[Spacewalk-list] [BULK]Re: [BULK]Re: [BULK][EXT] Re: Regenerating Trusted Cert

Weiner, Michael weinerm at ccf.org
Sun Sep 29 17:56:58 UTC 2019


I apologize, but I meant to mention: the CA file has an incorrect CN in it, which I believe is the issue.

________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Robert Paschedag <robert.paschedag at web.de>
Sent: Saturday, September 28, 2019 12:15 PM
To: spacewalk-list at redhat.com
Subject: [BULK]Re: [Spacewalk-list] [BULK]Re: [BULK][EXT] Re: Regenerating Trusted Cert

This sounds strange to me. Am I right, that these 53 clients are the only clients? And that these are *not* registered to Spacewalk? It never worked?

The RHN-ORG-TRUSTED-SSL-CERT *IS* the CA file and if that did not change, nothing has to be done.

Change the cert on the server (with the fixed name) and restart the SW services.

Make sure that all services are running correctly and also make sure on a client (with curl) that the TLS connection to SW from one of your clients is working correctly (you might need to set the "cafile" option in curl (see manpage)). Should look something like

"curl -v --cacert /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT https://<Fqdn>"

You should not get a TLS error!

If this works, check the fqdn on all clients within /etc/sysconfig/rhn/up2date and fix it if broken and just try to re-register the clients with

"rhnreg_ks --force --activationkey=<your_key> --serverUrl=https://<fqdn>/XMLRPC"

If the registration works, but you have problems with your repo tool (yum, dnf, zypper, apt), you might need to regenerate the central SSL CA keystore (see manpage for "c_rehash" or "update-ca-certificates")

Good luck.

Robert


-------- Original Message --------
From: "Weiner, Michael" <weinerm at ccf.org>
Sent: Sat Sep 28 17:44:25 GMT+02:00 2019
To: "spacewalk-list at redhat.com" <spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] [BULK]Re: [BULK][EXT] Re: Regenerating Trusted Cert

Thank you for your response, Robert. You are correct, the setup created an SSL cert with an incorrect FQDN (the CN is incorrect in the cert) which is now out on about 53 clients who now cannot update from Spacewalk because of that. And yes, I would like to fix the cert and push it to the 53 clients. The certificate was generated and signed on the same server using the same CA. I get the fact that I don't need to redistribute the CA files, but the RHN-TRUSTED-SSL-CERT file is incorrect; I am not sure how that will work correctly.


________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Robert Paschedag <robert.paschedag at web.de>
Sent: Friday, September 27, 2019 2:23 PM
To: spacewalk-list at redhat.com
Subject: [BULK]Re: [Spacewalk-list] [BULK][EXT] Re: Regenerating Trusted Cert

If I understand it right, the name of your server within your certificate was wrong and all the clients are running with the wrong fqdn name. Right?

So you now want to fix this and created a new certificate with the FQDN fixed. Right?

Has this certificate been generated (and signed) by the same CA? Then you don't have to redistribute the CA file and don't need to change the RHN-TRUSTED-SSL-CERT file.

The best thing would be if you created the new certificate with both FQDN names... the wrong old (current) one and the new fixed one (as a SAN certificate).

All that should be needed then is to put the new certificate in place on the server (within Apache and jabber (xml files) configuration) and set the old FQDN name as ServerAlias within Apache.

With this configuration in place, it should work that all clients (old and new) can connect to Spacewalk without getting certificate errors.

The new clients should use the new name and you can later fix the name on all old clients within /etc/sysconfig/rhn/up2date and restart "rhnsd" and/or "osad" (maybe also within osad configuration file).

EDIT:

Hmm... Even if that all works, I think you would have problems with "osad". I think a temporary configuration of jabber (for 2 server names) would be too complicated.

So if you don't mind losing osad connectivity on the old clients, I would try that.

Backup all your configuration files or - when running virtually - create a snapshot before you start.

Robert


-------- Original Message --------
From: "Weiner, Michael" <weinerm at ccf.org>
Sent: Fri Sep 27 19:20:49 GMT+02:00 2019
To: "spacewalk-list at redhat.com" <spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] [BULK][EXT] Re: Regenerating Trusted Cert

Thank you for your response, Dean. I didn't do the Let's Encrypt cert, will that be a problem?

________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Peirce, Dean <Dean.Peirce at cengage.com>
Sent: Friday, September 27, 2019 12:02 PM
To: spacewalk-list at redhat.com
Subject: [BULK][EXT] Re: [Spacewalk-list] Regenerating Trusted Cert

Hi Michael,
I followed the instructions in the link below, when I had to change my cert. I had to work around a couple of the steps, since we use a static ssl certificate, and not a Let's Encrypt cert.

Hope this helps.

https://omg.dje.li/2017/04/using-lets-encrypt-ssl-certificates-with-spacewalk/


-Dean

On Sep 27, 2019, at 11:38 AM, Weiner, Michael <weinerm at ccf.org> wrote:

I have a need to regenerate and redistribute the SSL certificate for my instance of Spacewalk. When I set it up originally, the FQDN was not correct, so the cert that got distributed to workstations/servers is now wrong, and I need to correct it now that the FQDN is correct. I have been googling but I can't seem to find anything specific to my query. I would have assumed there was a script (like the initial install script) that can recreate the cert and RPM.

Any assistance would be greatly appreciated.
Michael

Please consider the environment before printing this e-mail
Cleveland Clinic is currently ranked as one of the nation's top hospitals by U.S. News & World Report (2019-2020). Visit us online at http://www.clevelandclinic.org for a complete listing of our services, staff and locations. Confidentiality Note: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. Thank you.
_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
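
Added example, not part of the original thread and not Spacewalk's own tooling: it rehearses offline the approach suggested above, where the CA stays the same, the server certificate is reissued with both the old and the corrected FQDN as SANs, and the result is checked against the unchanged CA file before anything is deployed. The host names, the throwaway CA and the helper functions `make_ca`, `issue_cert` and `name_ok` are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed names and a throwaway CA; touches no real Spacewalk host.
set -eu

OLD_FQDN="spacewalk.wrongname.example"   # constructed: name currently configured on clients
NEW_FQDN="spacewalk.corp.example"        # constructed: corrected name
work=$(mktemp -d)

# Throwaway CA, standing in for the unchanged RHN-ORG-TRUSTED-SSL-CERT.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
}

# issue_cert NAME CN SAN: write NAME.pem, a server certificate signed by the CA above.
issue_cert() {
  printf 'subjectAltName=%s\n' "$3" > "$work/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 30 -extfile "$work/$1.ext" -out "$work/$1.pem" 2>/dev/null
}

# name_ok NAME HOST: succeeds only if NAME.pem chains to the CA *and* is valid for HOST,
# the two checks a TLS client makes when it trusts only that CA file.
name_ok() {
  openssl verify -CAfile "$work/ca.pem" -verify_hostname "$2" "$work/$1.pem" >/dev/null 2>&1
}

make_ca
issue_cert old "$OLD_FQDN" "DNS:$OLD_FQDN"                 # certificate as first deployed
issue_cert new "$NEW_FQDN" "DNS:$NEW_FQDN,DNS:$OLD_FQDN"   # reissued with both names as SANs

for cert in old new; do
  for host in "$OLD_FQDN" "$NEW_FQDN"; do
    if name_ok "$cert" "$host"; then r=accepted; else r=REJECTED; fi
    echo "$cert.pem, client connecting to $host: $r"
  done
done
```

Only the combination of the old certificate and the corrected name is rejected, which is the failure the 53 clients would hit if only their configured FQDN were changed; the reissued certificate is accepted under both names without the CA file changing.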

