[Spacewalk-list] [EXTERNAL] Spacewalk 2.8 - Patching RHEL 6/7 Servers
Raymond Setchfield
raymond.setchfield at gmail.com
Thu Dec 13 11:43:08 UTC 2018
Hi Phil
I would be very interested in knowing if you got this working, as this is
something which I have been attempting to do.
I resolved this issue which you are experiencing by doing the following;
copy the redhat-uep.pem to your spacewalk server to the following location
#> /usr/share/pki/ca-trust-source/anchors/redhat-uep.pem
run
#> update-ca-trust
But from there I ran into authentication issues.
If you get further than I please let me know
Ray
On Thu, Dec 13, 2018 at 11:22 AM P.Cookson at bham.ac.uk <P.Cookson at bham.ac.uk>
wrote:
> Hi Graeme
>
>
>
> Thanks for your response. I could see it was a certificate issue; just not
> so sure how to resolve it.
>
>
>
> After installing Spacewalk 2.8 on a RHEL 7 server I encountered the
> following 3 errors when trying to sync a RHEL 7 repository. I found all the
> resolutions in the lists so thought I’d group them together, here, for
> quick reference.
>
>
>
> Subsequently, I’ve synced the RHEL 7 repository to the Spacewalk server
> and successfully patched a RHEL 7 client system from it tooJ
>
>
>
> *1st SYNC ERROR* - [Errno 14] curl#60 - "Peer's certificate issuer has
> been marked as not trusted by the user."
>
> *Resolution*:
>
> # cp -p /etc/rhsm/ca/redhat-uep.pem /usr/share/pki/ca-trust-source/anchors/
>
> # update-ca-trust
>
>
>
> *2nd SYNC ERROR* - [Errno 14] HTTPS Error 403 – Forbidden
>
> *Resolution*:
>
> Add Red Hat SSL Certificate details to relevant repository configuration
> page in Spacewalk Web UI.
>
> See Robert's instructions, from list, here:
> https://www.redhat.com/archives/spacewalk-list/2016-January/msg00014.html
>
>
>
> *3rd SYNC ERROR* -
> https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os/repodata/repomd.xml:
> [Errno 14] HTTPS Error 404 - Not Found
>
> *Resolution*:
>
> Amend Repository URL
>
> From
> https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os
>
> To https://cdn.redhat.com/content/dist/rhel/server/7/7*S*
> erver/x86_64/os
> <https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os>
>
>
>
> Note, if I’d followed Robert’s instructions, more diligently, I wouldn’t
> have seen this last error!
>
>
>
> I’ve also used a similar configuration for RHEL 6, too, and directly
> synced a RHEL 6 repository then successfully patched a RHEL 6 client system
> from it.
>
>
>
> Hope this is useful to others.
>
>
>
> Regards
>
> Phil
>
>
>
> *From:* spacewalk-list-bounces at redhat.com <
> spacewalk-list-bounces at redhat.com> *On Behalf Of *Graeme Fowler
> *Sent:* 11 December 2018 16:52
> *To:* spacewalk-list at redhat.com
> *Subject:* Re: [Spacewalk-list] [EXTERNAL] Spacewalk 2.8 - Patching RHEL
> 6/7 Servers
>
>
>
> Hi Phil
>
>
>
> The answer is staring you in the face in red: the RHEL repos use a
> certificate which your system doesn’t trust. You’ll need to fetch a copy of
> the cert and install it into your appropriate PKI tools on the Spacewalk
> server (part of the OS, not Spacewalk) to allow it to trust the certificate.
>
>
>
> You’re very much not the only person to have raised this on this mailing
> list – a check of the archives might help you!
>
>
>
> Graeme
>
>
>
>
>
> *From: *<spacewalk-list-bounces at redhat.com> on behalf of "
> P.Cookson at bham.ac.uk" <P.Cookson at bham.ac.uk>
> *Reply-To: *"spacewalk-list at redhat.com" <spacewalk-list at redhat.com>
> *Date: *Tuesday, 11 December 2018 at 16:39
> *To: *"spacewalk-list at redhat.com" <spacewalk-list at redhat.com>
> *Subject: *Re: [Spacewalk-list] [EXTERNAL] Spacewalk 2.8 - Patching RHEL
> 6/7 Servers
>
>
>
> Hi Jeffrey
>
>
>
> I haven’t had much success patching RHEL systems with my original proof of
> concept (PoC) environment that had Spacewalk 2.8 installed on an *OEL* 7
> server.
>
>
>
> I’ve therefore, created a 2nd PoC environment with Spacewalk 2.8
> installed on a *RHEL* 7 server, as you’ve described. I’ve left the RHEL 7
> server repo (rhel-7-server-rpms) with its default configuration, as you
> have below, but when I try and sync I see the following error:
>
>
>
> [root@<server name> yum.repos.d]# *cat
> /var/log/rhn/reposync/rhel7_x86_64.log*
>
> 2018/12/11 15:50:42 +01:00 Command: ['/usr/bin/spacewalk-repo-sync',
> '--channel', 'rhel7_x86_64', '--type', 'yum']
>
> 2018/12/11 15:50:42 +01:00 Sync of channel started.
>
> 2018/12/11 15:50:42 +01:00
>
> 2018/12/11 15:50:42 +01:00 Processing repository with URL:
> https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os
>
> 2018/12/11 15:50:43 +01:00 ERROR: failure: repodata/repomd.xml from
> rhel7_x86_64: [Errno 256] No more mirrors to try.
>
>
> https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os/repodata/repomd.xml:
> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
> trusted by the user."
>
> 2018/12/11 15:50:43 +01:00 ERROR: failure: repodata/repomd.xml from
> rhel7_x86_64: [Errno 256] No more mirrors to try.
>
>
> https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os/repodata/repomd.xml:
> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
> trusted by the user."
>
> 2018/12/11 15:50:43 +01:00 Sync of channel completed in 0:00:00.
>
> [root@<server name>yum.repos.d]#
>
>
>
> Did you perform some additional configuration perhaps/any ideas? Might be
> useful if you could forward a screen dump of your channel/repo setup screen
> for RHEL 7, from the Web UI, too?
>
>
>
> Regards
>
> Phil
>
>
>
>
>
>
>
> *From:* spacewalk-list-bounces at redhat.com <
> spacewalk-list-bounces at redhat.com> *On Behalf Of *
> Jeffrey.Irwin at rivertechllc.com
> *Sent:* 27 November 2018 14:21
> *To:* spacewalk-list at redhat.com
> *Subject:* Re: [Spacewalk-list] [EXTERNAL] Spacewalk 2.8 - Patching RHEL
> 6/7 Servers
>
>
>
> RHEL 6 (my mirror repo) pulling from RH
>
>
>
> [rhel-6-server-rpms]
>
> metadata_expire = 86400
>
> sslclientcert = /etc/pki/entitlement/3922910052842520258.pem
>
> baseurl =
> https://cdn.redhat.com/content/dist/rhel/server/6/$releasever/$basearch/os
>
> ui_repoid_vars = releasever basearch
>
> sslverify = 1
>
> name = Red Hat Enterprise Linux 6 Server (RPMs)
>
> sslclientkey = /etc/pki/entitlement/3922910052842520258-key.pem
>
> gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
>
> enabled = 1
>
> sslcacert = /etc/rhsm/ca/redhat-uep.pem
>
> gpgcheck = 1
>
>
> Spacewalk pulling from mirror (above)
>
> [rhel-6-server-rpms]
>
> name = Red Hat Enterprise Linux 6 Server (RPMs)
>
> baseurl = https://xxx.xxx.xxx.xxx/rhel-6-server-rpms/
>
> enabled = 1
>
> gpgcheck = 1
>
> gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
>
>
>
>
>
> RHEL 7
>
>
>
> [rhel-7-server-rpms]
>
> metadata_expire = 86400
>
> sslclientcert = /etc/pki/entitlement/redhat.pem
>
> baseurl =
> https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os
>
> ui_repoid_vars = releasever basearch
>
> sslverify = 1
>
> name = Red Hat Enterprise Linux 7 Server (RPMs)
>
> sslclientkey = /etc/pki/entitlement/redhat-key.pem
>
> gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
>
> enabled = 1
>
> sslcacert = /etc/rhsm/ca/redhat-uep.pem
>
> gpgcheck = 1
>
>
>
>
>
>
>
>
>
>
>
> ------------------------------
>
> *From:* spacewalk-list-bounces at redhat.com <
> spacewalk-list-bounces at redhat.com> on behalf of P.Cookson at bham.ac.uk <
> P.Cookson at bham.ac.uk>
> *Sent:* Tuesday, November 27, 2018 4:16 AM
> *To:* spacewalk-list at redhat.com
> *Subject:* Re: [Spacewalk-list] [EXTERNAL] Spacewalk 2.8 - Patching RHEL
> 6/7 Servers
>
>
>
> Hi Jeffrey
>
>
>
> Thanks for your reply. It seems I would have been better off by starting
> with installing Spacewalk on a RHEL 7 server rather than an OL 7 server
> then? Can you just clarify/confirm what URL’s you’ve configured for the
> RHEL 6/7 repositories please (obviously, for the RHEL 6 local, just take
> out any sensitive information)?
>
>
>
> Regards
>
> Phil
>
>
>
> *From:* spacewalk-list-bounces at redhat.com <
> spacewalk-list-bounces at redhat.com> *On Behalf Of *
> Jeffrey.Irwin at rivertechllc.com
> *Sent:* 26 November 2018 19:58
> *To:* spacewalk-list at redhat.com
> *Subject:* Re: [Spacewalk-list] [EXTERNAL] Spacewalk 2.8 - Patching RHEL
> 6/7 Servers
>
>
>
> I have been able to do this by building a rhel 6 server and creating a
> local repo mirror. I then created a rhel 7 and installed spacewalk. That
> way i have the entitlements for rhel 6 and 7 covered. From there, I set up
> the channels and pointed the rhel 7 to the redhat network, and the rhel 6
> was pointed to my local repo server. I can now get all the rhel 6 and 7
> patches into spacewalk.
> ------------------------------
>
> *From:* spacewalk-list-bounces at redhat.com <
> spacewalk-list-bounces at redhat.com> on behalf of P.Cookson at bham.ac.uk <
> P.Cookson at bham.ac.uk>
> *Sent:* Monday, November 26, 2018 7:20 AM
> *To:* spacewalk-list at redhat.com
> *Subject:* [EXTERNAL] [Spacewalk-list] Spacewalk 2.8 - Patching RHEL 6/7
> Servers
>
>
>
> Good afternoon
>
>
>
> I’m currently looking in to options for introducing a single centralised
> patching solution for both Oracle Linux 6/7 and RHEL 6/7 systems. There are
> about 100 Oracle Linux servers and 50 RHEL servers. I’m starting with the
> Spacewalk product and therefore, built a proof of concept environment by
> installing Spacewalk 2.8 on an Oracle 7 system. Subsequently, I’ve added
> channels/repositories for Oracle 6/7 and successfully patched a number of
> test client systems.
>
> However, I can’t seem to obtain clear instructions for how to patch RHEL
> 6/7 systems using Spacewalk. I believe the functionality of Red Hat
> Satellite and Spacewalk is basically the same but the ability to connect
> directly to RHN to synchronize software repositories and errata's has been
> disabled. I’ve seen some tentative clues that this can be circumvented as
> well as some reference to using “mrepo” but the latter just seems over
> complicated really.
>
>
>
> Alternatively, if Red Hat Satellite is purchased to patch the RHEL 6/7
> servers, has anyone had success with using it to patch Oracle 6/7 servers?
>
>
>
> In addition to patching, I also need to investigate their provisioning
> capabilities too.
>
>
>
> Regards
>
> Phil
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20181213/ccd590cb/attachment.htm>
More information about the Spacewalk-list
mailing list