[Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber
Wilkinson, Matthew
MatthewWilkinson at alliantenergy.com
Wed Jun 7 17:45:25 UTC 2017
I did this recently on my SW 2.6 server. You should follow Red Hat's documentation on using signed SSL certs. Don't use Oracle's documentation.
I used these two websites and figured out how to get it working. Once you get the server SSL working you have to redistribute the spacewalk cert to all of the clients.
https://access.redhat.com/solutions/10809
https://access.redhat.com/solutions/15753
--Matthew Wilkinson
-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Eric
Sent: Wednesday, June 07, 2017 11:59
To: spacewalk-list at redhat.com
Subject: [Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber
I've really beat myself into the ground with this for 3 days now and am stumped.
Situation: I've been running two Spacewalk servers for a while now, brought them from 2.4 to 2.6.
I've just built a new one to move everything to, running 2.6. Vanilla build, tested and working, bootstrapped clients, pushed configurations, osad and osa-dispatcher running fine. This is a clean 2.6 install, not an upgrade.
Company policy recently changed and no more self-signed certs allowed.
Got my new certs. There are multiple conflicting documents on doing this.
Like serious discrepancies. Some have you replace/change the jabber server.pem files, and some don't address it at all.
I primarily used these two docs to perform the install (I could not find a 2.6 specific doc):
Oracle doc for 2.2
https://docs.oracle.com/cd/E37670_01/E64575/html/swk22-replace-cert.html
Redhat Doc (Dated April 2017, for Satellite 5.4 and later -> should cover 2.6)
https://access.redhat.com/solutions/15753
The Oracle doc and most of the other docs do not address the server.pem file for Jabber at all, just has you clear the jabber db and restart.
The Redhat doc says this:
# cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
# cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
# cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
So now that we have the background....I'm getting a TLS error on start up:
Starting osa-dispatcher: Spacewalk 14899 2017/06/07 09:37:27 -07:00: ('Server does not support TLS - <starttls /> not in <features /> stanza',)
Searching this list, and googling leads me to this Red Hat document:
https://access.redhat.com/solutions/24937
Now, that document clearly says that the MD5sums for all of the jabber server.pem files should match........but if you follow the directions in the Redhat guide for setting it up...they cannot match. I've tried it both ways.....same error.
I've gone through all the other troubleshooting, the CN matches FQDN and all that.
Everything but osa-dispatcher seems to work, the Web UI, I can bootstrap
clients, I can run a remote command.....but because osad on the clients can't
connect, I have to run "rhn_check" to get it to pick up the jobs.
I really hope somebody has some suggestions here.
Also, when I pick up my certificate, I have the following download
options.....the cert, the cert WITH private key, the cert WITH CA Chain, or
the cert WITH private key and CA Chain.
Now, I took the last, and split them all up into separate files...the crt, key,
and root chain so my install could match the directions... Excepting dealing
with Jabber, most of the docs are pretty similar. Nothing in any docs
anywhere addresses what I do with the private key.
I have cleaned up the server, and reinstalled 2.6 to a pristine state 4 or 5
times now and tried various different variations, all with the same result.
I know I'm doing something wrong and I'm sure it's regarding the jabber pem
files, but I can NOT figure it out.
_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
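Added example, not part of the original thread or of the Red Hat or Oracle documents: a POSIX shell check for the two properties the quoted cp/cat steps are meant to produce, namely that each jabberd server.pem starts with a private key block followed by a certificate block, and that the copies are byte-identical. The function names and the constructed demo files are assumptions; the paths in the usage comment are the ones quoted in the message.

```bash
# Added example: sanity-check jabberd server.pem copies (function names are hypothetical).
# Usage on a server, with the paths quoted in the thread:
#   check_jabber_pems /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem

# Print the PEM block labels found in a file, in order, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed when the first block is a private key and a certificate block follows it.
pem_has_key_then_cert() {
    _labels=$(pem_labels "$1") || return 1
    _first=$(printf '%s\n' "$_labels" | head -n 1)
    case "$_first" in
        *"PRIVATE KEY") ;;
        *) echo "FAIL $1: first block is '${_first:-none}', expected a private key" >&2
           return 1 ;;
    esac
    if ! printf '%s\n' "$_labels" | tail -n +2 | grep -qx 'CERTIFICATE'; then
        echo "FAIL $1: no certificate block after the key" >&2
        return 1
    fi
    return 0
}

# Succeed when every file passes the layout check and matches the first file byte for byte.
check_jabber_pems() {
    _ref=$1 _rc=0
    for _f in "$@"; do
        pem_has_key_then_cert "$_f" || _rc=1
        cmp -s "$_ref" "$_f" || { echo "FAIL $_f: differs from $_ref" >&2; _rc=1; }
    done
    return $_rc
}

# Demo on constructed PEM-shaped files (bodies are placeholders, not key material).
demo() {
    _d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$_d/a.pem"
    cp "$_d/a.pem" "$_d/b.pem"
    check_jabber_pems "$_d/a.pem" "$_d/b.pem"; _out=$?
    rm -rf "$_d"
    return $_out
}
```

This checks layout and identity only; it does not verify that the key and the certificate belong together.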