Re: [Spacewalk-list] osad not working with Spacewalk proxy server
On Thu, Feb 16, 2012 at 6:47 PM, Jeremy Davis jdavis4...@gmail.com wrote:
> Yes, that is the correct cert. You also need to make sure you download that cert to the client and change the /etc/sysconfig/rhn/osad.conf to point to that downloaded cert from the proxy server.

Ok, so here are the troubleshooting steps I've taken.

* Stopped the proxy services
* Moved /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT to RHN-ORG-TRUSTED-SSL-CERT.backup
* Re-ran configure-proxy.sh using the following answers file (names changed to protect the innocent):

    VERSION=1.6
    RHN_PARENT=spacewalk02.company.com
    TRACEBACK_EMAIL=adm...@company.com
    USE_SSL=Y
    CA_CHAIN=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    HTTP_PROXY=
    SSL_ORG=Some obscure gaming company
    SSL_ORGUNIT=spacewalkproxy01.dc.company.com
    SSL_COMMON=spacewalkproxy01.dc.company.com
    SSL_CITY=Austin
    SSL_STATE=Texas
    SSL_COUNTRY=US
    SSL_EMAIL=adm...@company.com
    INSTALL_MONITORING=n
    POPULATE_CONFIG_CHANNEL=n

A brand-spanking new cert was created in /var/www/html/pub, but the OU and CN in the certificate are for RHN_PARENT, or spacewalk02.company.com, which is the main app server. Should this be spacewalkproxy01.dc.company.com instead? My theory is that the SSL cert may be failing because it has the wrong name in it...

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
Re: [Spacewalk-list] osad not working with Spacewalk proxy server
Yes, the CN needs to be that of the proxy server that is listed in the /etc/sysconfig/rhn/up2date file. This cert should be at location http://spacewalkproxy01.dc.company.com/pub/RHN-ORG-TRUSTED-SSL-CERT

On 02/17/2012 09:18 AM, Sean Carolan wrote:
> Ok, so here are the troubleshooting steps I've taken.
>
> * Stopped the proxy services
> * Moved /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT to RHN-ORG-TRUSTED-SSL-CERT.backup
> * Re-ran configure-proxy.sh using the following answers file (names changed to protect the innocent):
>
> [...]
>
> A brand-spanking new cert was created in /var/www/html/pub, but the OU and CN in the certificate are for RHN_PARENT, or spacewalk02.company.com, which is the main app server. Should this be spacewalkproxy01.dc.company.com instead? My theory is that the SSL cert may be failing because it has the wrong name in it...

--
Thank you,
Jeremy Davis, GCIH
Re: [Spacewalk-list] osad not working with Spacewalk proxy server
So I wonder why the certificate is being generated with the wrong name? It contains the name of the upstream Spacewalk server instead of its own hostname. Is there something wrong with the data in my answers file?

Incidentally, I noticed that jabber seems to use a different SSL certificate; in /etc/jabberd/c2s.xml the pemfile is listed as /etc/jabberd/server.pem, which is a symlink:

    [root@spacewalkproxy01 log]# ls -l /etc/jabberd/server.pem
    lrwxrwxrwx 1 root root 37 Feb 17 16:08 /etc/jabberd/server.pem -> /etc/pki/spacewalk/jabberd/server.pem

Should I be doing anything with this pem file? Which one is OSAD using for SSL?

On Fri, Feb 17, 2012 at 1:17 PM, Jeremy Davis jdavis4...@gmail.com wrote:
> Yes, the CN needs to be that of the proxy server that is listed in the /etc/sysconfig/rhn/up2date file. This cert should be at location http://spacewalkproxy01.dc.company.com/pub/RHN-ORG-TRUSTED-SSL-CERT
>
> [...]
Re: [Spacewalk-list] osad not working with Spacewalk proxy server
On Thu, Feb 16, 2012 at 4:53 PM, Jeremy Davis jdavis4...@gmail.com wrote:
> If a server is connecting to a Spacewalk Proxy server you will need to use the SSL cert that was generated for that proxy server. This cert will be in the same location as the app server but on the proxy server.

How is /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT supposed to be created on the proxy machine? On most of our normal client servers, we simply use wget to pull this file so that OSAD will work. But if the proxy server is supposed to have a different cert in this location, how does it get created? Here's what happens if I try to configure the proxy without this file in place:

    [root@spacewalkproxy01 ~]# configure-proxy.sh
    RHN Parent [spacewalk02.company.com]:
    CA Chain [/usr/share/rhn/RHNS-CA-CERT]: /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    Error: File /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT is not readable by nobody user.

Forgive me for all the noob questions; I'm still learning how all this stuff fits together. The documentation on the SSL setup is a bit thin...
Re: [Spacewalk-list] osad not working with Spacewalk proxy server
server.pem and RHN-ORG-TRUSTED-SSL-CERT are two different things. server.pem is for jabberd. The CN in server.pem should be your Spacewalk proxy's FQDN. RHN-ORG-TRUSTED-SSL-CERT should be identical to your non-proxied clients' (at least it is in our environment). Double check that the id fields in /etc/jabberd/c2s.xml match the CN in server.pem. You can check the CN in server.pem by running:

    openssl x509 -noout -text -in /etc/jabberd/server.pem

On 2012-02-17 2:48 PM, Sean Carolan scaro...@gmail.com wrote:
> How is /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT supposed to be created on the proxy machine? On most of our normal client servers, we simply use wget to pull this file so that OSAD will work. But if the proxy server is supposed to have a different cert in this location, how does it get created? Here's what happens if I try to configure the proxy without this file in place:
>
> [...]
>
> Forgive me for all the noob questions; I'm still learning how all this stuff fits together. The documentation on the SSL setup is a bit thin...
Re: [Spacewalk-list] osad not working with Spacewalk proxy server
On Fri, Feb 17, 2012 at 2:11 PM, Wojtak, Greg (Superfly) gregwoj...@quickenloans.com wrote:
> server.pem and RHN-ORG-TRUSTED-SSL-CERT are two different things. server.pem is for jabberd. The CN in server.pem should be your Spacewalk proxy's FQDN. RHN-ORG-TRUSTED-SSL-CERT should be identical to your non-proxied clients' (at least it is in our environment). Double check that the id fields in /etc/jabberd/c2s.xml match the CN in server.pem. You can check the CN in server.pem by running:
>
>     openssl x509 -noout -text -in /etc/jabberd/server.pem

w00t - I got it working! The fix, in case anyone runs into something similar:

1. Stop the rhn-proxy services
2. Wipe clean the contents of /root/ssl-build on the proxy server
3. Remove all spacewalk-proxy* packages from the system
4. Delete /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT on the proxy server if it still exists
5. Reinstall the proxy server: yum install spacewalk-proxy-installer
6. Run configure-proxy.sh. It will fail the first time, asking you to scp your cert, key and config file over like so:

       scp 'r...@spacewalk02.company.com:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' /root/ssl-build

7. Run configure-proxy.sh again; this time it will complete and ask you for your SSL passphrase. Once this completes successfully it should work!
8. Test a client by registering it with the proxy, and then starting up osad. It should start showing up with "Online as of $DATE" in the GUI.

I believe #6 and #7 is where I was failing the first few tries. There were multiple certs in the /root/ssl-build directory, and I had forgotten the SSL cert passphrase. Fortunately I managed to get rid of the unnecessary certs and dig up the passphrase for the real certificate. Thanks Greg and Jeremy for the helpful suggestions.
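The two checks Greg recommends (is the jabberd server.pem signed by the CA the clients trust, and does its CN name the proxy's FQDN) are what separate the "certificate verify failed" handshake error at the top of this thread from the wrong-name problem Sean found in his regenerated cert. The script below is an added example, not code from the thread or from Spacewalk: it builds a throwaway CA standing in for RHN-ORG-TRUSTED-SSL-CERT, issues one cert with the proxy's name and one with the upstream server's name (the mistake Sean hit), adds a self-signed cert no client CA trusts, and runs both checks against each. All hostnames are constructed placeholders; it needs only the openssl command line.

```shell
#!/bin/sh
# Added example: reproduce Greg's two server.pem checks against constructed
# certificates. Hostnames are placeholders, not the thread's real ones.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PROXY_FQDN="spacewalkproxy01.example.test"   # constructed: the proxy's FQDN
PARENT_FQDN="spacewalk02.example.test"       # constructed: the RHN_PARENT name
CA="$WORK/RHN-ORG-TRUSTED-SSL-CERT"          # plays the role of the org CA cert

# Private CA: this is what clients would download as RHN-ORG-TRUSTED-SSL-CERT.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Org CA" \
    -keyout "$WORK/ca.key" -out "$CA" 2>/dev/null

# issue_cert <cn> <out.pem>: key + CSR + CA-signed certificate for <cn>.
issue_cert() {
    cn=$1; out=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$cn.csr" -CA "$CA" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -out "$out" 2>/dev/null
}

# cert_cn <pem>: print the CN from the certificate's subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_jabber_cert <ca> <server.pem> <expected_fqdn>
# Returns 0 only when the chain verifies against <ca> AND the CN equals the
# FQDN the clients connect to; prints which of the two checks failed otherwise.
check_jabber_cert() {
    ca=$1; pem=$2; want=$3
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 \
        || { echo "chain: $pem does not verify against $ca (clients get 'certificate verify failed')"; return 1; }
    got=$(cert_cn "$pem")
    [ "$got" = "$want" ] \
        || { echo "name: CN '$got' in $pem does not match expected '$want'"; return 1; }
    echo "ok: $pem is trusted by $ca and names $want"
}

issue_cert "$PROXY_FQDN"  "$WORK/good.pem"        # correct: CN is the proxy
issue_cert "$PARENT_FQDN" "$WORK/wrong-name.pem"  # Sean's case: CN is RHN_PARENT
# Self-signed with the right name but no trusted issuer: the handshake failure case.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$PROXY_FQDN" \
    -keyout "$WORK/untrusted.key" -out "$WORK/untrusted.pem" 2>/dev/null

check_jabber_cert "$CA" "$WORK/good.pem"       "$PROXY_FQDN"
check_jabber_cert "$CA" "$WORK/wrong-name.pem" "$PROXY_FQDN" || true
check_jabber_cert "$CA" "$WORK/untrusted.pem"  "$PROXY_FQDN" || true
```

On a real proxy you would point check_jabber_cert at the RHN-ORG-TRUSTED-SSL-CERT the clients downloaded, /etc/jabberd/server.pem, and the proxy name from the client's /etc/sysconfig/rhn/up2date; a "chain:" failure means the server.pem was not issued by the CA the clients trust, while a "name:" failure is the wrong-CN condition this thread ended with.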
[Spacewalk-list] osad not working with Spacewalk proxy server
Maybe one of you has already solved this in the past. We have a master Spacewalk server which is working just fine. All clients are able to contact the jabber server and receive push updates, etc. Our proxy server is registered with the master server and is also working ok for the most part. New clients can register and they are showing up in the GUI. So far so good.

The problem we're having is that none of the clients who are pointed at the proxy server can use osad. When we try to start osad on these machines we get this error:

    Traceback caught:
    Traceback (most recent call last):
      File "/usr/share/rhn/osad/jabber_lib.py", line 610, in connect
        ssl.do_handshake()
    Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
    [FAILED]

I've googled, scoured through the documentation, and tried fiddling with various settings but nothing seems to work. The dates on all three machines (master, proxy, and client) are all set correctly, and all using GMT. Is the proxy server supposed to have a different SSL cert for jabber communication?