[Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

Eric ericb at enrsystems.com
Wed Jun 7 16:58:49 UTC 2017


I've really beat myself into the ground with this for 3 days now and am 
stumped.

Situation:  I've been running two Spacewalk servers for a while now, brought 
them from 2.4 to 2.6.

I've just built a new one to move everything to, running 2.6.  Vanilla build, 
tested and working, bootstrapped clients, pushed configurations, osad and osa-
dispatcher running fine.  This is a clean 2.6 install, not an upgrade.

Company policy recently changed and no more self-signed certs allowed.

Got my new certs.  There are multiple conflicting documents on doing this.  
Like serious discrepancies.  Some have you replace/change the jabber 
server.pem files, and some don't address it at all.

I primarily used these two docs to perform the install (I could not find a 2.6 
specific doc):

Oracle doc for 2.2 
https://docs.oracle.com/cd/E37670_01/E64575/html/swk22-replace-cert.html

Redhat Doc (Dated April 2017, for Satellite 5.4 and later -> should cover 2.6)

https://access.redhat.com/solutions/15753


The Oracle doc and most of the other docs do not address the server.pem file 
for Jabber at all, just has you clear the jabber db and restart.

The Redhat doc says this:

# cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
# cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
# cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem



So now that we have the background....I'm getting a TLS error on start up:

Starting osa-dispatcher: Spacewalk 14899 2017/06/07 09:37:27 -07:00: ('Server 
does not support TLS - <starttls /> not in <features /> stanza',)

Searching this list, and googling leads me to this Red Hat document:

https://access.redhat.com/solutions/24937


Now, that document clearly says that the MD5sums for all of the jabber 
server.pem files should match........but if you follow the directions in the 
Redhat guide for setting it up...they cannot match.  I've tried it both 
ways.....same error.

I've gone through all the other troubleshooting, the CN matches FQDN and all 
that.


Everything but osa-dispatcher seems to work, the Web UI, I can bootstrap 
clients, I can run a remote command.....but because osad on the clients can't 
connect, I have to run "rhn_check" to get it to pick up the jobs.

I really hope somebody has some suggestions here.

Also, when I pick up my certificate, I have the following download 
options.....the cert, the cert WITH private key, the cert WITH CA Chain, or 
the cert WITH private key and CA Chain.

Now, I took the last, and split them all up into separate files...the crt, key, 
and root chain so my install could match the directions...  Excepting dealing 
with Jabber, most of the docs are pretty similar.  Nothing in any docs 
anywhere addresses what I do with the private key.  

I have cleaned up the server, and reinstalled 2.6 to a pristine state 4 or 5 
times now and tried various different variations, all with the same result.  

I know I'm doing something wrong and I'm sure it's regarding the jabber pem 
files, but I can NOT figure it out.
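
Added example (not part of the original post, and not Spacewalk or Red Hat code): a Python check of the two server.pem locations named in the commands quoted above. It reports whether each file holds a private key block and a certificate that OpenSSL loads as a pair, and whether the copies are byte-identical; the function names are illustrative, and SHA-256 stands in for the md5sum comparison.

```python
# Added example; function names are illustrative. Paths are the two from the quoted commands.
import hashlib
import re
import ssl
import sys

DEFAULT_PATHS = ("/etc/jabberd/server.pem", "/etc/pki/spacewalk/jabberd/server.pem")
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def pem_block_types(text):
    """Return the PEM block labels in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return PEM_BEGIN.findall(text)


def key_matches_cert(path):
    """True if OpenSSL loads a certificate and its matching unencrypted key from path."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path, password="")
        return True
    except (ssl.SSLError, OSError):  # unparsable, encrypted, missing or mismatched
        return False


def audit(paths=DEFAULT_PATHS):
    """Return a list of findings; an empty list means every check passed."""
    findings, digests = [], {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError as exc:
            findings.append(f"{path}: unreadable ({exc.strerror})")
            continue
        digests[path] = hashlib.sha256(data).hexdigest()  # equality check only
        types = pem_block_types(data.decode("ascii", "replace"))
        if not any(t.endswith("PRIVATE KEY") for t in types):
            findings.append(f"{path}: no private key block")
        if "CERTIFICATE" not in types:
            findings.append(f"{path}: no certificate block")
        elif not key_matches_cert(path):
            findings.append(f"{path}: key and certificate do not load as a pair")
    if len(set(digests.values())) > 1:
        findings.append("copies differ: " + ", ".join(sorted(digests)))
    return findings


if __name__ == "__main__":
    for line in audit(sys.argv[1:] or DEFAULT_PATHS):
        print(line)
```

Run it with no arguments to check the two default paths, or pass other PEM paths as arguments; no output means every check passed.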
