[Spacewalk-list] Certificat problem by client installation

Jérôme Meyer Jerome.Meyer at lcsystems.ch
Wed May 9 11:47:42 UTC 2018


Hi Robert,

Thanks for contacting.
I've configured a static entry in /etc/hosts and tested it, but unfortunately the spacecmd result is the same.
Oddly this URL (https://<dev_spacewalk>.local/rpc/api) works directly with a web browser (only http: certificate invalid)

Best regards,
Jérôme Meyer





-----Original Message-----
From: Robert Paschedag [mailto:robert.paschedag at web.de] 
Sent: Tuesday, 8 May 2018 20:28
To: spacewalk-list at redhat.com; Jérôme Meyer; 'spacewalk-list at redhat.com'
Subject: Re: [Spacewalk-list] Certificat problem by client installation

On 8 May 2018 20:18:41 CEST, Robert Paschedag <robert.paschedag at web.de> wrote:
>On 8 May 2018 19:00:53 CEST, "Jérôme Meyer" <Jerome.Meyer at lcsystems.ch> wrote:
>>Dear All,
>>
>>Because our customer has an issue with his prod_spacewalk server when 
>>creating a new system, we decided to clone it as dev_system to do some 
>>testing and troubleshoot this problem.
>>The clone and the configuration of dev_spacewalk were done successfully.
>>
>>Version:
>>==================================
>>dev_spacewalk : CentOS 7.4.1708
>>spacewalk ver.: 2.4
>>
>>Steps
>>==================================
>>1) server successfully cloned
>>2) Changed the hostname in the configuration file
>>3) Ran the script with the new IP address:
>>/usr/bin/spacewalk-hostname-rename <ip>
>>3.1) a new SSL certificate was created
>>3.2) a private CA key was generated:
>>     Generating private CA key: /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
>>4) Configured jabber to use the PostgreSQL backend because of some issue.
>>5) Successfully started the service:
>>
>>Error
>>==================================
>>
>>Now we've created a new dev_server and, after the installation, we 
>>received an error in the kickstart logs:
>>
>>ERROR: Failed to connect to https://<dev_spacewalk>.local/rpc/api
>>
>>I ran another test from this new machine:
>>
>><dev_server># spacecmd -s <dev_spacewalk> -u admin -p $(echo passwd | openssl enc -aes-128-cbc -a -d -salt -pass pass:XXXX) --debug
>>DEBUG: : False
>>DEBUG: Read configuration from /root/.spacecmd/config
>>DEBUG: Loading configuration section [spacecmd]
>>DEBUG: Current Configuration: {'username': 'admin', 'password': '***********', 'server': 'dev_spacewalk'}
>>Welcome to spacecmd, a command-line interface to Spacewalk.
>>
>>Type: 'help' for a list of commands
>>      'help <cmd>' for command-specific help
>>      'quit' to quit
>>
>>DEBUG: Configuration section [dev_spacewalk] does not exist
>>DEBUG: Connecting to https://dev_spacewalk/rpc/api
>>ERROR: <class 'ssl.SSLError'>
>>Traceback (most recent call last):
>>  File "/usr/lib/python2.7/site-packages/spacecmd/misc.py", line 284, in do_login
>>    self.api_version = self.client.api.getVersion()
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
>>    return self.__send(self.__name, args)
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
>>    verbose=self.__verbose
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
>>    return self.single_request(host, handler, request_body, verbose)
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1301, in single_request
>>    self.send_content(h, request_body)
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1448, in send_content
>>    connection.endheaders(request_body)
>>  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
>>    self._send_output(message_body)
>>  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
>>    self.send(msg)
>>  File "/usr/lib64/python2.7/httplib.py", line 826, in send
>>    self.connect()
>>  File "/usr/lib64/python2.7/httplib.py", line 1236, in connect
>>    server_hostname=sni_hostname)
>>  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
>>    _context=self)
>>  File "/usr/lib64/python2.7/ssl.py", line 611, in __init__
>>    self.do_handshake()
>>  File "/usr/lib64/python2.7/ssl.py", line 833, in do_handshake
>>    self._sslobj.do_handshake()
>>SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
>>ERROR: Failed to connect to https://<dev_spacewalk>/rpc/api
>>
>>Questions
>>==================================
>>
>>1) How can I check if the certificates are OK?
>>2) Is it a certificate problem or a Spacewalk problem? Any idea how I can 
>>debug this?
>>3) Our customer is using a self-signed certificate, so I don't think 
>>that it is a CA certificate problem?
>>4) All certificates looked OK, but this file did not. I don't really know how it
>>is created:
>>
>><dev_server># cat /tmp/ssl-key-1
>>Certificate:
>>    Data:
>>        Version: 3 (0x2)
>>        Serial Number: 13876969005773671483 (0xc094e5c9943ecc3b)
>>    Signature Algorithm: sha1WithRSAEncryption
>>        Issuer: C=CH, ST=XXXXX, L=XXXX, O=XXXX, OU=XX, CN=<prod_spacewalk>.local
>
>Your cert is created for "prod_spacewalk.local" but you are connecting 
>to a totally different name ("dev_spacewalk" (without .local)) and 
>expect it to verify...
>
>How should this work?????
>
>
>Even if you are using the correct name to connect.... Does your new 
>"client" "trust" the SW CA?
>
>Normally... the SW clients use the RHN-TRUSTED-SSL-CERT file that is 
>stored in /usr/share/rhn as CA store to "verify" the connection (tools 
>like "rhn_check")
>
>Robert

To quickly test from the new client.... Modify its /etc/hosts file and set a static entry for "prod_spacewalk.local" and set its IP to the IP of "dev_spacewalk". In case you're trusting SW's CA cert, SSL should work.

Robert

>
>
>
>
>>        Validity
>>            Not Before: Nov  4 10:50:35 2015 GMT
>>            Not After : Oct 29 10:50:35 2036 GMT
>>        Subject: C=XX, ST=XXXXX, L=XXXX, O=XXXX, OU=XX, CN=<prod_spacewalk>.local
>>        Subject Public Key Info:
>>            ...
>>-----END CERTIFICATE-----
>>
>>
>>Thank you for your help in advance,
>>
>>Best regard,
>>
>>Jérôme Meyer
>>System Engineer
>
>
>--
>sent from my mobile device
>


--
sent from my mobile device
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5165 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20180509/323f6ab6/attachment.p7s>
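
Added example (not part of the original thread, and not Spacewalk's own tooling): the two separate failure causes raised in the reply above, a URL hostname that does not match the certificate and a client that does not trust the signing CA, checked with openssl against a throwaway CA and server certificate. The names prod-spacewalk.local and dev-spacewalk.local and every generated file are constructed stand-ins for the hosts in the thread.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI; all names below are stand-ins.
WORK=$(mktemp -d)
PROD=prod-spacewalk.local   # name the cloned server's certificate was issued for
DEV=dev-spacewalk.local     # name the new client actually connects to

make_ca() {  # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_server_cert() {  # server certificate for $PROD, signed by the "sw" CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$PROD" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/sw.pem" -CAkey "$WORK/sw.key" \
    -CAcreateserial -days 2 -out "$WORK/srv.pem" 2>/dev/null
}

# Classify the outcome the way a verifying client would see it.
diagnose() {  # $1 = hostname in the URL, $2 = CA file the client trusts
  if ! openssl verify -CAfile "$2" "$WORK/srv.pem" >/dev/null 2>&1; then
    echo "untrusted-ca"          # chain does not lead to the trusted CA
  elif ! openssl x509 -in "$WORK/srv.pem" -noout -checkhost "$1" \
         | grep -q "does match"; then
    echo "name-mismatch"         # chain is fine, but the cert names another host
  else
    echo "ok"
  fi
}

make_ca sw "Constructed Spacewalk CA"      # stands in for the Spacewalk CA file
make_ca other "Constructed Unrelated CA"   # a CA the server cert was NOT signed by
make_server_cert

# Show whom the certificate was issued to and by, then the three cases.
openssl x509 -in "$WORK/srv.pem" -noout -subject -issuer -enddate
echo "connect as $DEV,  trust sw CA    -> $(diagnose "$DEV"  "$WORK/sw.pem")"
echo "connect as $PROD, trust other CA -> $(diagnose "$PROD" "$WORK/other.pem")"
echo "connect as $PROD, trust sw CA    -> $(diagnose "$PROD" "$WORK/sw.pem")"
```

Only the last case passes, which is the situation the /etc/hosts test in the thread tries to reproduce: the name the client connects to equals the certificate's CN and the client trusts the CA that signed it.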

