[Spacewalk-list] "Peer's certificate issuer has been marked as not trusted by the user."

Robert Paschedag robert.paschedag at web.de
Thu Nov 2 12:02:17 UTC 2017


On 2 November 2017 09:40:02 CET, Robert Paschedag <robert.paschedag at web.de> wrote:
>On 2 November 2017 08:47:00 CET, "Vipul Sharma (DevOps)"
><sharma.vipul at in.g4s.com> wrote:
>>Hi,
>>
>>I imported the new keyfile downloaded from Red-Hat -
>>
>>
>>
>>gpg: key FD431D51: public key "Red Hat, Inc. (release key 2) <security at redhat.com>" imported
>>gpg: Total number processed: 1
>>gpg:               imported: 1  (RSA: 1)
>>
>>
>>But, If we run gpg --list-keys - It shows me 2 different versions of
>>that,
>>What's that about, Any ideas?
>>
>>
>>
>>
>>
>>pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
>>uid                  Red Hat, Inc (Red Hat Network) <rhn-feedback at redhat.com>
>>pub   4096R/FD431D51 2009-10-22
>>uid                  Red Hat, Inc. (release key 2) <security at redhat.com>
>>
>>
>>
>>Also, I checked ca-bundle.crt, I found no chain for Red-Hat over there -
>>
>>Thanks
>>Vipul
>>
>>On Thu, Nov 2, 2017 at 12:58 PM, Robert Paschedag
>><robert.paschedag at web.de>
>>wrote:
>>
>>> On 2 November 2017 08:24:10 CET, "Vipul Sharma (DevOps)"
>>> <sharma.vipul at in.g4s.com> wrote:
>>> >I have tested 2 different URLs -
>>> >
>>> >*This one was from your article -*
>>> >
>>> >curl -v https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>> >* About to connect() to cdn.redhat.com port 443 (#0)
>>> >*   Trying 2.16.30.83...
>>> >* Connected to cdn.redhat.com (2.16.30.83) port 443 (#0)
>>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>> >  CApath: none
>>> >* Server certificate:
>>> >*       subject: CN=cdn.redhat.com,OU=Red Hat Network,O=Red Hat,L=Raleigh,ST=North Carolina,C=US
>>> >*       start date: May 14 19:48:02 2014 GMT
>>> >*       expire date: May 11 19:48:02 2024 GMT
>>> >*       common name: cdn.redhat.com
>>> >*       issuer: E=ca-support at redhat.com,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
>>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>>> >* Peer's certificate issuer has been marked as not trusted by the user.
>>> >* Closing connection 0
>>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>>> >
>>> >-----------------------------------------------------------
>>> >
>>> >*This is from Google-Cloud - Pretty much the same result -*
>>> >
>>> >curl -v https://cds.rhel.updates.googlecloud.com/pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/os/repodata/repomd.xml
>>> >* About to connect() to cds.rhel.updates.googlecloud.com port 443 (#0)
>>> >*   Trying 23.236.57.179...
>>> >* Connected to cds.rhel.updates.googlecloud.com (23.236.57.179) port 443 (#0)
>>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>> >  CApath: none
>>> >* Server certificate:
>>> >*       subject: CN=cds.rhel.updates.googlecloud.com,OU=SomeOrgUnit,O=SomeOrg,ST=North Carolina,C=US
>>> >*       start date: Sep 23 05:18:30 2017 GMT
>>> >*       expire date: Sep 25 05:18:30 2037 GMT
>>> >*       common name: cds.rhel.updates.googlecloud.com
>>> >*       issuer: CN=RHUI Certificate Authority,OU=SomeOrgUnit,O=SomeOrg,L=Raleigh,ST=North Carolina,C=US
>>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>>> >* Peer's certificate issuer has been marked as not trusted by the user.
>>> >* Closing connection 0
>>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>>> >
>>> >Thanks
>>> >
>>> >On Thu, Nov 2, 2017 at 12:36 PM, Robert Paschedag
>>> ><robert.paschedag at web.de>
>>> >wrote:
>>> >
>>> >> On 2 November 2017 07:29:16 CET, "Vipul Sharma (DevOps)"
>>> >> <sharma.vipul at in.g4s.com> wrote:
>>> >> >In spacewalk, I had to manually create this file -->
>>> >> >*file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release*, & then copy/pasted the
>>> >> >KEY from RHEL server to this location in Spacewalk server.
>>> >> >
>>> >> >Some Doubts :-
>>> >> >
>>> >> >Does this require importing this file ??
>>> >> >
>>> >> >I'm running spacewalk without CA certified certificate, Does that impact
>>> >> >the overall config for RHEL Repo in Spacewalk.
>>> >> >
>>> >> >Thanks
>>> >> >Vipul
>>> >> >
>>> >> >On Thu, Nov 2, 2017 at 11:49 AM, Robert Paschedag
>>> >> ><robert.paschedag at web.de>
>>> >> >wrote:
>>> >> >
>>> >> >> On 2 November 2017 05:13:12 CET, "Vipul Sharma (DevOps)"
>>> >> >> <sharma.vipul at in.g4s.com> wrote:
>>> >> >> >Hi Michael,
>>> >> >> >
>>> >> >> >We are using registered system through 'Google-Cloud' - I have copied
>>> >> >> >everything very carefully from RHEL.repo into spacewalk, Including all the
>>> >> >> >.cert & .pem files.
>>> >> >> >
>>> >> >> >Just unable to figure out what's wrong with it for the time being -
>>> >> >> >
>>> >> >> >Thanks
>>> >> >> >
>>> >> >> >On Wed, Nov 1, 2017 at 5:36 PM, Michael Mraka
>>> >> >> ><michael.mraka at redhat.com>
>>> >> >> >wrote:
>>> >> >> >
>>> >> >> >> Vipul Sharma (DevOps):
>>> >> >> >> > Hi Robert,
>>> >> >> >> >
>>> >> >> >> > I need your 'HELP' - I went according to your configuration for downloading
>>> >> >> >> > RHEL repos into 'Spacewalk'  - But, I'm facing some issues while doing
>>> >> >> >> > that, Can you be humble enough to take a look into my issue --
>>> >> >> >> >
>>> >> >> >> > *This is the error -*
>>> >> >> >> >
>>> >> >> >> > 10:01:26 | Channel: rhel-base
>>> >> >> >> > 10:01:26 ======================================
>>> >> >> >> > 10:01:26 Sync of channel started.
>>> >> >> >> > 10:01:26 Repo URL:
>>> >> >> >> > https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>> >> >> >> > 10:01:27 ERROR: failure: repodata/repomd.xml from
>>> >> >> >> > content_dist_rhel_server_7_7Server_x86_64_os: [Errno 256] No more mirrors to try.
>>> >> >> >> > *https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
>>> >> >> >> > [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."*
>>> >> >> >> > 10:01:27 Sync of channel completed in 0:00:00.
>>> >> >> >> > 10:01:27 Total time: 0:00:00
>>> >> >> >> >
>>> >> >> >> > ---------------------------------------------
>>> >> >> >> >
>>> >> >> >> > My Spacewalk server is running unauthorized CA-CERT, Is this because of
>>> >> >> >> > that ?
>>> >> >> >>
>>> >> >> >> You need a proper Red Hat Subscription to be able to download Red Hat
>>> >> >> >> content from CDN.
>>> >> >> >>
>>> >> >> >> Regards,
>>> >> >> >>
>>> >> >> >> --
>>> >> >> >> Michael Mráka
>>> >> >> >> System Management Engineering, Red Hat
>>> >> >> >>
>>> >> >> >> _______________________________________________
>>> >> >> >> Spacewalk-list mailing list
>>> >> >> >> Spacewalk-list at redhat.com
>>> >> >> >> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>> >> >>
>>> >> >> For me, this sounds as one of the "signing" CA of RedHat's servers is not
>>> >> >> trusted by "you".
>>> >> >>
>>> >> >> Robert
>>> >> >>
>>> >>
>>> >> Please try to curl the URL.
>>> >>
>>> >> curl -vv -1 https://....
>>> >>
>>> >> See the same error?
>>> >>
>>> >> Robert
>>> >>
>>>
>>> You have to get the "issuer" certs from RedHat (download from web?) and
>>> add it to your trusted CA store
>>> Robert
>>>
>
>Not the gpg key is the problem right now.... The SSL chain cannot be
>built and verified.
>
>You have to get that fixed first.
>
>Robert
>

Maybe this helps

https://access.redhat.com/solutions/189533

https://de.ssl-tools.net/subjects/477571e8e2bee6b9c91352413ac776ab13d1957b

Robert
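
Added example, not part of the original thread: the failure discussed above (the server certificate's issuer is not in the CA bundle, so the chain cannot be built) reproduced offline with a throwaway CA, followed by the fix of adding the issuer certificate to the bundle. All subject names, file names and the helper functions are constructed for this illustration; `openssl` is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: reproduce an "untrusted issuer" failure offline, then fix it by
# adding the issuer certificate to the CA bundle. All names are constructed.
workdir=$(mktemp -d)

make_pki() {
  # Private CA: stands in for an issuer that is missing from the CA bundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Org/CN=Example Private CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
  # Server certificate issued by that private CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=repo.example.test" \
    -keyout "$workdir/srv.key" -out "$workdir/srv.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/srv.csr" -days 1 \
    -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" -CAcreateserial \
    -out "$workdir/srv.pem" 2>/dev/null
  # Unrelated self-signed root: plays the role of the existing CA bundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Unrelated Root" \
    -keyout "$workdir/other.key" -out "$workdir/bundle.pem" 2>/dev/null
}

# Issuer DN of the server certificate: the CA that has to be obtained and trusted.
show_issuer() { openssl x509 -in "$workdir/srv.pem" -noout -issuer; }

# Succeeds only if the server certificate chains to a CA in bundle file $1.
chain_ok() { openssl verify -CAfile "$1" "$workdir/srv.pem" >/dev/null 2>&1; }

# The fix: append the issuer's certificate $2 to bundle file $1.
trust_issuer() { cat "$2" >> "$1"; }

make_pki
show_issuer
chain_ok "$workdir/bundle.pem" && echo "before: chain verified" || echo "before: issuer not trusted"
trust_issuer "$workdir/bundle.pem" "$workdir/ca.pem"
chain_ok "$workdir/bundle.pem" && echo "after: chain verified" || echo "after: issuer not trusted"
```

Against a live repository the equivalent check is `curl -v --cacert <bundle> <repo URL>`, where the bundle contains the certificate of the issuer named in the curl output.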
