[Spacewalk-list] "Peer's certificate issuer has been marked as not trusted by the user."

Robert Paschedag robert.paschedag at web.de
Thu Nov 2 07:28:05 UTC 2017


On 2 November 2017 08:24:10 CET, "Vipul Sharma (DevOps)" <sharma.vipul at in.g4s.com> wrote:
>I have tested 2 different URLs -
>
>*This one was from your article -*
>
>curl -v https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>* About to connect() to cdn.redhat.com port 443 (#0)
>*   Trying 2.16.30.83...
>* Connected to cdn.redhat.com (2.16.30.83) port 443 (#0)
>* Initializing NSS with certpath: sql:/etc/pki/nssdb
>*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CApath: none
>* Server certificate:
>*       subject: CN=cdn.redhat.com,OU=Red Hat Network,O=Red Hat,L=Raleigh,ST=North Carolina,C=US
>*       start date: May 14 19:48:02 2014 GMT
>*       expire date: May 11 19:48:02 2024 GMT
>*       common name: cdn.redhat.com
>*       issuer: E=ca-support at redhat.com,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
>* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>* Peer's certificate issuer has been marked as not trusted by the user.
>* Closing connection 0
>curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>
>-----------------------------------------------------------
>
>*This is from Google-Cloud - Pretty much the same result -*
>
>curl -v https://cds.rhel.updates.googlecloud.com/pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/os/repodata/repomd.xml
>* About to connect() to cds.rhel.updates.googlecloud.com port 443 (#0)
>*   Trying 23.236.57.179...
>* Connected to cds.rhel.updates.googlecloud.com (23.236.57.179) port 443 (#0)
>* Initializing NSS with certpath: sql:/etc/pki/nssdb
>*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CApath: none
>* Server certificate:
>*       subject: CN=cds.rhel.updates.googlecloud.com,OU=SomeOrgUnit,O=SomeOrg,ST=North Carolina,C=US
>*       start date: Sep 23 05:18:30 2017 GMT
>*       expire date: Sep 25 05:18:30 2037 GMT
>*       common name: cds.rhel.updates.googlecloud.com
>*       issuer: CN=RHUI Certificate Authority,OU=SomeOrgUnit,O=SomeOrg,L=Raleigh,ST=North Carolina,C=US
>* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>* Peer's certificate issuer has been marked as not trusted by the user.
>* Closing connection 0
>curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>
>Thanks
>
>On Thu, Nov 2, 2017 at 12:36 PM, Robert Paschedag
><robert.paschedag at web.de>
>wrote:
>
>> On 2 November 2017 07:29:16 CET, "Vipul Sharma (DevOps)" <
>> sharma.vipul at in.g4s.com> wrote:
>> >In spacewalk, I had to manually create this file -->
>> >*file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release*, & then copy/pasted
>> >the KEY from RHEL server to this location in Spacewalk server.
>> >
>> >Some Doubts :-
>> >
>> >Does this require importing this file?
>> >
>> >I'm running spacewalk without a CA certified certificate. Does that
>> >impact the overall config for RHEL Repo in Spacewalk?
>> >
>> >Thanks
>> >Vipul
>> >
>> >On Thu, Nov 2, 2017 at 11:49 AM, Robert Paschedag
>> ><robert.paschedag at web.de>
>> >wrote:
>> >
>> >> On 2 November 2017 05:13:12 CET, "Vipul Sharma (DevOps)" <
>> >> sharma.vipul at in.g4s.com> wrote:
>> >> >Hi Michael,
>> >> >
>> >> >We are using registered system through 'Google-Cloud' - I have copied
>> >> >everything very carefully from RHEL.repo into spacewalk, Including all
>> >> >the .cert & .pem files.
>> >> >
>> >> >Just unable to figure out what's wrong with it for the time being -
>> >> >
>> >> >Thanks
>> >> >
>> >> >On Wed, Nov 1, 2017 at 5:36 PM, Michael Mraka
>> >> ><michael.mraka at redhat.com>
>> >> >wrote:
>> >> >
>> >> >> Vipul Sharma (DevOps):
>> >> >> > Hi Robert,
>> >> >> >
>> >> >> > I need your 'HELP' - I went according to your configuration for
>> >> >> > downloading RHEL repos into 'Spacewalk' - But, I'm facing some issues
>> >> >> > while doing that, Can you be humble enough to take a look into my
>> >> >> > issue --
>> >> >> >
>> >> >> > *This is the error -*
>> >> >> >
>> >> >> > 10:01:26 | Channel: rhel-base
>> >> >> > 10:01:26 ======================================
>> >> >> > 10:01:26 Sync of channel started.
>> >> >> > 10:01:26 Repo URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>> >> >> > 10:01:27 ERROR: failure: repodata/repomd.xml from content_dist_rhel_server_7_7Server_x86_64_os: [Errno 256] No more mirrors to try.
>> >> >> > *https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."*
>> >> >> > 10:01:27 Sync of channel completed in 0:00:00.
>> >> >> > 10:01:27 Total time: 0:00:00
>> >> >> >
>> >> >> > ---------------------------------------------
>> >> >> >
>> >> >> > My Spacewalk server is running unauthorized CA-CERT, Is this
>> >> >> > because of that ?
>> >> >>
>> >> >> You need a proper Red Hat Subscription to be able to download Red Hat
>> >> >> content from CDN.
>> >> >>
>> >> >> Regards,
>> >> >>
>> >> >> --
>> >> >> Michael Mráka
>> >> >> System Management Engineering, Red Hat
>> >> >>
>> >>
>> >> To me, this sounds as if one of the "signing" CAs of RedHat's servers is
>> >> not trusted by "you".
>> >>
>> >> Robert
>> >>
>>
>> Please try to curl the URL.
>>
>> curl -vv -1 https://....
>>
>> See the same error?
>>
>> Robert
>>

You have to get the "issuer" certs from RedHat (download from web?) and add them to your trusted CA store.
Robert
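
The failure in this thread and the fix suggested above, reproduced offline as an added example (not part of the original posts): a constructed CA signs a server certificate, verification fails while the CA bundle lacks that issuer and succeeds once the issuer is appended. All subject names, file names and helper functions are made up for the demo; it assumes `openssl` is installed.

```bash
#!/usr/bin/env bash
# Constructed demo: every subject name and file here is made up for the example.

# new_ca DIR NAME CN: self-signed CA certificate DIR/NAME.pem with key DIR/NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example Org/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_server_cert DIR: DIR/server.pem for repo.example.test, signed by DIR/issuer.pem
new_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=repo.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 1 -CA "$1/issuer.pem" \
        -CAkey "$1/issuer.key" -CAcreateserial -out "$1/server.pem" 2>/dev/null
}

# issuer_of CERT: the same "issuer" field that curl -v prints for the peer
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# chain_trusted BUNDLE CERT: succeeds if openssl can chain CERT to a trusted CA,
# with BUNDLE passed as the -CAfile
chain_trusted() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# build_demo DIR: bundle.pem stands in for a CA bundle that lacks the issuer
build_demo() {
    new_ca "$1" issuer "Example Issuing CA"
    new_ca "$1" other  "Unrelated Public CA"
    new_server_cert "$1"
    cp "$1/other.pem" "$1/bundle.pem"
}

# add_issuer DIR: append the issuer CA to the bundle, i.e. start trusting it
add_issuer() { cat "$1/issuer.pem" >> "$1/bundle.pem"; }

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
issuer_of "$demo_dir/server.pem"
chain_trusted "$demo_dir/bundle.pem" "$demo_dir/server.pem" \
    && echo "before: trusted" || echo "before: untrusted issuer"
add_issuer "$demo_dir"
chain_trusted "$demo_dir/bundle.pem" "$demo_dir/server.pem" \
    && echo "after: trusted" || echo "after: untrusted issuer"
rm -rf "$demo_dir"
```

On the RHEL 7 host from the thread, the equivalent of `add_issuer` is placing the issuer PEM in /etc/pki/ca-trust/source/anchors/ and running `update-ca-trust`, which regenerates the ca-bundle.crt that curl lists as CAfile. Check the certificate's fingerprint against a source you trust before adding it.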



