[Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

Eric ericb at enrsystems.com
Wed Jun 7 18:47:27 UTC 2017


Hmmm.  By chance do you actively use osad on the clients?  I know a lot of 
Spacewalk/Satellite server users do not use this.........

If you don't actually use it, what happens if you restart the osa-dispatcher 
service on Spacewalk?



I can't imagine it's another issue........as it works absolutely just fine 
until I install the 3rd party Certs.

On Wednesday 07 June 2017 18:30:01 Wilkinson, Matthew wrote:
> If all of that stuff works, the website cert, the clients, etc. then I think
> you did everything right. Your osa-dispatcher issue might be a different
> issue?
> 
> My /etc/jabberd/server.pem md5sum matches my
> /etc/pki/spacewalk/jabberd/server.pem but not my
> /root/ssl-build/eva/server.pem
> 
> --Matthew Wilkinson
> 
> 
> -----Original Message-----
> From: spacewalk-list-bounces at redhat.com
> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Eric
> Sent: Wednesday, June 07, 2017 13:21
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] More Spacewalk 26 Certificate
> Problems....can't get 3rd party cert to work with osa-dispatcher and jabber
> 
> [This is an external email. Be cautious with links, attachments and
> responses.]
> 
> **********************************************************************
> Thanks for the reply.
> 
> So, my question then is.........in the Redhat doc it has you do the jabber
> server.pem, but those directions specifically have you cat the key pair
> into one file.........by doing that the server.pem file will never match
> (md5sum) the server.pem file in the ssl-build directory....which the
> troubleshooting guide says it must.
> 
> My other question is........just how does Spacewalk expect the certs?  If I
> download the default, I get the cert, the private key, and the root chain
> in one single .pem file.  The docs all assume that you have just a cert
> file and a concatenated CA chain file.  I have pulled the actual
> certificate portion out of the single file (without the private key and
> without the root chain) and saved it as server.crt in the ssl-build
> directory.
> 
> I have pulled all the CA certs out and saved them as the
> RHN-ORG-TRUSTED-SSL-CERT file.
> 
> I have not done anything with the private key file portion, as there is
> nothing in the docs regarding that.
> 
> Am I doing something wrong with this?  All the checks and validations show
> ok, and the web UI works just fine, with the web page showing the expected
> cert when I look at the security options.
> 
> The ssl builds all work, the rpm's are created, everything deploys ok, I've
> copied it to clients......every single thing works........except
> osa-dispatcher.
> 
> I just cannot wrap my mind about this:
> 
> Redhat install directions:
> 
> # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
> # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
> # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
> 
> Redhat knowledge base article troubleshooting my EXACT error message
> (https://access.redhat.com/solutions/24937):
> 
> # md5sum /root/ssl-build/<hostname>/server.pem
> # md5sum /etc/pki/spacewalk/jabberd/server.pem /etc/jabberd/server.pem
> 
> If you follow the install directions, those server.pem files will never have
> a matching md5sum.
> On Wednesday 07 June 2017 17:46:06 Wilkinson, Matthew wrote:
> > You DO have to build a new server.pem and put it in place for Jabber.
> > 
> > --Matthew Wilkinson
> > 
> > 
> > -----Original Message-----
> > From: Wilkinson, Matthew
> > Sent: Wednesday, June 07, 2017 12:45
> > To: spacewalk-list at redhat.com
> > Subject: RE: [Spacewalk-list] More Spacewalk 26 Certificate
> > Problems....can't get 3rd party cert to work with osa-dispatcher and
> > jabber
> > 
> > I did this recently on my SW 2.6 server. You should follow Red Hat's
> > documentation on using signed SSL certs. Don't use Oracle's documentation.
> > 
> > I used these two websites and figured out how to get it working. Once you
> > get the server SSL working you have to redistribute the spacewalk cert to
> > all of the clients.
> > 
> > https://access.redhat.com/solutions/10809
> > 
> > https://access.redhat.com/solutions/15753
> > 
> > 
> > 
> > --Matthew Wilkinson
> > 
> > -----Original Message-----
> > From: spacewalk-list-bounces at redhat.com
> > [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Eric
> > Sent: Wednesday, June 07, 2017 11:59
> > To: spacewalk-list at redhat.com
> > Subject: [Spacewalk-list] More Spacewalk 26 Certificate Problems....can't
> > get 3rd party cert to work with osa-dispatcher and jabber
> > 
> > I've really beat myself into the ground with this for 3 days now and am
> > stumped.
> > 
> > Situation:  I've been running two Spacewalk servers for a while now,
> > brought them from 2.4 to 2.6.
> > 
> > I've just built a new one to move everything to, running 2.6.  Vanilla
> > build, tested and working, bootstrapped clients, pushed configurations,
> > osad and osa-dispatcher running fine.  This is a clean 2.6 install, not
> > an upgrade.
> > 
> >  Company policy recently changed and no more self-signed certs allowed.
> > 
> > Got my new certs.  There are multiple conflicting documents on doing this.
> > Like serious discrepancies.  Some have you replace/change the jabber
> > server.pem files, and some don't address it at all.
> > 
> > I primarily used these two docs to perform the install (I could not find a
> > 2.6 specific doc):
> > 
> > Oracle doc for 2.2
> > https://docs.oracle.com/cd/E37670_01/E64575/html/swk22-replace-cert.html
> > 
> > Redhat Doc (Dated April 2017, for Satellite 5.4 and later -> should cover
> > 2.6)
> > 
> > https://access.redhat.com/solutions/15753
> > 
> > 
> > The Oracle doc and most of the other docs do not address the server.pem
> > file for Jabber at all, just has you clear the jabber db and restart.
> > 
> > The Redhat doc says this:
> > 
> > # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
> > # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
> > # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
> > 
> > 
> > 
> > So now that we have the background....I'm getting a TLS error on start up:
> > 
> > Starting osa-dispatcher: Spacewalk 14899 2017/06/07 09:37:27 -07:00:
> > ('Server does not support TLS - <starttls /> not in <features /> stanza',)
> > 
> > Searching this list, and googling leads me to this Red Hat document:
> > 
> > https://access.redhat.com/solutions/24937
> > 
> > 
> > Now, that document clearly says that the MD5sums for all of the jabber
> > server.pem files should match........but if you follow the directions in
> > the Redhat guide for setting it up...they cannot match.  I've tried it
> > both ways.....same error.
> > 
> > I've gone through all the other troubleshooting, the CN matches FQDN and
> > all that.
> > 
> > 
> > Everything but osa-dispatcher seems to work, the Web UI, I can bootstrap
> > clients, I can run a remote command.....but because osad on the clients
> > can't connect, I have to run "rhn_check" to get it to pick up the jobs.
> > 
> > I really hope somebody has some suggestions here.
> > 
> > Also, when I pick up my certificate, I have the following download
> > options.....the cert, the cert WITH private key, the cert WITH CA Chain,
> > or the cert WITH private key and CA Chain.
> > 
> > Now, I took the last, and split them all up into separate files...the crt,
> > key, and root chain so my install could match the directions...  Excepting
> > dealing with Jabber, most of the docs are pretty similar.  Nothing in any
> > docs anywhere addresses what I do with the private key.
> > 
> > I have cleaned up the server, and reinstalled 2.6 to a pristine state 4 or
> > 5 times now and tried various different variations, all with the same
> > result.
> > 
> > I know I'm doing something wrong and I'm sure it's regarding the jabber
> > pem files, but I can NOT figure it out.
> > 
> > _______________________________________________
> > Spacewalk-list mailing list
> > Spacewalk-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/spacewalk-list

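An added example, not part of the thread or of Red Hat's documentation: the cp/cat steps quoted above build a server.pem that holds a private key followed by a certificate, and a whole-file md5sum only tells you whether two files are byte-identical. This sketch uses the openssl CLI to check the parts instead, namely that the key and certificate inside one combined file belong together and that two files carry the same certificate. The function names are hypothetical; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Requires the openssl CLI.

# Public key derived from the first private key found in file $1.
# "-passin pass:" makes an encrypted key fail instead of prompting.
pub_from_key()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }
# Public key embedded in the first certificate found in file $1.
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Check a combined PEM (private key + certificate in one file).
# Returns 0 = matching pair, 1 = mismatch, 2 = no key, 3 = no cert, 4 = unparsable.
check_combined_pem() {
    pem=$1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "$pem: no private key block"; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate block"; return 3; }
    kpub=$(pub_from_key "$pem")  || { echo "$pem: cannot parse private key"; return 4; }
    cpub=$(pub_from_cert "$pem") || { echo "$pem: cannot parse certificate"; return 4; }
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then
        echo "$pem: private key matches certificate"
    else
        echo "$pem: private key does NOT match certificate"; return 1
    fi
}

# True when the first certificate in $1 and in $2 is the same certificate,
# even if the files differ byte-for-byte (extra key block, ordering, whitespace).
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# Usage: sh check_pem.sh /etc/jabberd/server.pem /etc/httpd/conf/ssl.crt/server.crt
if [ "$#" -ge 1 ]; then
    check_combined_pem "$1" || exit $?
    if [ "$#" -ge 2 ]; then
        if same_cert "$1" "$2"; then echo "same certificate as $2"
        else echo "different certificate than $2"; exit 1; fi
    fi
fi
```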


