[Spacewalk-list] "Peer's certificate issuer has been marked as not trusted by the user."

Robert Paschedag robert.paschedag at web.de
Thu Nov 2 08:40:02 UTC 2017


On 2 November 2017 08:47:00 CET, "Vipul Sharma (DevOps)" <sharma.vipul at in.g4s.com> wrote:
>Hi,
>
>I imported the new keyfile downloaded from Red-Hat -
>
>
>
>*gpg: key FD431D51: public key "Red Hat, Inc. (release key 2) <security at redhat.com>" imported
>gpg: Total number processed: 1
>gpg:               imported: 1  (RSA: 1)*
>
>
>But, If we run gpg --list-keys - It shows me 2 different versions of
>that,
>What's that about, Any ideas?
>
>
>
>
>
>*pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
>uid                  Red Hat, Inc (Red Hat Network) <rhn-feedback at redhat.com>
>pub   4096R/FD431D51 2009-10-22
>uid                  Red Hat, Inc. (release key 2) <security at redhat.com>*
>
>
>
>Also, I checked ca-bundle.crt, I found no chain for Red-Hat over there
>-
>
>Thanks
>Vipul
>
>On Thu, Nov 2, 2017 at 12:58 PM, Robert Paschedag
><robert.paschedag at web.de>
>wrote:
>
>> On 2 November 2017 08:24:10 CET, "Vipul Sharma (DevOps)" <
>> sharma.vipul at in.g4s.com> wrote:
>> >I have tested 2 different URLs -
>> >
>> >*This one was from your article -*
>> >
>> >curl -v https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>> >* About to connect() to cdn.redhat.com port 443 (#0)
>> >*   Trying 2.16.30.83...
>> >* Connected to cdn.redhat.com (2.16.30.83) port 443 (#0)
>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
>> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> >  CApath: none
>> >* Server certificate:
>> >*       subject: CN=cdn.redhat.com,OU=Red Hat Network,O=Red Hat,L=Raleigh,ST=North Carolina,C=US
>> >*       start date: May 14 19:48:02 2014 GMT
>> >*       expire date: May 11 19:48:02 2024 GMT
>> >*       common name: cdn.redhat.com
>> >*       issuer: E=ca-support at redhat.com,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>> >* Peer's certificate issuer has been marked as not trusted by the user.
>> >* Closing connection 0
>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>> >
>> >-----------------------------------------------------------
>> >
>> >*This is from Google-Cloud - Pretty much the same result -*
>> >
>> >curl -v https://cds.rhel.updates.googlecloud.com/pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/os/repodata/repomd.xml
>> >* About to connect() to cds.rhel.updates.googlecloud.com port 443 (#0)
>> >*   Trying 23.236.57.179...
>> >* Connected to cds.rhel.updates.googlecloud.com (23.236.57.179) port 443 (#0)
>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
>> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> >  CApath: none
>> >* Server certificate:
>> >*       subject: CN=cds.rhel.updates.googlecloud.com,OU=SomeOrgUnit,O=SomeOrg,ST=North Carolina,C=US
>> >*       start date: Sep 23 05:18:30 2017 GMT
>> >*       expire date: Sep 25 05:18:30 2037 GMT
>> >*       common name: cds.rhel.updates.googlecloud.com
>> >*       issuer: CN=RHUI Certificate Authority,OU=SomeOrgUnit,O=SomeOrg,L=Raleigh,ST=North Carolina,C=US
>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>> >* Peer's certificate issuer has been marked as not trusted by the user.
>> >* Closing connection 0
>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>> >
>> >Thanks
>> >
>> >On Thu, Nov 2, 2017 at 12:36 PM, Robert Paschedag
>> ><robert.paschedag at web.de>
>> >wrote:
>> >
>> >> On 2 November 2017 07:29:16 CET, "Vipul Sharma (DevOps)" <
>> >> sharma.vipul at in.g4s.com> wrote:
>> >> >In spacewalk, I had to manually create this file -->
>> >> >*file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release*, & then copy/pasted the
>> >> >KEY from RHEL server to this location in Spacewalk server.
>> >> >
>> >> >Some Doubts :-
>> >> >
>> >> >Does this require importing this file?
>> >> >
>> >> >I'm running spacewalk without CA certified certificate. Does that impact
>> >> >the overall config for RHEL Repo in Spacewalk?
>> >> >
>> >> >Thanks
>> >> >Vipul
>> >> >
>> >> >On Thu, Nov 2, 2017 at 11:49 AM, Robert Paschedag
>> >> ><robert.paschedag at web.de>
>> >> >wrote:
>> >> >
>> >> >> On 2 November 2017 05:13:12 CET, "Vipul Sharma (DevOps)" <
>> >> >> sharma.vipul at in.g4s.com> wrote:
>> >> >> >Hi Michael,
>> >> >> >
>> >> >> >We are using registered system through 'Google-Cloud' - I have copied
>> >> >> >everything very carefully from RHEL.repo into spacewalk, Including all the
>> >> >> >.cert & .pem files.
>> >> >> >
>> >> >> >Just unable to figure out what's wrong with it for the time being -
>> >> >> >
>> >> >> >Thanks
>> >> >> >
>> >> >> >On Wed, Nov 1, 2017 at 5:36 PM, Michael Mraka
>> >> >> ><michael.mraka at redhat.com>
>> >> >> >wrote:
>> >> >> >
>> >> >> >> Vipul Sharma (DevOps):
>> >> >> >> > Hi Robert,
>> >> >> >> >
>> >> >> >> > I need your 'HELP' - I went according to your configuration for downloading
>> >> >> >> > RHEL repos into 'Spacewalk'  - But, I'm facing some issues while doing
>> >> >> >> > that, Can you be humble enough to take a look into my issue --
>> >> >> >> >
>> >> >> >> > *This is the error -*
>> >> >> >> >
>> >> >> >> > 10:01:26 | Channel: rhel-base
>> >> >> >> > 10:01:26 ======================================
>> >> >> >> > 10:01:26 Sync of channel started.
>> >> >> >> > 10:01:26 Repo URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>> >> >> >> > 10:01:27 ERROR: failure: repodata/repomd.xml from content_dist_rhel_server_7_7Server_x86_64_os: [Errno 256] No more mirrors to try.
>> >> >> >> > *https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."*
>> >> >> >> > 10:01:27 Sync of channel completed in 0:00:00.
>> >> >> >> > 10:01:27 Total time: 0:00:00
>> >> >> >> >
>> >> >> >> > ---------------------------------------------
>> >> >> >> >
>> >> >> >> > My Spacewalk server is running unauthorized CA-CERT, Is this because of
>> >> >> >> > that ?
>> >> >> >>
>> >> >> >> You need a proper Red Hat Subscription to be able to download Red Hat
>> >> >> >> content from CDN.
>> >> >> >>
>> >> >> >> Regards,
>> >> >> >>
>> >> >> >> --
>> >> >> >> Michael Mráka
>> >> >> >> System Management Engineering, Red Hat
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> Spacewalk-list mailing list
>> >> >> >> Spacewalk-list at redhat.com
>> >> >> >> https://www.redhat.com/mailman/listinfo/spacewalk-list
>> >> >>
>> >> >> For me, this sounds as one of the "signing" CA of RedHat's servers is not
>> >> >> trusted by "you".
>> >> >>
>> >> >> Robert
>> >> >>
>> >>
>> >> Please try to curl the URL.
>> >>
>> >> curl -vv -1 https://....
>> >>
>> >> See the same error?
>> >>
>> >> Robert
>> >>
>>
>> You have to get the "issuer" certs from RedHat (download from web?) and
>> add it to your trusted CA store
>> Robert
>>

The gpg key is not the problem right now.... The SSL chain cannot be built and verified.

You have to get that fixed first.

Robert
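
The failure discussed in this thread (an issuer missing from the trusted CA bundle, then added to it) can be reproduced offline with `openssl verify`. This is an added example, not part of the original messages; the CA names, the host name `repo.example.test` and all file names are constructed, and nothing in it is Red Hat's or Google's real PKI.

```shell
#!/usr/bin/env bash
# Added example: every key, certificate and name is constructed in a temp dir.
set -u
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_ca NAME: self-signed CA certificate with explicit CA extensions.
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' "CN=$1" '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign' > "$workdir/$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$workdir/$1.cnf" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

# make_server_cert CA_NAME: leaf for repo.example.test issued by that CA.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -config "$workdir/$1.cnf" \
        -subj "/CN=repo.example.test" \
        -keyout "$workdir/srv.key" -out "$workdir/srv.csr" 2>/dev/null
    openssl x509 -req -in "$workdir/srv.csr" -days 1 -CAcreateserial \
        -CA "$workdir/$1.pem" -CAkey "$workdir/$1.key" \
        -out "$workdir/srv.pem" 2>/dev/null
}

# chain_status BUNDLE CERT: can a chain be built from CERT to a CA in BUNDLE?
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# demo: the bundle first lacks the issuer (the state curl reports as
# SEC_ERROR_UNTRUSTED_ISSUER), then the issuer's CA certificate is appended.
demo() {
    make_ca unrelated-ca && make_ca example-issuing-ca || return 1
    make_server_cert example-issuing-ca || return 1
    cp "$workdir/unrelated-ca.pem" "$workdir/bundle.crt"
    before=$(chain_status "$workdir/bundle.crt" "$workdir/srv.pem")
    cat "$workdir/example-issuing-ca.pem" >> "$workdir/bundle.crt"
    after=$(chain_status "$workdir/bundle.crt" "$workdir/srv.pem")
    echo "$before -> $after"
}

demo
```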



