[Spacewalk-list] "Peer's certificate issuer has been marked as not trusted by the user."

Vipul Sharma (DevOps) sharma.vipul at in.g4s.com
Thu Nov 2 12:58:58 UTC 2017


Let me check --

Thanks


On Thu, Nov 2, 2017 at 5:32 PM, Robert Paschedag <robert.paschedag at web.de>
wrote:

> On 2 November 2017 at 09:40:02 CET, Robert Paschedag <
> robert.paschedag at web.de> wrote:
> >On 2 November 2017 at 08:47:00 CET, "Vipul Sharma (DevOps)"
> ><sharma.vipul at in.g4s.com> wrote:
> >>Hi,
> >>
> >>I imported the new keyfile downloaded from Red-Hat -
> >>
> >>
> >>
> >>gpg: key FD431D51: public key "Red Hat, Inc. (release key 2) <security at redhat.com>" imported
> >>gpg: Total number processed: 1
> >>gpg:               imported: 1  (RSA: 1)
> >>
> >>
> >>But, If we run gpg --list-keys - It shows me 2 different versions of
> >>that,
> >>What's that about, Any ideas?
> >>
> >>
> >>
> >>
> >>
> >>pub   1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
> >>uid                  Red Hat, Inc (Red Hat Network) <rhn-feedback at redhat.com>
> >>pub   4096R/FD431D51 2009-10-22
> >>uid                  Red Hat, Inc. (release key 2) <security at redhat.com>
> >>
> >>
> >>
> >>Also, I checked ca-bundle.crt, I found no chain for Red-Hat over there
> >>-
> >>
> >>Thanks
> >>Vipul
> >>
> >>On Thu, Nov 2, 2017 at 12:58 PM, Robert Paschedag
> >><robert.paschedag at web.de>
> >>wrote:
> >>
> >>> On 2 November 2017 at 08:24:10 CET, "Vipul Sharma (DevOps)" <
> >>> sharma.vipul at in.g4s.com> wrote:
> >>> >I have tested 2 different URLs -
> >>> >
> >>> >*This one was from your article -*
> >>> >
> >>> >curl -v https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
> >>> >* About to connect() to cdn.redhat.com port 443 (#0)
> >>> >*   Trying 2.16.30.83...
> >>> >* Connected to cdn.redhat.com (2.16.30.83) port 443 (#0)
> >>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
> >>> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >>> >  CApath: none
> >>> >* Server certificate:
> >>> >*       subject: CN=cdn.redhat.com,OU=Red Hat Network,O=Red Hat,L=Raleigh,ST=North Carolina,C=US
> >>> >*       start date: May 14 19:48:02 2014 GMT
> >>> >*       expire date: May 11 19:48:02 2024 GMT
> >>> >*       common name: cdn.redhat.com
> >>> >*       issuer: E=ca-support at redhat.com,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
> >>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
> >>> >* Peer's certificate issuer has been marked as not trusted by the user.
> >>> >* Closing connection 0
> >>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
> >>> >
> >>> >-----------------------------------------------------------
> >>> >
> >>> >*This is from Google-Cloud - Pretty much the same result -*
> >>> >
> >>> >curl -v https://cds.rhel.updates.googlecloud.com/pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/os/repodata/repomd.xml
> >>> >* About to connect() to cds.rhel.updates.googlecloud.com port 443 (#0)
> >>> >*   Trying 23.236.57.179...
> >>> >* Connected to cds.rhel.updates.googlecloud.com (23.236.57.179) port 443 (#0)
> >>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
> >>> >*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >>> >  CApath: none
> >>> >* Server certificate:
> >>> >*       subject: CN=cds.rhel.updates.googlecloud.com,OU=SomeOrgUnit,O=SomeOrg,ST=North Carolina,C=US
> >>> >*       start date: Sep 23 05:18:30 2017 GMT
> >>> >*       expire date: Sep 25 05:18:30 2037 GMT
> >>> >*       common name: cds.rhel.updates.googlecloud.com
> >>> >*       issuer: CN=RHUI Certificate Authority,OU=SomeOrgUnit,O=SomeOrg,L=Raleigh,ST=North Carolina,C=US
> >>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
> >>> >* Peer's certificate issuer has been marked as not trusted by the user.
> >>> >* Closing connection 0
> >>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
> >>> >
> >>> >Thanks
> >>> >
> >>> >On Thu, Nov 2, 2017 at 12:36 PM, Robert Paschedag
> >>> ><robert.paschedag at web.de>
> >>> >wrote:
> >>> >
> >>> >> On 2 November 2017 at 07:29:16 CET, "Vipul Sharma (DevOps)" <
> >>> >> sharma.vipul at in.g4s.com> wrote:
> >>> >> >In spacewalk, I had to manually create this file -->
> >>> >> >*file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release*, & then copy/pasted
> >>> >> >the KEY from RHEL server to this location in Spacewalk server.
> >>> >> >
> >>> >> >Some Doubts :-
> >>> >> >
> >>> >> >Does this require importing this file?
> >>> >> >
> >>> >> >I'm running spacewalk without CA certified certificate. Does that
> >>> >> >impact the overall config for RHEL Repo in Spacewalk?
> >>> >> >
> >>> >> >Thanks
> >>> >> >Vipul
> >>> >> >
> >>> >> >On Thu, Nov 2, 2017 at 11:49 AM, Robert Paschedag
> >>> >> ><robert.paschedag at web.de>
> >>> >> >wrote:
> >>> >> >
> >>> >> >> On 2 November 2017 at 05:13:12 CET, "Vipul Sharma (DevOps)" <
> >>> >> >> sharma.vipul at in.g4s.com> wrote:
> >>> >> >> >Hi Michael,
> >>> >> >> >
> >>> >> >> >We are using registered system through 'Google-Cloud' - I have copied
> >>> >> >> >everything very carefully from RHEL.repo into spacewalk, Including all
> >>> >> >> >the .cert & .pem files.
> >>> >> >> >
> >>> >> >> >Just unable to figure out what's wrong with it for the time being -
> >>> >> >> >
> >>> >> >> >Thanks
> >>> >> >> >
> >>> >> >> >On Wed, Nov 1, 2017 at 5:36 PM, Michael Mraka
> >>> >> >> ><michael.mraka at redhat.com>
> >>> >> >> >wrote:
> >>> >> >> >
> >>> >> >> >> Vipul Sharma (DevOps):
> >>> >> >> >> > Hi Robert,
> >>> >> >> >> >
> >>> >> >> >> > I need your 'HELP' - I went according to your configuration for
> >>> >> >> >> > downloading RHEL repos into 'Spacewalk'  - But, I'm facing some issues
> >>> >> >> >> > while doing that, Can you be humble enough to take a look into my issue --
> >>> >> >> >> >
> >>> >> >> >> > *This is the error -*
> >>> >> >> >> >
> >>> >> >> >> > 10:01:26 | Channel: rhel-base
> >>> >> >> >> > 10:01:26 ======================================
> >>> >> >> >> > 10:01:26 Sync of channel started.
> >>> >> >> >> > 10:01:26 Repo URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
> >>> >> >> >> > 10:01:27 ERROR: failure: repodata/repomd.xml from content_dist_rhel_server_7_7Server_x86_64_os: [Errno 256] No more mirrors to try.
> >>> >> >> >> > https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
> >>> >> >> >> > 10:01:27 Sync of channel completed in 0:00:00.
> >>> >> >> >> > 10:01:27 Total time: 0:00:00
> >>> >> >> >> >
> >>> >> >> >> > ---------------------------------------------
> >>> >> >> >> >
> >>> >> >> >> > My Spacewalk server is running unauthorized CA-CERT, Is this because of
> >>> >> >> >> > that ?
> >>> >> >> >>
> >>> >> >> >> You need a proper Red Hat Subscription to be able to download Red Hat
> >>> >> >> >> content from CDN.
> >>> >> >> >>
> >>> >> >> >> Regards,
> >>> >> >> >>
> >>> >> >> >> --
> >>> >> >> >> Michael Mráka
> >>> >> >> >> System Management Engineering, Red Hat
> >>> >> >> >>
> >>> >> >> >> _______________________________________________
> >>> >> >> >> Spacewalk-list mailing list
> >>> >> >> >> Spacewalk-list at redhat.com
> >>> >> >> >> https://www.redhat.com/mailman/listinfo/spacewalk-list
> >>> >> >>
> >>> >> >> For me, this sounds as one of the "signing" CA of RedHat's servers is not
> >>> >> >> trusted by "you".
> >>> >> >>
> >>> >> >> Robert
> >>> >> >>
> >>> >>
> >>> >> Please try to curl the URL.
> >>> >>
> >>> >> curl -vv -1 https://....
> >>> >>
> >>> >> See the same error?
> >>> >>
> >>> >> Robert
> >>> >>
> >>>
> >>> You have to get the "issuer" certs from RedHat (download from web?) and
> >>> add it to your trusted CA store
> >>> Robert
> >>>
> >
> >The gpg key is not the problem right now.... The SSL chain cannot be
> >built and verified.
> >
> >You have to get that fixed first.
> >
> >Robert
> >
>
> Maybe this helps
>
> https://access.redhat.com/solutions/189533
>
> https://de.ssl-tools.net/subjects/477571e8e2bee6b9c91352413ac776ab13d1957b
>
> Robert
>

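Added example (not part of the thread, and not Spacewalk or Red Hat code): the failure discussed above, a server certificate whose issuer is absent from the CA bundle, reproduced offline with openssl instead of curl/NSS. The CA, host name and file names are constructed for the demo; bundle_has_issuer and chain_verifies are hypothetical helper names.

```sh
#!/bin/sh
# Added example; every subject, host name and file below is constructed for the demo.
set -eu

make_demo_pki() {            # $1 = empty work directory
    d=$1
    # Private issuing CA: stands in for an issuer that is missing from the bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example Org/CN=Example Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Unrelated root: plays the role of a CA bundle that lacks the issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example Org/CN=Unrelated Root" \
        -keyout "$d/other.key" -out "$d/bundle.pem" 2>/dev/null
    # Server certificate signed by the private CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=repo.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

bundle_has_issuer() {        # $1 = PEM bundle, $2 = certificate; 0 if its issuer is in the bundle
    want=$(openssl x509 -in "$2" -noout -issuer_hash)
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate, then compare name hashes.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/" n ".pem") }' "$1"
    found=1
    for c in "$tmp"/*.pem; do
        if [ "$(openssl x509 -in "$c" -noout -subject_hash 2>/dev/null)" = "$want" ]; then
            found=0
        fi
    done
    rm -rf "$tmp"
    return $found
}

chain_verifies() {           # $1 = PEM bundle, $2 = certificate; trusts only what is in $1
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"
openssl x509 -in "$work/leaf.pem" -noout -subject -issuer
if ! bundle_has_issuer "$work/bundle.pem" "$work/leaf.pem"; then
    echo "issuer not in bundle: chain cannot be built"
fi
cat "$work/bundle.pem" "$work/ca.pem" > "$work/fixed.pem"
if chain_verifies "$work/fixed.pem" "$work/leaf.pem"; then
    echo "chain verifies once the issuing CA is in the bundle"
fi
```

On RHEL/CentOS 7 the system bundle at /etc/pki/tls/certs/ca-bundle.crt is regenerated by update-ca-trust from /etc/pki/ca-trust/source/anchors/ rather than edited by hand; a CA can also be handed to a single curl call with --cacert.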