[Spacewalk-list] More Spacewalk 26 Certificate Problems....can't get 3rd party cert to work with osa-dispatcher and jabber

Eric ericb at enrsystems.com
Wed Jun 7 22:43:15 UTC 2017


So I started from a clean slate, rebuilt everything.....SAME problem.  I 
started by testing my fresh 2.6 installation.  I bootstrapped a client, pushed 
remote commands, verified osa/jabberd was running without any problems.

Followed the Oracle 2.6 install directions exactly.  Zero deviation.

osa-dispatcher will not start:

Starting osa-dispatcher: Spacewalk 13057 2017/06/07 14:09:02 -07:00: ('Server 
does not support TLS - <starttls /> not in <features /> stanza',)
Spacewalk 13057 2017/06/07 14:09:02 -07:00: ('Traceback (most recent call 
last):\n  File "/usr/share/rhn/osad/jabber_lib.py", line 266, in 
setup_connection\n    c = self._get_jabber_client(js)\n  File 
"/usr/share/rhn/osad/jabber_lib.py", line 338, in _get_jabber_client\n    
c.connect()\n  File "/usr/share/rhn/osad/jabber_lib.py", line 643, in 
connect\n    raise SSLDisabledError\nSSLDisabledError\n',)
 

I went through every troubleshooting doc I could find on this, the FQDN matches 
what's in the cert, all of the checks pass, I cannot see any reason for this 
not working.  I am NOT running SELINUX.....it's not a firewall issue as system 
works fine with self signed certs.

I just can't figure out where I'm going wrong unless it is a problem with the 
way certs are delivered (Venafi) to me.......but they work on the WebUI with no 
issues....so it's just the osa/jabber config.

I will take any suggestions on where to look for troubleshooting.  

On Thursday 08 June 2017 07:42:56 Avi Miller wrote:
> Hi,
> 
> > On 8 Jun 2017, at 7:35 am, Eric <ericb at enrsystems.com> wrote:
> > 
> > Avi,
> > 
> > Still not working.  I followed the Oracle document for 2.6
> > (https://docs.oracle.com/cd/E52668_01/E85212/html/sw22-replace-cert.html)
> > exactly...........and still get the same exact error.
> 
> We’ve tested this process several times (and do it for every release) so I’m
> concerned this is not working for you.
> 
> > In your blog, you have this:
> > 
> > # cd /root/ssl-build/<hostname>/
> > # mv server.crt server.crt.self-signed
> > # mv server.key server.key.self-signed
> > # ln -s /etc/letsencrypt/live/<fqdn>/fullchain.pem server.crt
> > # ln -s /etc/letsencrypt/live/<fqdn>/privkey.pem server.key
> > 
> > Neither the Oracle doc nor the Red Hat doc makes ANY mention of the
> > server.key file.
> 
> Correct, because neither we nor they consider the Let’s Encrypt use case,
> which does auto-updating. My blog outlines how to connect Spacewalk to the
> Let’s Encrypt certificates. This is not something that’s necessary with
> 3rd-party (CA signed) certificates. In this case, there is additional work
> to be done so that the regularly-updated Let’s Encrypt certificates are
> used and Spacewalk always points to the latest certificate, as updated by
> certbot.
> 
> > I'm really at a loss with this.  In literally days of searching for
> > information on this.....I cannot find a single instance of somebody
> > actually successfully getting osa-dispatcher and jabber running after
> > moving to a CA signed certificate, just tons of posts with the same
> > errors I'm getting asking for help...but I cannot find any
> > resolution....it seems that everybody has given up and just stayed with
> > self signed certs.
> 
> All of my setups use CA signed certificates. All our internal instances do
> too. My personal setup uses the Let’s Encrypt configuration documented in
> my blog, while my corporate instance uses a certificate provided by our
> Managed PKI system. Both instances are running jabberd/osa without any
> issues at all. In fact, both setups have also switched the jabberd database
> to PostgreSQL (personal setup) and SQLite (corporate).
> 
> I have lots of customers using either internally PKI-signed or externally CA
> signed certificates with their Spacewalk instances and all followed our
> documentation. All are working fine too.
> 
> Cheers,
> Avi
> 
> --
> Oracle <http://www.oracle.com>
> Avi Miller | Product Management Director | +61 (3) 8616 3496
> Oracle Linux and Virtualization
> 417 St Kilda Road, Melbourne, Victoria 3004 Australia
> 
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
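
The osa-dispatcher error quoted at the top of this message is raised when the stream features sent back by the XMPP server contain no `<starttls/>` element. The following Python check is an added example, not part of the original thread or of Spacewalk's code: it classifies a server's feature advertisement so the condition can be confirmed independently of osa-dispatcher. The function names, the sample replies (constructed, with a made-up hostname) and the use of the standard XMPP client port 5222 are assumptions.

```python
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
# Constructed sample server replies (hostname and stream id are made up).
_HEADER = ("<?xml version='1.0'?><stream:stream xmlns:stream='%s' "
           "xmlns='jabber:client' from='spacewalk.example.com' "
           "version='1.0' id='constructed1'>" % NS_STREAM)
_SASL = ("<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
         "<mechanism>DIGEST-MD5</mechanism></mechanisms>")
SAMPLE_WITH_TLS = (_HEADER + "<stream:features><starttls xmlns='%s'/>" % NS_TLS
                   + _SASL + "</stream:features>")
SAMPLE_NO_TLS = _HEADER + "<stream:features>" + _SASL + "</stream:features>"

def starttls_status(data):
    """Classify a server reply: 'offered', 'required', 'missing', 'no-features'."""
    start = data.find("<stream:features")
    gt = data.find(">", start) if start != -1 else -1
    if gt == -1:
        return "no-features"
    if data[gt - 1] == "/":                      # self-closed: no features listed
        frag = data[start:gt + 1]
    else:
        end = data.find("</stream:features>", gt)
        if end == -1:
            return "no-features"                 # reply was truncated
        frag = data[start:end + len("</stream:features>")]
    # The stream: prefix is declared on the still-open <stream:stream> header,
    # so re-declare it on a wrapper element to parse the fragment on its own.
    root = ET.fromstring("<w xmlns:stream='%s'>%s</w>" % (NS_STREAM, frag))
    tls = root.find("{%s}features/{%s}starttls" % (NS_STREAM, NS_TLS))
    if tls is None:
        return "missing"                         # the case osa-dispatcher reported
    return "required" if tls.find("{%s}required" % NS_TLS) is not None else "offered"

def probe(host, port=5222, timeout=5.0):
    """Open an XMPP client stream to host:port (assumed 5222) and classify it."""
    hello = ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
             "xmlns:stream='%s' version='1.0'>" % (host, NS_STREAM))
    buf = ""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello.encode())
        while "</stream:features>" not in buf and "<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk.decode("utf-8", "replace")
    return starttls_status(buf)
```

Calling `probe()` with the server's FQDN from the machine that runs osa-dispatcher returns `missing` when the server is in the state shown in the traceback, and `offered` or `required` once TLS is being advertised again.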




