[Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

Wilkinson, Matthew MatthewWilkinson at alliantenergy.com
Wed Jun 7 18:30:01 UTC 2017


If all of that stuff works, the website cert, the clients, etc. then I think you did everything right. Your osa-dispatcher issue might be a different issue?

My /etc/jabberd/server.pem md5sum matches my /etc/pki/spacewalk/jabberd/server.pem but not my /root/ssl-build/eva/server.pem

--Matthew Wilkinson


-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Eric
Sent: Wednesday, June 07, 2017 13:21
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

Thanks for the reply.

So, my question then is.........in the Redhat doc it has you do the jabber server.pem, but those directions specifically have you cat the key pair into one file.........by doing that the server.pem file will never match (md5sum) the server.pem file in the ssl-build directory....which the troubleshooting guide says it must.

My other question is........just how does Spacewalk expect the certs?  If I download the default, I get the cert, the private key, and the root chain in one single .pem file.  The docs all assume that you have just a cert file and a concatenated CA chain file.  I have pulled the actual certificate portion out of the single file (without the private key and without the root chain) and saved it as server.crt in the ssl-build directory.

I have pulled all the CA certs out and saved them as the RHN-ORG-TRUSTED-SSL-CERT file.

I have not done anything with the private key file portion, as there is nothing in the docs regarding that.

Am I doing something wrong with this?  All the checks and validations show ok, and the web UI works just fine, with the web page showing the expected cert when I look at the security options.  

The ssl builds all work, the rpm's are created, everything deploys ok, I've copied it to clients......every single thing works........except osa-dispatcher.

I just cannot wrap my mind about this:

Redhat install directions:

# cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
# cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
# cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem

Redhat knowledge base article troubleshooting my EXACT error message
(https://access.redhat.com/solutions/24937):

# md5sum /root/ssl-build/<hostname>/server.pem
# md5sum /etc/pki/spacewalk/jabberd/server.pem /etc/jabberd/server.pem

If you follow the install directions, those server.pem files will never have a matching md5sum.





On Wednesday 07 June 2017 17:46:06 Wilkinson, Matthew wrote:
> You DO have to build a new server.pem and put it in place for Jabber.
> 
> --Matthew Wilkinson
> 
> 
> -----Original Message-----
> From: Wilkinson, Matthew
> Sent: Wednesday, June 07, 2017 12:45
> To: spacewalk-list at redhat.com
> Subject: RE: [Spacewalk-list] More Spacewalk 26 Certificate
> Problems....can't get 3rd party cert to work with osa-dispatcher and jabber
> 
> I did this recently on my SW 2.6 server. You should follow Red Hat's
> documentation on using signed SSL certs. Don't use Oracle's documentation.
> 
> I used these two websites and figured out how to get it working. Once you get
> the server SSL working you have to redistribute the spacewalk cert to all
> of the clients.
> 
> https://access.redhat.com/solutions/10809
> 
> https://access.redhat.com/solutions/15753
> 
> 
> 
> --Matthew Wilkinson
> 
> -----Original Message-----
> From: spacewalk-list-bounces at redhat.com
> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Eric
> Sent: Wednesday, June 07, 2017 11:59
> To: spacewalk-list at redhat.com
> Subject: [Spacewalk-list] More Spacewalk 26 Certificate Problems....can't
> get 3rd party cert to work with osa-dispatcher and jabber
> 
> I've really beat myself into the ground with this for 3 days now and am
> stumped.
> 
> Situation:  I've been running two Spacewalk servers for a while now, brought
> them from 2.4 to 2.6.
> 
> I've just built a new one to move everything to, running 2.6.  Vanilla
> build, tested and working, bootstrapped clients, pushed configurations,
> osad and osa-dispatcher running fine.  This is a clean 2.6 install, not an
> upgrade.
> 
>  Company policy recently changed and no more self-signed certs allowed.
> 
> Got my new certs.  There are multiple conflicting documents on doing this.
> Like serious discrepancies.  Some have you replace/change the jabber
> server.pem files, and some don't address it at all.
> 
> I primarily used these two docs to perform the install (I could not find a
> 2.6 specific doc):
> 
> Oracle doc for 2.2
> https://docs.oracle.com/cd/E37670_01/E64575/html/swk22-replace-cert.html
> 
> Redhat Doc (Dated April 2017, for Satellite 5.4 and later -> should cover
> 2.6)
> 
> https://access.redhat.com/solutions/15753
> 
> 
> The Oracle doc and most of the other docs do not address the server.pem file
> for Jabber at all, just has you clear the jabber db and restart.
> 
> The Redhat doc says this:
> 
> # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
> # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
> # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
> 
> 
> 
> So now that we have the background....I'm getting a TLS error on start up:
> 
> Starting osa-dispatcher: Spacewalk 14899 2017/06/07 09:37:27 -07:00:
> ('Server does not support TLS - <starttls /> not in <features /> stanza',)
> 
> Searching this list, and googling leads me to this Red Hat document:
> 
> https://access.redhat.com/solutions/24937
> 
> 
> Now, that document clearly says that the MD5sums for all of the jabber
> server.pem files should match........but if you follow the directions in
> the Redhat guide for setting it up...they cannot match.  I've tried it both
> ways.....same error.
> 
> I've gone through all the other troubleshooting, the CN matches FQDN and all
> that.
> 
> 
> Everything but osa-dispatcher seems to work, the Web UI, I can bootstrap
> clients, I can run a remote command.....but because osad on the clients
> can't connect, I have to run "rhn_check" to get it to pick up the jobs.
> 
> I really hope somebody has some suggestions here.
> 
> Also, when I pick up my certificate, I have the following download
> options.....the cert, the cert WITH private key, the cert WITH CA Chain, or
> the cert WITH private key and CA Chain.
> 
> Now, I took the last, and split them all up into separate files...the crt,
> key, and root chain so my install could match the directions...  Excepting
> dealing with Jabber, most of the docs are pretty similar.  Nothing in any
> docs anywhere addresses what I do with the private key.
> 
> I have cleaned up the server, and reinstalled 2.6 to a pristine state 4 or 5
> times now and tried various different variations, all with the same result.
> 
> I know I'm doing something wrong and I'm sure it's regarding the jabber pem
> files, but I can NOT figure it out.
> 

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
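
Added example, not part of any message in this thread: a whole-file checksum such as md5sum only matches when two server.pem files are byte-identical, so this sketch compares PEM bundles block by block to show whether they hold the same key and certificate material in a different order or with extra chain certificates. The function names and the sample key and certificate bytes are constructed for illustration; it does not check that the key belongs to the certificate or what layout jabberd requires.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, sha256-of-decoded-bytes)] for each PEM block, in file order."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        # Drop blank lines and RFC 1421 header lines (e.g. "Proc-Type: 4,ENCRYPTED").
        b64 = "".join(l.strip() for l in body.splitlines() if l.strip() and ":" not in l)
        blocks.append((label, hashlib.sha256(base64.b64decode(b64)).hexdigest()))
    return blocks

def compare_bundles(a, b):
    """Compare two PEM bundles by what they contain, not by whole-file checksum."""
    blocks_a, blocks_b = pem_blocks(a), pem_blocks(b)
    return {
        # Plays the role of the md5sum comparison: true only for identical bytes.
        "same_file_checksum": hashlib.sha256(a.encode()).digest()
        == hashlib.sha256(b.encode()).digest(),
        "same_order": blocks_a == blocks_b,
        "same_blocks": sorted(blocks_a) == sorted(blocks_b),
        "only_in_a": [lbl for lbl, d in blocks_a if (lbl, d) not in blocks_b],
        "only_in_b": [lbl for lbl, d in blocks_b if (lbl, d) not in blocks_a],
    }

def make_pem(label, payload):
    """Wrap constructed bytes in PEM armor (sample data only, not real key material)."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

# Constructed stand-ins for the private key, server certificate and CA certificate.
KEY = make_pem("PRIVATE KEY", b"constructed key bytes")
CERT = make_pem("CERTIFICATE", b"constructed server certificate bytes")
CA = make_pem("CERTIFICATE", b"constructed CA certificate bytes")

KEY_THEN_CERT = KEY + CERT        # order produced by the cp + cat >> commands
CERT_THEN_KEY = CERT + KEY        # same material, opposite order
KEY_CERT_CHAIN = KEY + CERT + CA  # same material plus a chain certificate

if __name__ == "__main__":
    print(compare_bundles(KEY_THEN_CERT, CERT_THEN_KEY))
    print(compare_bundles(KEY_THEN_CERT, KEY_CERT_CHAIN))
```
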



