[Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error
Zhou, Rui A. (NSB - CN/Shanghai)
rui.a.zhou at nokia-sbell.com
Fri Mar 1 11:01:39 UTC 2019
Very sad to say, they are the same. I wonder if the hosts file has some impact? I find I have not written the configuration before. I will try and tell the result later.

[root@spacewalk-server pxelinux.cfg]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
135.251.206.139 spacewalk-server

Client:
[root@FNSHA172 yum.repos.d]# cat /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:88:95:56:dd:6c:6d:0d

Server:
[root@spacewalk-server ~]# cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:88:95:56:dd:6c:6d:0d

-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of P.Cookson at bham.ac.uk
Sent: 1 March 2019 17:09
To: robert.paschedag at web.de; spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error
Whether you re-installed the Spacewalk application on the same server or a different one, a new certificate should have been produced after running "spacewalk-setup."
Subsequently, the certificate can be viewed on the server:
cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
OR
WebUI -> Systems (Top Menu) -> Kickstart (Left Menu) -> GPG and SSL Keys -> RHN-ORG-TRUSTED-SSL-CERT -> Key contents
If everything has been done correctly, to register the client, the certificate can be viewed on there too:
cat /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
If they don't match, you'll have a problem!
Like Robert says, it seems to be "just" an SSL issue really but, obviously, the certificate is being generated by the Spacewalk application installation.
Regards
Phil
-----Original Message-----
From: robert.paschedag at web.de <robert.paschedag at web.de>
Sent: 28 February 2019 16:47
To: spacewalk-list at redhat.com; Philip Cookson (IT Services) <P.Cookson at bham.ac.uk>; spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error
On 28 February 2019 11:10:57 CET, "P.Cookson at bham.ac.uk" <P.Cookson at bham.ac.uk> wrote:
>Obviously, that will work but you won’t be using the secure layer or
>addressing the underlying problem!
>
>If you’re getting the same problem with a new client system I can see
>how you may think it’s a server related issue. However, the Spacewalk
>certificate is generated during installation so it would be un-usual, I
>would have thought?
>
>Did you add the certificate to the database (certutil -d
>sql:/etc/pki/nssdb -An RHN-ORG-TRUSTED-SSL-CERT -t C,, -ai
>/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT), too, as you only mention
>getting the rpm (rpm -Uvh
>http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm)?
>
>Regards
>Phil
>
>From: spacewalk-list-bounces at redhat.com
><spacewalk-list-bounces at redhat.com> On Behalf Of
>rui.a.zhou at nokia-sbell.com
>Sent: 28 February 2019 09:51
>To: spacewalk-list at redhat.com
>Cc: Zhu, Ting (NSB - CN/Shanghai) <ting.zhu at nokia-sbell.com>
>Subject: Re: [Spacewalk-list] Registration to the new server via
>rhnreg_ks returns an SSL error
>
>
>I think this may not be the problem of the client; when I try to add a new
>client server it also has the error: The SSL certificate failed
>verification.
>I find this help, change the
>--serverUrl=https://spacewalk-server/XMLRPC to
>--serverUrl=http://spacewalk-server/XMLRPC. The system can be
>registered. The reason may be:
>
>* System did not have the correct SSL certificate. (I check, server
>and client have the same sslCACert)
>* SSL certificate was corrupted. (how to explain this?)
This is just a standard SSL issue. Nothing special with spacewalk.
If you're connecting to https://spacewalk-server/, "spacewalk-server" has to be included within the SSL certificate. And if that is missing, the certificate may be valid but you still get the verification error.
Robert
>
>
>From: spacewalk-list-bounces at redhat.com
>[mailto:spacewalk-list-bounces at redhat.com] On Behalf Of
>P.Cookson at bham.ac.uk
>Sent: 28 February 2019 17:35
>To: spacewalk-list at redhat.com
>Subject: Re: [Spacewalk-list] Registration to the new server via
>rhnreg_ks returns an SSL error
>
>Hi
>
>It’s a little more involved than that! I produced these notes, for
>myself, when un-registering a system from a Dev Spacewalk Server and
>registering it with a Test Spacewalk Server. It’s effectively the same
>thing that you need to do though.
>
>
>Spacewalk does not provide an option to un-register a client system
>(similar to registering - “rhnreg_ks”) - the only option is to remove
>the client system’s profile from the Spacewalk server.
>
>To remove a client’s profile from the Spacewalk server perform these
>steps:
>
>
> 1. Log in to the Spacewalk Console.
> 2. Click on the Systems tab in the top navigation bar and then click
>    on the name of the system which you want to remove from the Systems
>    List.
> 3. Click the Delete System link in the top-right corner of the page.
> 4. Confirm system profile deletion by clicking the Delete Profile
>    button.
> 5. Now go to the client system and execute below command to remove the
>    associated System ID file:
>
> # rm /etc/sysconfig/rhn/systemid
>
>In addition, remove Spacewalk certificate for Development and add
>certificate for Test. Then register client system with Test Spacewalk
>server:
>
># certutil -d sql:/etc/pki/nssdb -Dn RHN-ORG-TRUSTED-SSL-CERT -t C,, -ai /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
># rpm -ev rhn-org-trusted-ssl-cert-1.0-1.noarch
># rpm -Uvh https://<Test Server>/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
># certutil -d sql:/etc/pki/nssdb -An RHN-ORG-TRUSTED-SSL-CERT -t C,, -ai /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
># rhnreg_ks --serverUrl=https://<Test Server>/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=[ACTIVATION KEY]
>
>
>Note, if you’re using OSAD, the service may have stopped during this
>process and therefore, will need to be re-started. I’ve also found
>that, even if it’s still running, I’ve had to restart it before actions
>were automatically picked up again:
>
> # systemctl start osad OR service osad start
>
>
>Hope this is of help?
>
>Regards
>Phil
>
>From: spacewalk-list-bounces at redhat.com
><spacewalk-list-bounces at redhat.com>
>On Behalf Of rui.a.zhou at nokia-sbell.com
>Sent: 28 February 2019 08:57
>To: spacewalk-list at redhat.com
>Cc: Zhu, Ting (NSB - CN/Shanghai) <ting.zhu at nokia-sbell.com>
>Subject: [Spacewalk-list] Registration to the new server via rhnreg_ks
>returns an SSL error
>
>I re-installed the spacewalk server, and the client can not register to
>the new installed server.
>
>[root@FNSHB109 rhn]# rpm -e rhn-org-trusted-ssl-cert-1.0-1.noarch
>
>[root@FNSHB109 rhn]# rpm -Uvh http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
>Retrieving http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
>Preparing...                          ################################# [100%]
>Updating / installing...
>   1:rhn-org-trusted-ssl-cert-1.0-1   ################################# [100%]
>
>[root@FNSHB109 rhn]# rhnreg_ks --serverUrl=https://spacewalk-server/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-centos7.6 --force --verbose
>D: rpcServer: Calling XMLRPC registration.welcome_message
>An error has occurred:
>The SSL certificate failed verification.
>See /var/log/up2date for more information
>
>[root@FNSHB109 rhn]# cat /etc/sysconfig/rhn/up2date |grep share
>sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>
>[Thu Feb 28 16:53:34 2019] up2date D: rpcServer: Calling XMLRPC registration.welcome_message
>[Thu Feb 28 16:53:34 2019] up2date
>Traceback (most recent call last):
>  File "/usr/sbin/rhnreg_ks", line 215, in <module>
>    cli.run()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhncli.py", line 94, in run
>    sys.exit(self.main() or 0)
>  File "/usr/sbin/rhnreg_ks", line 93, in main
>    rhnreg.getCaps()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnreg.py", line 264, in getCaps
>    s.capabilities.validate()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py", line 185, in __get_capabilities
>    self.registration.welcome_message()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py", line 84, in __call__
>    raise_with_tb(up2dateErrors.SSLCertificateVerifyFailedError())
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py", line 67, in __call__
>    return rpcServer.doCall(method, *args, **kwargs)
>  File "/usr/lib/python2.7/site-packages/up2date_client/rpcServer.py", line 214, in doCall
>    ret = method(*args, **kwargs)
>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
>    return self.__send(self.__name, args)
>  File "/usr/lib/python2.7/site-packages/up2date_client/rpcServer.py", line 48, in _request1
>    ret = self._request(methodname, params)
>  File "/usr/lib/python2.7/site-packages/rhn/rpclib.py", line 394, in _request
>    self._handler, request, verbose=self._verbose)
>  File "/usr/lib/python2.7/site-packages/rhn/transports.py", line 177, in request
>    headers, fd = req.send_http(host, handler)
>  File "/usr/lib/python2.7/site-packages/rhn/transports.py", line 733, in send_http
>    self._connection.request(self.method, handler, body=bstr(self.data), headers=self.headers)
>  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
>    self._send_request(method, url, body, headers)
>  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
>    self.endheaders(body)
>  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
>    self._send_output(message_body)
>  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
>    self.send(msg)
>  File "/usr/lib64/python2.7/httplib.py", line 840, in send
>    self.sock.sendall(data)
>  File "/usr/lib/python2.7/site-packages/rhn/SSL.py", line 264, in write
>    sent = self._connection.send(data)
><class 'up2date_client.up2dateErrors.SSLCertificateVerifyFailedError'>: The SSL certificate failed verification.
--
sent from my mobile device
_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
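
Added example, not part of the original thread: a shell check that separates the two causes discussed above, a CA file that does not match the server (Phil's comparison) and a certificate that verifies but does not contain the name used in --serverUrl (Robert's point). It assumes OpenSSL 1.0.2 or newer for -checkhost; the demo CA, the server certificate and the name spacewalk-server.example.com are constructed throwaway samples.

```shell
#!/bin/sh
# Added example: tell "wrong CA" apart from "name not in certificate".
# Every certificate generated here is a constructed sample, not from the thread.

# SHA-256 fingerprint of a PEM certificate (stronger than comparing serial numbers)
cert_fp()   { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# same_cert A B: true when both files hold the same certificate
same_cert() { [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; }
# chain_ok CA CERT: true when CERT was issued by CA
chain_ok()  { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# name_ok CERT HOST: true when HOST is covered by the certificate's SAN/CN
name_ok()   { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# diagnose CA_FILE SERVER_CERT HOST_FROM_SERVERURL
diagnose() {
  if ! chain_ok "$1" "$2"; then echo untrusted-ca
  elif ! name_ok "$2" "$3"; then echo name-mismatch
  else echo ok; fi
}

# make_demo_pki DIR NAME: constructed CA plus a server certificate for NAME
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext" &&
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -extfile "$1/san.ext" -out "$1/srv.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo" spacewalk-server.example.com
# On a real client the inputs would be /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
# and the certificate saved from:
#   openssl s_client -connect HOST:443 </dev/null | openssl x509
echo "short name: $(diagnose "$demo/ca.crt" "$demo/srv.crt" spacewalk-server)"
echo "full name:  $(diagnose "$demo/ca.crt" "$demo/srv.crt" spacewalk-server.example.com)"
rm -rf "$demo"
```

A result of name-mismatch with an identical CA file on both sides is the situation described in the thread: the trust anchor is right, but the host name the client connects to is not one the certificate was issued for.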