd suggest upgrade to latest Spacewalk (2.6) because there
>were a lot of bugs fixed since then (including security issues).
>
>> So I've got the system running, updated the channels, repos and now came
>> the process of re-adding hosts to the system. I was being shown the SSL
>> certificate error as I think the certificate has expired. I can register
>> hosts fine without SSL, and can push package updates to hosts fine without
>> it. I do want to resolve this though moving forward. I've tried the
>> numerous suggestions I can find (we have a red hat subscription so was able
>> to try their solutions too but none worked).
>
>Install spacewalk-utils package and run spacewalk-hostname-rename script.
>It will regenerate all SSL certs.
>
>> I'd also like to know though if upgrading spacewalk to a newer version
>> install a new SSL cert. When we first took a look at the system, we
>
>AFAIR upgrade will not change SSL certs.
>
>> couldn't log-in as the satellite certificate was expired and we had to
>> generate one from red hat support to be able to log back in.
>>
>> Hoping for some guidance on this from the community.
>>
>> Kind regards,
>> Francis
>
>Regards,
>
>
>--
>Michael Mráka
>System Management Engineering, Red Hat
>
>_______________________________________________
>Spacewalk-list mailing list
>Spacewalk-list at redhat.com
>https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>
>Please consider the environment before printing this email.
>*********************************************************************
>This communication may contain information which is confidential,
>personal and/or privileged. It is for the exclusive use of the intended
>recipient(s).
>If you are not the intended recipient(s), please note that any
>distribution, forwarding, copying or use of this communication or the
>information in it is strictly prohibited. If you have received it in
>error please contact the sender immediately by return e-mail. Please
>then delete the e-mail and any copies of it and do not use or disclose
>its contents to any person.
>Any personal views expressed in this e-mail are those of the individual
>sender and the company does not endorse or accept responsibility for
>them. Prior to taking any action based upon this e-mail message, you
>should seek appropriate confirmation of its authenticity.
>This message has been checked for viruses on behalf of the company.
>*********************************************************************
>

But just one more piece of information: when you get an SSL error from the client, you have to check the SSL certificate on the "webserver"!

Robert
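
The check suggested in the closing remark above, as an added example that is not part of the original message or of Spacewalk: it tests whether a web server certificate is unexpired and chains to the CA certificate that clients trust, using only standard `openssl` subcommands. The function names and the throwaway certificates are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: verify the web server certificate against the CA certificate
# that clients trust. Function names and the demo PKI are hypothetical.

# True if the certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# True if certificate $2 chains to the CA certificate $1.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: check_server_cert CA_CERT SERVER_CERT MIN_SECONDS_LEFT
# Prints one verdict: CA_EXPIRED, EXPIRED, UNTRUSTED, EXPIRING or OK.
check_server_cert() {
    cert_valid_for "$1" 0 || { echo CA_EXPIRED; return 0; }
    cert_valid_for "$2" 0 || { echo EXPIRED; return 0; }
    cert_signed_by "$1" "$2" || { echo UNTRUSTED; return 0; }
    cert_valid_for "$2" "$3" || { echo EXPIRING; return 0; }
    echo OK
}

# Builds constructed sample data in directory $1: ca.crt, server.crt
# (signed by ca.crt, 30 days) and other.crt (self-signed, not from the CA).
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=spacewalk.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/server.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=spacewalk.example.test" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

# Demo: on a real server, CA_CERT would be the RHN-ORG-TRUSTED-SSL-CERT file
# and SERVER_CERT the certificate the web server is configured to serve.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_server_cert "$demo_dir/ca.crt" "$demo_dir/server.crt" 86400     # 1 day
check_server_cert "$demo_dir/ca.crt" "$demo_dir/server.crt" 5184000   # 60 days
check_server_cert "$demo_dir/ca.crt" "$demo_dir/other.crt" 86400
rm -rf "$demo_dir"
```

An `UNTRUSTED` verdict means the web server is presenting a certificate that was not issued by the CA file distributed to clients, which produces a client-side SSL error even when neither certificate has expired.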



