[Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error

P.Cookson at bham.ac.uk P.Cookson at bham.ac.uk
Fri Mar 1 11:10:14 UTC 2019


You're only showing the top of the files there. Is the rest of the information the same too, particularly the server name and actual key? All the responses from "spacewalk-setup" should be in there really.

Regards
Phil

-----Original Message-----
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> On Behalf Of rui.a.zhou at nokia-sbell.com
Sent: 01 March 2019 11:02
To: spacewalk-list at redhat.com; robert.paschedag at web.de
Cc: Zhu, Ting (NSB - CN/Shanghai) <ting.zhu at nokia-sbell.com>
Subject: Re: [Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error

Very sad to say, they are the same. I wonder if the file in hosts has some impact? I find I have not written the configuration before. I will try and tell the result later.
[root at spacewalk-server pxelinux.cfg]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
135.251.206.139 spacewalk-server

Client:
[root at FNSHA172 yum.repos.d]# cat /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:88:95:56:dd:6c:6d:0d

Server:
[root at spacewalk-server ~]# cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:88:95:56:dd:6c:6d:0d

-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of P.Cookson at bham.ac.uk
Sent: 1 March 2019 17:09
To: robert.paschedag at web.de; spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error

Whether you re-installed the Spacewalk application on the same server or a different one, a new certificate should have been produced after running "spacewalk-setup."

Subsequently, the certificate can be viewed on the server:

cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT

OR

WebUI -> Systems (Top Menu) -> Kickstart (Left Menu) -> GPG and SSL Keys -> RHN-ORG-TRUSTED-SSL-CERT -> Key contents

If everything has been done correctly, to register the client, the certificate can be viewed on there too:

cat /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

If they don't match, you'll have a problem!

Like Robert says, it seems to be "just" an SSL issue really but, obviously, the certificate is being generated by the Spacewalk application installation.

Regards
Phil

-----Original Message-----
From: robert.paschedag at web.de <robert.paschedag at web.de>
Sent: 28 February 2019 16:47
To: spacewalk-list at redhat.com; Philip Cookson (IT Services) <P.Cookson at bham.ac.uk>; spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error

On 28 February 2019 11:10:57 CET, "P.Cookson at bham.ac.uk" <P.Cookson at bham.ac.uk> wrote:
>Obviously, that will work but you won’t be using the secure layer or 
>addressing the underlying problem!
>
>If you’re getting the same problem with a new client system I can see 
>how you may think it’s a server related issue. However, the Spacewalk 
>certificate is generated during installation so it would be unusual, I 
>would have thought?
>
>Did you add the certificate to the database (certutil -d 
>sql:/etc/pki/nssdb -An RHN-ORG-TRUSTED-SSL-CERT -t C,, -ai 
>/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT), too, as you only mention 
>getting the rpm (rpm -Uvh 
>http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm)?
>
>Regards
>Phil
>
>From: spacewalk-list-bounces at redhat.com 
><spacewalk-list-bounces at redhat.com> On Behalf Of 
>rui.a.zhou at nokia-sbell.com
>Sent: 28 February 2019 09:51
>To: spacewalk-list at redhat.com
>Cc: Zhu, Ting (NSB - CN/Shanghai) <ting.zhu at nokia-sbell.com>
>Subject: Re: [Spacewalk-list] Registration to the new server via 
>rhnreg_ks returns an SSL error
>
>
>I think this may not be the problem of the client; when I try to add a new 
>client server it also has the error: The SSL certificate failed 
>verification.
>I find this helps: change the
>--serverUrl=https://spacewalk-server/XMLRPC to 
>--serverUrl=http://spacewalk-server/XMLRPC. The system can be 
>registered. The reason may be:
>
>  *   System did not have the correct SSL certificate. (I checked; server
>      and client have the same sslCACert.)
>  *   SSL certificate was corrupted. (How to explain this?)

This is just a standard SSL issue. Nothing special with spacewalk.

If you're connecting to https://spacewalk-server/, "spacewalk-server" has to be included within the SSL certificate. And if that is missing, the certificate may be valid but you still get the verification error.

Robert

>
>
>From: spacewalk-list-bounces at redhat.com
>[mailto:spacewalk-list-bounces at redhat.com] On Behalf Of
>P.Cookson at bham.ac.uk
>Sent: 28 February 2019 17:35
>To: spacewalk-list at redhat.com
>Subject: Re: [Spacewalk-list] Registration to the new server via 
>rhnreg_ks returns an SSL error
>
>Hi
>
>It’s a little more involved than that! I produced these notes, for 
>myself, when un-registering a system from a Dev Spacewalk Server and 
>registering it with a Test Spacewalk Server. It’s effectively the same 
>thing that you need to do though.
>
>
>Spacewalk does not provide an option to un-register a client system 
>(similar to registering - “rhnreg_ks”) - the only option is to remove 
>the client system’s profile from the Spacewalk server.
>
>To remove a client’s profile from the Spacewalk server perform these
>steps:
>
>
>  1.  Log in to the Spacewalk Console.
>  2.  Click on the Systems tab in the top navigation bar and then click 
>      on the name of the system which you want to remove from the Systems 
>      List.
>  3.  Click the Delete System link in the top-right corner of the page.
>  4.  Confirm system profile deletion by clicking the Delete Profile 
>      button.
>  5.  Now go to the client system and execute below command to remove the 
>      associated System ID file:
>
>                # rm /etc/sysconfig/rhn/systemid
>
>In addition, remove Spacewalk certificate for Development and add 
>certificate for Test. Then register client system with Test Spacewalk
>server:
>
># certutil -d sql:/etc/pki/nssdb -Dn RHN-ORG-TRUSTED-SSL-CERT -t C,, 
>-ai /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
># rpm -ev rhn-org-trusted-ssl-cert-1.0-1.noarch
># rpm -Uvh https://<Test Server>/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
># certutil -d sql:/etc/pki/nssdb -An RHN-ORG-TRUSTED-SSL-CERT -t C,, 
>-ai /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
># rhnreg_ks --serverUrl=https://<Test Server>/XMLRPC 
>--sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>--activationkey=[ACTIVATION KEY]
>
>
>Note, if you’re using OSAD, the service may have stopped during this 
>process and therefore, will need to be re-started. I’ve also found 
>that, even if it’s still running, I’ve had to restart it before actions 
>were automatically picked up again:
>
>                    # systemctl start osad OR service osad start
>
>
>Hope this is of help?
>
>Regards
>Phil
>
>From: spacewalk-list-bounces at redhat.com
><spacewalk-list-bounces at redhat.com>
>On Behalf Of rui.a.zhou at nokia-sbell.com
>Sent: 28 February 2019 08:57
>To: spacewalk-list at redhat.com
>Cc: Zhu, Ting (NSB - CN/Shanghai) <ting.zhu at nokia-sbell.com>
>Subject: [Spacewalk-list] Registration to the new server via rhnreg_ks 
>returns an SSL error
>
>I re-installed the spacewalk server, and the client cannot register to 
>the newly installed server.
>
>[root at FNSHB109 rhn]# rpm -e rhn-org-trusted-ssl-cert-1.0-1.noarch
>
>[root at FNSHB109 rhn]# rpm -Uvh http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
>Retrieving http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
>Preparing...                          ################################# [100%]
>Updating / installing...
>   1:rhn-org-trusted-ssl-cert-1.0-1   ################################# [100%]
>
>[root at FNSHB109 rhn]# rhnreg_ks --serverUrl=https://spacewalk-server/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-centos7.6 --force --verbose
>D: rpcServer: Calling XMLRPC registration.welcome_message
>An error has occurred:
>The SSL certificate failed verification.
>See /var/log/up2date for more information
>
>[root at FNSHB109 rhn]# cat /etc/sysconfig/rhn/up2date |grep share
>sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>
>[Thu Feb 28 16:53:34 2019] up2date D: rpcServer: Calling XMLRPC registration.welcome_message
>[Thu Feb 28 16:53:34 2019] up2date
>Traceback (most recent call last):
>  File "/usr/sbin/rhnreg_ks", line 215, in <module>
>    cli.run()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhncli.py", line 94, in run
>    sys.exit(self.main() or 0)
>  File "/usr/sbin/rhnreg_ks", line 93, in main
>    rhnreg.getCaps()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnreg.py", line 264, in getCaps
>    s.capabilities.validate()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py", line 185, in __get_capabilities
>    self.registration.welcome_message()
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py", line 84, in __call__
>    raise_with_tb(up2dateErrors.SSLCertificateVerifyFailedError())
>  File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py", line 67, in __call__
>    return rpcServer.doCall(method, *args, **kwargs)
>  File "/usr/lib/python2.7/site-packages/up2date_client/rpcServer.py", line 214, in doCall
>    ret = method(*args, **kwargs)
>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
>    return self.__send(self.__name, args)
>  File "/usr/lib/python2.7/site-packages/up2date_client/rpcServer.py", line 48, in _request1
>    ret = self._request(methodname, params)
>  File "/usr/lib/python2.7/site-packages/rhn/rpclib.py", line 394, in _request
>    self._handler, request, verbose=self._verbose)
>  File "/usr/lib/python2.7/site-packages/rhn/transports.py", line 177, in request
>    headers, fd = req.send_http(host, handler)
>  File "/usr/lib/python2.7/site-packages/rhn/transports.py", line 733, in send_http
>    self._connection.request(self.method, handler, body=bstr(self.data), headers=self.headers)
>  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
>    self._send_request(method, url, body, headers)
>  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
>    self.endheaders(body)
>  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
>    self._send_output(message_body)
>  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
>    self.send(msg)
>  File "/usr/lib64/python2.7/httplib.py", line 840, in send
>    self.sock.sendall(data)
>  File "/usr/lib/python2.7/site-packages/rhn/SSL.py", line 264, in write
>    sent = self._connection.send(data)
><class 'up2date_client.up2dateErrors.SSLCertificateVerifyFailedError'>:
>The SSL certificate failed verification.


--
sent from my mobile device

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
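
The two checks discussed in this thread (whether the client and server copies of the CA file really are the same certificate, and whether the name in --serverUrl is present in the server certificate) can be scripted with openssl. The script below is an added example and is not part of any message in the thread; its function and file names are hypothetical, and it generates a throwaway CA and server certificate as constructed sample data so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are hypothetical.

# SHA-256 fingerprint of the certificate in a PEM file. This covers the whole
# certificate, unlike comparing only the first lines of the text dump.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if both files hold the same certificate.
same_cert() {
    [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]
}

# Succeeds if the server certificate ($2) chains to the CA file ($1) and
# names the host ($3) taken from --serverUrl.
server_cert_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null |
        grep -q ': OK$'
}

# Constructed sample data: a throwaway CA plus a server certificate whose
# CN is $2, written to directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.crt" 2>/dev/null
}

# Demo: the client's CA copy matches the server's, and the server certificate
# verifies for the name it was issued to but not for any other name.
demo() {
    tmp=$(mktemp -d) && make_sample "$tmp" spacewalk-server || return 1
    cp "$tmp/ca.crt" "$tmp/client-ca.crt"
    same_cert "$tmp/ca.crt" "$tmp/client-ca.crt" && echo "CA copies match"
    server_cert_ok "$tmp/ca.crt" "$tmp/srv.crt" spacewalk-server &&
        echo "name in URL is in the certificate"
    server_cert_ok "$tmp/ca.crt" "$tmp/srv.crt" 135.251.206.139 ||
        echo "IP address in URL would fail verification"
    rm -rf "$tmp"
}
demo
```

Against a live server, the first argument to `server_cert_ok` is the file passed as --sslCACert and the second is the certificate the web server presents, which can be saved from the output of `openssl s_client -connect spacewalk-server:443`.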
