[Spacewalk-list] Certificate problem by client installation

Robert Paschedag robert.paschedag at web.de
Tue May 8 18:18:41 UTC 2018


On 8 May 2018 19:00:53 CEST, "Jérôme Meyer" <Jerome.Meyer at lcsystems.ch> wrote:
>Dear All,
>
>Because our customer has some issue with his prod_spacewalk server when
>creating new systems, we decided to clone it as dev_system to do some
>tests and troubleshoot this problem.
>The clone and configuration to dev_spacewalk were done successfully.
>
>Version:
>==================================
>dev_spacewalk : CentOS 7.4.1708
>spacewalk ver.: 2.4
>
>Steps
>==================================
>1) server successfully cloned
>2) Change hostname in the configuration file
>3) run the script with the new IP address:
>/usr/bin/spacewalk-hostname-rename <ip>
>3.1) a new SSL certificate was created
>3.2) a private CA key was generated:
>     Generating private CA key: /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
>4) Configuring jabber to use the PostgreSQL backend because of some issue.
>5) Successfully started the service:
>
>Error
>==================================
>
>Now, we've created a new dev_server and after the installation, we
>got an error in the kickstart logs:
>
>ERROR: Failed to connect to https://<dev_spacewalk>.local/rpc/api
>
>I've done another test from this new machine:
>
><dev_server># spacecmd -s <dev_spacewalk> -u admin -p $(echo passwd |
>openssl enc -aes-128-cbc -a -d -salt -pass pass:XXXX) --debug
>DEBUG: : False
>DEBUG: Read configuration from /root/.spacecmd/config
>DEBUG: Loading configuration section [spacecmd]
>DEBUG: Current Configuration: {'username': 'admin', 'password':
>'***********', 'server': 'dev_spacewalk'}
>Welcome to spacecmd, a command-line interface to Spacewalk.
>
>Type: 'help' for a list of commands
>      'help <cmd>' for command-specific help
>      'quit' to quit
>
>DEBUG: Configuration section [dev_spacewalk] does not exist
>DEBUG: Connecting to https://dev_spacewalk/rpc/api
>ERROR: <class 'ssl.SSLError'>
>Traceback (most recent call last):
>File "/usr/lib/python2.7/site-packages/spacecmd/misc.py", line 284, in
>do_login
>    self.api_version = self.client.api.getVersion()
>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
>    return self.__send(self.__name, args)
>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
>    verbose=self.__verbose
>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
>    return self.single_request(host, handler, request_body, verbose)
> File "/usr/lib64/python2.7/xmlrpclib.py", line 1301, in single_request
>    self.send_content(h, request_body)
>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1448, in send_content
>    connection.endheaders(request_body)
>  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
>    self._send_output(message_body)
>  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
>    self.send(msg)
>  File "/usr/lib64/python2.7/httplib.py", line 826, in send
>    self.connect()
>  File "/usr/lib64/python2.7/httplib.py", line 1236, in connect
>    server_hostname=sni_hostname)
>  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
>    _context=self)
>  File "/usr/lib64/python2.7/ssl.py", line 611, in __init__
>    self.do_handshake()
>  File "/usr/lib64/python2.7/ssl.py", line 833, in do_handshake
>    self._sslobj.do_handshake()
>SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>(_ssl.c:579)
>ERROR: Failed to connect to https://<dev_spacewalk>/rpc/api
>
>Questions
>==================================
>
>1) How can I check if the certificates are OK?
>2) Is it a certificate problem or a Spacewalk problem? Any idea how I
>can debug this?
>3) Our customer is using a self-signed certificate, so I don't think
>that it is a CA certificate problem?
>4) All certificates looked OK, but this file did not. I don't really
>know how it gets created:
>
><dev_server># cat /tmp/ssl-key-1
>Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 13876969005773671483 (0xc094e5c9943ecc3b)
>    Signature Algorithm: sha1WithRSAEncryption
>Issuer: C=CH, ST=XXXXX, L=XXXX, O=XXXX, OU=XX,
>CN=<prod_spacewalk>.local

Your cert is created for "prod_spacewalk.local" but you are connecting to a totally different name ("dev_spacewalk" (without .local)) and expect it to verify...

How should this work?????


Even if you are using the correct name to connect.... Does your new "client" "trust" the SW CA?

Normally... the SW clients use the RHN-TRUSTED-SSL-CERT file that is stored in /usr/share/rhn as CA store to "verify" the connection (tools like "rhn_check")

Robert




>        Validity
>            Not Before: Nov  4 10:50:35 2015 GMT
>            Not After : Oct 29 10:50:35 2036 GMT
>Subject: C=XX, ST=XXXXX, L=XXXX, O=XXXX, OU=XX,
>CN=<prod_spacewalk>.local
>        Subject Public Key Info:
>            ...
>-----END CERTIFICATE-----
>
>
>Thank you for your help in advance,
>
>Best regard,
>
>Jérôme Meyer
>System Engineer


-- 
sent from my mobile device
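
The two checks raised in the reply above (does the certificate name match the host the client connects to, and does the client trust the issuing CA), as an added shell example that is not part of the original thread. The CA, the host names `prod-spacewalk.local` and `dev-spacewalk`, and the functions `make_lab` and `check_cert` are constructed for illustration; on a real client the CA file would be the RHN-TRUSTED-SSL-CERT file mentioned in the reply.

```shell
#!/bin/sh
# Added example: reproduces the failure from the thread with throwaway,
# constructed certificates, then runs the two checks a client performs.
set -eu

# make_lab DIR: build a constructed CA, a server cert issued for the
# *prod* name (as on the cloned server), and an unrelated second CA.
make_lab() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Spacewalk CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=prod-spacewalk.local" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# check_cert CAFILE CERT HOSTNAME
# Prints one of: ok | untrusted | name-mismatch
check_cert() {
    ca=$1; cert=$2; host=$3
    # 1) Trust: is the cert signed by a CA in the client's CA file?
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo untrusted
        return 0
    fi
    # 2) Name: does the cert cover the name the client connects to?
    if openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q 'does match'; then
        echo ok
    else
        echo name-mismatch
    fi
}

lab=$(mktemp -d)
make_lab "$lab"
echo "prod name, right CA: $(check_cert "$lab/ca.crt" "$lab/srv.crt" prod-spacewalk.local)"
echo "dev name,  right CA: $(check_cert "$lab/ca.crt" "$lab/srv.crt" dev-spacewalk)"
echo "prod name, wrong CA: $(check_cert "$lab/other.crt" "$lab/srv.crt" prod-spacewalk.local)"
rm -rf "$lab"
```

Either failure on its own is enough to produce `CERTIFICATE_VERIFY_FAILED` in the client, so both checks have to pass for the name actually used in the connection URL.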