Hi Daryl,

strange....

Does the RHN file contain only the certificate of the "root" CA or does it also contain some intermediate certs? If you're using a cert chain, did you set the chain file in Apache?

Could you please show the output of the working run? With --cafile and --capath none?

Regards
Robert

On 09.09.2015 20:56, Daryl Rose <[email protected]> wrote:
>
> Robert,
>
> Thank you very much for this test.
>
> When I run the test with --cacert and --capath, the certificate works just
> fine. However, it fails when I run the test without --cacert and --capath.
>
> * About to connect() to <FQDN SW Server> port 443 (#0)
> *   Trying 10.255.2.7... connected
> * Connected to <FQDN SW Server> (IP Address) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs/
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> * Closing connection #0
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> You said that if it works the first time, but fails the second time, then
> something went wrong with c_rehash. How do I troubleshoot c_rehash?
>
> Thank you.
>
> Daryl
>
> ________________________________________
> From: [email protected] <[email protected]>
> on behalf of Robert Paschedag <[email protected]>
> Sent: Wednesday, September 9, 2015 11:25 AM
> To: [email protected]
> Subject: Re: [Spacewalk-list] How to use a signed certificate?
>
> Hi Daryl,
>
> looks good. But try the following.
>
> Put a testfile on the spacewalk "pub" folder...normally "/srv/www/html/pub"
>
> Then try to manually grab the file with "curl", only using "your" CA file
>
> curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none https://<yourserver>/pub/<testfile>
>
> If this works, try the same without setting "--cacert and --capath". If this
> does NOT work, something went wrong running "c_rehash".
>
> If both do NOT work, then maybe the apache server is not "deploying" the
> complete certificate chain. Look for apache's "SSLCertificateChainFile"
> in /etc/http/conf.d/ssl.conf
>
> Regards,
> Robert
>
>
> On 09.09.2015 at 15:12, Daryl Rose wrote:
> > Avi,
> >
> > Here are the steps for registering SLES from the Spacewalk documentation:
> >
> > https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE
> >
> > However, the steps are not completely accurate for SLES 11 SP3. A few
> > changes need to be made.
> >
> > 1. Changes to the spacewalk-tools URL.
> >    zypper ar -f http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/ spacewalk-tools
> >
> > 2. Step two applies to SLES 12, not to SLES 11. (I learned about that
> >    from this forum). These are the modified steps:
> >    a. wget http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
> >    b. cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
> >    c. c_rehash /etc/ssl/certs/
> >
> > After running the c_rehash, I get the following:
> >
> > lrwxrwxrwx 1 root root 28 Sep  9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem
> >
> > I'm assuming that this is what I should see.
> >
> > These are the same steps that I used in my testing. Is there something
> > wrong with the cert?
> >
> > Thanks
> >
> > Daryl
> >
> > ________________________________________
> > From: [email protected] <[email protected]>
> > on behalf of Avi Miller <[email protected]>
> > Sent: Tuesday, September 8, 2015 3:39 PM
> > To: [email protected]
> > Subject: Re: [Spacewalk-list] How to use a signed certificate?
> >
> > Hey Daryl,
> >
> >> On 9 Sep 2015, at 6:06 am, Daryl Rose <[email protected]> wrote:
> >>
> >> I decided to move my SW environment into production, so I stood up a brand
> >> new SW server and redid the signed certificate according to your
> >> documentation. Everything works fine with the RHEL servers that I've
> >> attached, but I'm having certificate issues with SLES.
> >
> > I don't think we ever tested this with SLES/OpenSUSE as that's not covered
> > under standard Oracle support. I've not even looked into how you register a
> > SLES system to Spacewalk, so I can't comment on how that process would need
> > to be updated for a 3rd-party certificate.
> >
> > However, this seems like a verification issue, so I would double-check that
> > you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that
> > it has the entire CA chain contained. Otherwise, the client would not be
> > able to verify the certificate provided by the server.
> >
> > Can you point me towards the appropriate documentation that outlines the
> > SLES registration process to Spacewalk so I can review?
> >
> > Thanks,
> > Avi
> >
> > --
> > Oracle <http://www.oracle.com>
> > Avi Miller | Product Management Director | +61 (3) 8616 3496
> > Oracle Linux and Virtualization
> > 417 St Kilda Road, Melbourne, Victoria 3004 Australia
> >
> >
> > _______________________________________________
> > Spacewalk-list mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/spacewalk-list
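The three checks Robert and Avi point at (does the RHN file hold only the root or a whole chain, did c_rehash actually create a hash link for it in the CApath directory, does the server certificate chain to that CA) as an added shell example; this is not code from the thread or from Spacewalk, the file paths are arguments, and the certificates used in testing are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: sanity checks for a CA file dropped
# into a CApath directory such as /etc/ssl/certs, plus a chain check.

# pem_cert_count FILE: number of certificates in a PEM bundle. 1 means the
# file carries only the root (or only one link of the chain).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# check_capath_link CERT_FILE CAPATH_DIR: succeed (and print the link) if a
# <subject-hash>.N symlink in CAPATH_DIR resolves to CERT_FILE, which is what
# c_rehash creates. Both hash styles are tried because OpenSSL 0.9.8 (SLES 11)
# and OpenSSL 1.x derive the link name differently.
check_capath_link() {
    cert="$1"; dir="$2"
    hashes=$(openssl x509 -noout -subject_hash -in "$cert") || return 2
    old=$(openssl x509 -noout -subject_hash_old -in "$cert" 2>/dev/null) && hashes="$hashes $old"
    for h in $hashes; do
        for link in "$dir/$h".[0-9]*; do
            [ -L "$link" ] || continue
            if [ "$(readlink -f "$link")" = "$(readlink -f "$cert")" ]; then
                echo "$link"
                return 0
            fi
        done
    done
    echo "no hash link for $cert in $dir; re-run: c_rehash $dir" >&2
    return 1
}

# verify_chain CA_FILE LEAF_CERT [INTERMEDIATES]: succeed when LEAF_CERT chains
# to CA_FILE. Intermediates that Apache should send via SSLCertificateChainFile
# are passed as -untrusted; if verification only passes with them supplied
# here, the server side is the piece that is missing them.
verify_chain() {
    ca="$1"; leaf="$2"; inter="$3"
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$ca" -untrusted "$inter" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
    fi
}
```

Run `pem_cert_count` on the RHN file first; a count of 1 with a CA that uses intermediates means the client can never complete the chain, whatever c_rehash did.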
