[Spacewalk-list] Registration to the new server via rhnreg_ks returns an SSL error
Robert Paschedag
robert.paschedag at web.de
Sat Mar 2 11:38:54 UTC 2019
Am 2. März 2019 00:55:20 MEZ schrieb "Zhou, Rui A. (NSB - CN/Shanghai)" <rui.a.zhou at nokia-sbell.com>:
>My problem was resloved, I reset my login password and it work now!
I dought that a login reset fixes an SSL verification error but if you're happy now, all is good. ;-)
Robert
>
>-----Original Message-----
>From: Zhou, Rui A. (NSB - CN/Shanghai)
>Sent: 2019年3月1日 19:02
>To: spacewalk-list at redhat.com; robert.paschedag at web.de
>Cc: Zhu, Ting (NSB - CN/Shanghai) <ting.zhu at nokia-sbell.com>
>Subject: RE: [Spacewalk-list] Registration to the new server via
>rhnreg_ks returns an SSL error
>
>Very sad to say, they are the same, I think if the file in hosts has
>some impacts? I find I have not write the configuration before. I will
>try and tell the result later.
>[root at spacewalk-server pxelinux.cfg]# cat /etc/hosts
>127.0.0.1 localhost localhost.localdomain localhost4
>localhost4.localdomain4
>::1 localhost localhost.localdomain localhost6
>localhost6.localdomain6
>135.251.206.139 spacewalk-server
>
>Client:
>[root at FNSHA172 yum.repos.d]# cat
>/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 91:88:95:56:dd:6c:6d:0d
>
>Server:
>[root at spacewalk-server ~]# cat
>/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 91:88:95:56:dd:6c:6d:0d
>
>-----Original Message-----
>From: spacewalk-list-bounces at redhat.com
>[mailto:spacewalk-list-bounces at redhat.com] On Behalf Of
>P.Cookson at bham.ac.uk
>Sent: 2019年3月1日 17:09
>To: robert.paschedag at web.de; spacewalk-list at redhat.com
>Subject: Re: [Spacewalk-list] Registration to the new server via
>rhnreg_ks returns an SSL error
>
>Whether you re-installed the Spacewalk application on the same server
>or a different one, a new certificate should have been produced after
>running "spacewalk-setup."
>
>Subsequently, the certificate can be viewed on the server:
>
>cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>
>OR
>
>WebUI -> Systems (Top Menu) -> Kickstart (Left Menu) -> GPG and SSL
>Keys -> RHN-ORG-TRUSTED-SSL-CERT -> Key contents
>
>If everything has been done correctly, to register the client, the
>certificate can be viewed on there too:
>
>cat /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>
>If they don't match, you'll have a problem!
>
>Like Robert says, it seems to be "just" a SSL issue really but,
>obviously, the certificate is being generated by the Spacewalk
>application installation.
>
>Regards
>Phil
>
>-----Original Message-----
>From: robert.paschedag at web.de <robert.paschedag at web.de>
>Sent: 28 February 2019 16:47
>To: spacewalk-list at redhat.com; Philip Cookson (IT Services)
><P.Cookson at bham.ac.uk>; spacewalk-list at redhat.com
>Subject: Re: [Spacewalk-list] Registration to the new server via
>rhnreg_ks returns an SSL error
>
>Am 28. Februar 2019 11:10:57 MEZ schrieb "P.Cookson at bham.ac.uk"
><P.Cookson at bham.ac.uk>:
>>Obviously, that will work but you won’t be using the secure layer or
>>addressing the underlying problem!
>>
>>If you’re getting the same problem with a new client system I can see
>>how you may think it’s a server related issue. However, the Spacewalk
>>certificate is generated during installation so it would be un-usual,
>I
>>would have thought?
>>
>>Did you add the certificate to the database (certutil -d
>>sql:/etc/pki/nssdb -An RHN-ORG-TRUSTED-SSL-CERT -t C,, -ai
>>/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT), too, as you only mention
>>getting the rpm (rpm -Uvh
>>http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm)?
>>
>>Regards
>>Phil
>>
>>From: spacewalk-list-bounces at redhat.com
>><spacewalk-list-bounces at redhat.com> On Behalf Of
>>rui.a.zhou at nokia-sbell.com
>>Sent: 28 February 2019 09:51
>>To: spacewalk-list at redhat.com
>>Cc: Zhu, Ting (NSB - CN/Shanghai) <ting.zhu at nokia-sbell.com>
>>Subject: Re: [Spacewalk-list] Registration to the new server via
>>rhnreg_ks returns an SSL error
>>
>>
>>I think this may not the problem of the client, when I try to add new
>>client server it also has the error: The SSL certificate failed
>>verification.
>>I find this help, change the
>>--serverUrl=https://spacewalk-server/XMLRPC to
>>--serverUrl=http://spacewalk-server/XMLRPC. The system can be
>>registerd, The reason maybe:
>>
>>* System did not have the correct SSL certificate.(I check, server
>>and client have the same sslCACert)
>> * SSL certificate was corrupted.(how to explain this?)
>
>This is just a standard SSL issue. Nothing special with spacewalk.
>
>If you're connecting to https://spacewalk-server/, "spacewalk-server"
>has to be included within the SSL certificate. And if that is missing,
>the certificate may be valid but you still get the verification error .
>
>Robert
>
>>
>>
>>From:
>>spacewalk-list-bounces at redhat.com<mailto:spacewalk-list-bounces at redhat.
>>com> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of
>>P.Cookson at bham.ac.uk<mailto:P.Cookson at bham.ac.uk>
>>Sent: 2019年2月28日 17:35
>>To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
>>Subject: Re: [Spacewalk-list] Registration to the new server via
>>rhnreg_ks returns an SSL error
>>
>>Hi
>>
>>It’s a little more involved than that! I produced these notes, for
>>myself, when un-registering a system from a Dev Spacewalk Server and
>>registering it with a Test Spacewalk Server. It’s effectively the same
>
>>thing that you need to do though.
>>
>>
>>Spacewalk does not provide an option to un-register a client system
>>(similar to registering - “rhnreg_ks”) - the only option is to remove
>>the client system’s profile from the Spacewalk server.
>>
>>To remove a client’s profile from the Spacewalk server perform these
>>steps:
>>
>>
>> 1. Log in to the Spacewalk Console.
>>2. Click on the Systems tab in the top navigation bar and then click
>>on the name of the system which you want to remove from the Systems
>>List.
>> 3. Click the Delete System link in the top-right corner of the
>page.
>>4. Confirm system profile deletion by clicking the Delete Profile
>>button.
>>5. Now go to the client system and execute below command to remove
>the
>>associated System ID file:
>>
>> # rm /etc/sysconfig/rhn/systemid
>>
>>In addition, remove Spacewalk certificate for Development and add
>>certificate for Test. Then register client system with Test Spacewalk
>>server:
>>
>># certutil -d sql:/etc/pki/nssdb -Dn RHN-ORG-TRUSTED-SSL-CERT -t C,,
>>-ai /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>># rpm -ev rhn-org-trusted-ssl-cert-1.0-1.noarch
>># rpm -Uvh https://<Test<https://%3cTest>
>>Server>/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
>># certutil -d sql:/etc/pki/nssdb -An RHN-ORG-TRUSTED-SSL-CERT -t C,,
>>-ai /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>># rhnreg_ks --serverUrl=https://<Test Server>/XMLRPC
>>--sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>>--activationkey=[ACTIVATION KEY]
>>
>>
>>Note, if you’re using OSAD, the service may have stopped during this
>>process and therefore, will need to be re-started. I’ve also found
>>that, even if it’s still running, I’ve had to restart it before
>actions
>>were automatically picked up again:
>>
>> # systemctl start osad OR service osad start
>>
>>
>>Hope this is of help?
>>
>>Regards
>>Phil
>>
>>From:
>>spacewalk-list-bounces at redhat.com<mailto:spacewalk-list-bounces at redhat.
>>com>
>><spacewalk-list-bounces at redhat.com<mailto:spacewalk-list-bounces at redhat
>>.com>>
>>On Behalf Of
>>rui.a.zhou at nokia-sbell.com<mailto:rui.a.zhou at nokia-sbell.com>
>>Sent: 28 February 2019 08:57
>>To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
>>Cc: Zhu, Ting (NSB - CN/Shanghai)
>><ting.zhu at nokia-sbell.com<mailto:ting.zhu at nokia-sbell.com>>
>>Subject: [Spacewalk-list] Registration to the new server via rhnreg_ks
>
>>returns an SSL error
>>
>>I re-installed the spacewalk server, and the client can not register
>to
>>the new installed server.
>>
>>[root at FNSHB109 rhn]# rpm -e rhn-org-trusted-ssl-cert-1.0-1.noarch
>>
>>[root at FNSHB109 rhn]# rpm -Uvh
>>http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
>>Retrieving
>>http://spacewalk-server/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
>>Preparing...
>#################################
>>[100%]
>>Updating / installing...
>>1:rhn-org-trusted-ssl-cert-1.0-1 #################################
>>[100%]
>>
>>[root at FNSHB109 rhn]# rhnreg_ks
>>--serverUrl=https://spacewalk-server/XMLRPC
>>--sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>>--activationkey=1-centos7.6 --force --verbose
>>D: rpcServer: Calling XMLRPC registration.welcome_message An error has
>>occurred:
>>The SSL certificate failed verification.
>>See /var/log/up2date for more information
>>
>>[root at FNSHB109 rhn]# cat /etc/sysconfig/rhn/up2date |grep share
>>sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>>
>>[Thu Feb 28 16:53:34 2019] up2date D: rpcServer: Calling XMLRPC
>>registration.welcome_message [Thu Feb 28 16:53:34 2019] up2date
>>Traceback (most recent call last):
>> File "/usr/sbin/rhnreg_ks", line 215, in <module>
>> cli.run()
>>File "/usr/lib/python2.7/site-packages/up2date_client/rhncli.py", line
>
>>94, in run
>> sys.exit(self.main() or 0)
>> File "/usr/sbin/rhnreg_ks", line 93, in main
>> rhnreg.getCaps()
>>File "/usr/lib/python2.7/site-packages/up2date_client/rhnreg.py", line
>
>>264, in getCaps
>> s.capabilities.validate()
>>File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py",
>>line 185, in __get_capabilities
>> self.registration.welcome_message()
>>File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py",
>>line 84, in __call__
>> raise_with_tb(up2dateErrors.SSLCertificateVerifyFailedError())
>>File "/usr/lib/python2.7/site-packages/up2date_client/rhnserver.py",
>>line 67, in __call__
>> return rpcServer.doCall(method, *args, **kwargs) File
>>"/usr/lib/python2.7/site-packages/up2date_client/rpcServer.py",
>>line 214, in doCall
>> ret = method(*args, **kwargs)
>> File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
>> return self.__send(self.__name, args) File
>>"/usr/lib/python2.7/site-packages/up2date_client/rpcServer.py",
>>line 48, in _request1
>> ret = self._request(methodname, params) File
>>"/usr/lib/python2.7/site-packages/rhn/rpclib.py", line 394, in
>_request
>> self._handler, request, verbose=self._verbose) File
>>"/usr/lib/python2.7/site-packages/rhn/transports.py", line 177, in
>>request
>> headers, fd = req.send_http(host, handler) File
>>"/usr/lib/python2.7/site-packages/rhn/transports.py", line 733, in
>>send_http self._connection.request(self.method, handler,
>>body=bstr(self.data),
>>headers=self.headers)
>> File "/usr/lib64/python2.7/httplib.py", line 1017, in request
>> self._send_request(method, url, body, headers)
>> File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
>> self.endheaders(body)
>> File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
>> self._send_output(message_body)
>> File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
>> self.send(msg)
>> File "/usr/lib64/python2.7/httplib.py", line 840, in send
>> self.sock.sendall(data)
>> File "/usr/lib/python2.7/site-packages/rhn/SSL.py", line 264, in
>write
>> sent = self._connection.send(data)
>><class
>'up2date_client.up2dateErrors.SSLCertificateVerifyFailedError'>:
>>The SSL certificate failed verification.
>
>
>--
>sent from my mobile device
>
>_______________________________________________
>Spacewalk-list mailing list
>Spacewalk-list at redhat.com
>https://www.redhat.com/mailman/listinfo/spacewalk-list
--
sent from my mobile device
More information about the Spacewalk-list
mailing list