[Spacewalk-list] Certificat problem by client installation

Robert Paschedag robert.paschedag at web.de
Wed May 9 14:49:16 UTC 2018



> Sent: Wednesday, 9 May 2018 at 13:47
> From: "Jérôme Meyer" <Jerome.Meyer at lcsystems.ch>
> To: "'Robert Paschedag'" <robert.paschedag at web.de>, "spacewalk-list at redhat.com" <spacewalk-list at redhat.com>, "'spacewalk-list at redhat.com'" <spacewalk-list at redhat.com>
> Subject: RE: [Spacewalk-list] Certificat problem by client installation
>
> Hi Robert,
> 
> Thanks for contacting.
> I've configured a static entry in /etc/hosts and tested it, but unfortunately the spacecmd result is the same.
> Oddly, this URL (https://<dev_spacewalk>.local/rpc/api) works directly with a web browser (only http: certificate invalid).
> 
> Best regards,
> Jérôme Meyer
> 
> 
Well Jérôme.....you got it wrong.

You need to connect (and re-run your tests) to "prod_spacewalk.local"! That's why you made the static entry within /etc/hosts.
So when you now say...."go to prod_spacewalk.local", your client is connecting to your "dev_spacewalk" system.
Then there should not be an SSL error if the name you used to connect is EXACTLY THE SAME as the name within the SSL (CN=...).
Robert

> 
> 
> 
> -----Original Message-----
> From: Robert Paschedag [mailto:robert.paschedag at web.de] 
> Sent: Tuesday, 8 May 2018 20:28
> To: spacewalk-list at redhat.com; Jérôme Meyer; 'spacewalk-list at redhat.com'
> Subject: Re: [Spacewalk-list] Certificat problem by client installation
> 
> On 8 May 2018 20:18:41 CEST, Robert Paschedag <robert.paschedag at web.de> wrote:
> >On 8 May 2018 19:00:53 CEST, "Jérôme Meyer"
> ><Jerome.Meyer at lcsystems.ch> wrote:
> >>Dear All,
> >>
> >>Because our customer has some issues with his prod_spacewalk server when
> >>creating new systems, we decided to clone it as dev_system to do some
> >>tests and troubleshoot this problem.
> >>Cloning and configuration of dev_spacewalk was successfully done.
> >>
> >>Version:
> >>==================================
> >>dev_spacewalk : CentOS 7.4.1708
> >>spacewalk ver.: 2.4
> >>
> >>Steps
> >>==================================
> >>1) server successfully cloned
> >>2) Changed the hostname in the configuration files
> >>3) Ran the script with the new IP address:
> >>/usr/bin/spacewalk-hostname-rename <ip>
> >>3.1) a new SSL certificate was created
> >>3.2) a private CA key was generated:
> >>     Generating private CA key: /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
> >>4) Configured jabber to use the PostgreSQL backend because of some issue.
> >>5) Successfully started the service.
> >>
> >>Error
> >>==================================
> >>
> >>Now we've created a new dev_server, and after the installation we
> >>received this error in the kickstart logs:
> >>
> >>ERROR: Failed to connect to https://<dev_spacewalk>.local/rpc/api
> >>
> >>I've done another test from this new machine:
> >>
> >><dev_server># spacecmd -s <dev_spacewalk> -u admin -p $(echo passwd | openssl enc -aes-128-cbc -a -d -salt -pass pass:XXXX) --debug
> >>DEBUG: : False
> >>DEBUG: Read configuration from /root/.spacecmd/config
> >>DEBUG: Loading configuration section [spacecmd]
> >>DEBUG: Current Configuration: {'username': 'admin', 'password': '***********', 'server': 'dev_spacewalk'}
> >>Welcome to spacecmd, a command-line interface to Spacewalk.
> >>
> >>Type: 'help' for a list of commands
> >>      'help <cmd>' for command-specific help
> >>      'quit' to quit
> >>
> >>DEBUG: Configuration section [dev_spacewalk] does not exist
> >>DEBUG: Connecting to https://dev_spacewalk/rpc/api
> >>ERROR: <class 'ssl.SSLError'>
> >>Traceback (most recent call last):
> >>  File "/usr/lib/python2.7/site-packages/spacecmd/misc.py", line 284, in do_login
> >>    self.api_version = self.client.api.getVersion()
> >>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
> >>    return self.__send(self.__name, args)
> >>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
> >>    verbose=self.__verbose
> >>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
> >>    return self.single_request(host, handler, request_body, verbose)
> >>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1301, in single_request
> >>    self.send_content(h, request_body)
> >>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1448, in send_content
> >>    connection.endheaders(request_body)
> >>  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
> >>    self._send_output(message_body)
> >>  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
> >>    self.send(msg)
> >>  File "/usr/lib64/python2.7/httplib.py", line 826, in send
> >>    self.connect()
> >>  File "/usr/lib64/python2.7/httplib.py", line 1236, in connect
> >>    server_hostname=sni_hostname)
> >>  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
> >>    _context=self)
> >>  File "/usr/lib64/python2.7/ssl.py", line 611, in __init__
> >>    self.do_handshake()
> >>  File "/usr/lib64/python2.7/ssl.py", line 833, in do_handshake
> >>    self._sslobj.do_handshake()
> >>SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
> >>ERROR: Failed to connect to https://<dev_spacewalk>/rpc/api
> >>
> >>Questions
> >>==================================
> >>
> >>1) How can I check if the certificates are ok?
> >>2) Is it a certificate problem or a Spacewalk problem? Any idea how I can
> >>debug this?
> >>3) Our customer is using a self-signed certificate, so I don't think
> >>that it is a CA certificate problem?
> >>4) All certificates look ok but this file does not. I don't really know how
> >>it will be created:
> >>
> >><dev_server># cat /tmp/ssl-key-1
> >>Certificate:
> >>    Data:
> >>        Version: 3 (0x2)
> >>        Serial Number: 13876969005773671483 (0xc094e5c9943ecc3b)
> >>    Signature Algorithm: sha1WithRSAEncryption
> >>Issuer: C=CH, ST=XXXXX, L=XXXX, O=XXXX, OU=XX, CN=<prod_spacewalk>.local
> >
> >Your cert is created for "prod_spacewalk.local" but you are connecting 
> >to a totally different name ("dev_spacewalk" (without .local)) and 
> >expect it to verify...
> >
> >How should this work?????
> >
> >
> >Even if you are using the correct name to connect.... Does your new 
> >"client" "trust" the SW CA?
> >
> >Normally... the SW clients use the RHN-TRUSTED-SSL-CERT file that is 
> >stored in /usr/share/rhn as CA store to "verify" the connection (tools 
> >like "rhn_check")
> >
> >Robert
> 
> To quickly test from the new client.... Modify its /etc/hosts file and set a static entry for "prod_spacewalk.local" and set its IP to the IP of "dev_spacewalk". In case you're trusting SW's CA cert, SSL should work.
> 
> Robert
> 
> >
> >
> >
> >
> >>        Validity
> >>            Not Before: Nov  4 10:50:35 2015 GMT
> >>            Not After : Oct 29 10:50:35 2036 GMT
> >>Subject: C=XX, ST=XXXXX, L=XXXX, O=XXXX, OU=XX, CN=<prod_spacewalk>.local
> >>        Subject Public Key Info:
> >>            ...
> >>-----END CERTIFICATE-----
> >>
> >>
> >>Thank you for your help in advance,
> >>
> >>Best regard,
> >>
> >>Jérôme Meyer
> >>System Engineer
> >
> >
> >--
> >sent from my mobile device
> >
> >_______________________________________________
> >Spacewalk-list mailing list
> >Spacewalk-list at redhat.com
> >https://www.redhat.com/mailman/listinfo/spacewalk-list
> 
> 
> --
> sent from my mobile device
>
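As an added example (not from the thread, and not Spacewalk's own tooling), the script below rebuilds the two conditions Robert names, a trusted CA and an exact name match, with a throwaway PKI and checks them the way the TLS client does, so the failing handshake can be reproduced offline without touching the real servers. It assumes openssl 1.1.1 or newer; the CA names, file names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. spacewalk-ca.crt plays the role of the
# client's /usr/share/rhn/RHN-TRUSTED-SSL-CERT and server.crt mimics the pasted
# certificate (CN=prod_spacewalk.local). Requires openssl 1.1.1 or newer.
set -u
WORK=$(mktemp -d)

# new_ca NAME: self-signed CA carrying the extensions a verifier requires of a CA.
new_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_test_pki: the Spacewalk CA, a server cert it signed, and an unrelated CA
# that stands in for a client whose trust store lacks the Spacewalk CA.
make_test_pki() {
    new_ca spacewalk-ca
    new_ca other-ca
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=prod_spacewalk.local" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    # The 2015 cert in the thread has only a CN; modern verifiers match the
    # subjectAltName, so give the test cert one with the same name.
    printf 'subjectAltName=DNS:prod_spacewalk.local\n' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/spacewalk-ca.crt" \
        -CAkey "$WORK/spacewalk-ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# check_cert CA_FILE HOSTNAME CERT_FILE: exit 0 only when the chain verifies
# against CA_FILE AND HOSTNAME matches the certificate's names, the same two
# checks the client performs during the handshake before any XML-RPC is sent.
check_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

make_test_pki
CA="$WORK/spacewalk-ca.crt"; SRV="$WORK/server.crt"
check_cert "$CA" prod_spacewalk.local "$SRV" && echo "trusted CA + right name: OK"
check_cert "$CA" dev_spacewalk "$SRV" || echo "trusted CA + wrong name: FAIL (name in /etc/hosts must equal the CN)"
check_cert "$WORK/other-ca.crt" prod_spacewalk.local "$SRV" || echo "untrusted CA + right name: FAIL (client lacks the SW CA)"
```

Both failures are worth checking separately: on Python 2.7.9+ a name mismatch is reported as ssl.CertificateError after the handshake, while CERTIFICATE_VERIFY_FAILED raised inside _sslobj.do_handshake(), as in the traceback above, comes from the chain check, so the untrusted-CA case is the one to test first on the new client.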



