I have just found the issue: the firewall had an SSL interception service running, so when downloading and comparing, the certificate was fine, but the certificate implemented by the firewall was totally different.
Thanks for your help

> On 27 Apr 2016, at 3:13 PM, [email protected] wrote:
>
> YES there needs to be a reverse DNS lookup entry for SSL certificate
> validation, that is clearly stated in the RFCs for SSL and TLS.
> SSL first looks up the host, then does a reverse lookup to ensure the
> hostname isn't being spoofed in the DNS.
> SSL certs will never validate correctly unless there is a forward and reverse
> lookup record and they both match, or there is a cname for the host that
> points to a different hostname with matching forward and reverse lookup
> records.
>
> Original Message
> From: Johannes Raff
> Sent: Wednesday, April 27, 2016 03:58
> To: [email protected]
> Reply To: [email protected]
> Subject: Re: [Spacewalk-list] Spacewalk Kickstart ISO Certificate invalid
>
> This kickstart is not done in a local spacewalk network but from our Lab,
> which has only a NATed Internet connection and reaches the spacewalk through
> the internet, so it shares the firewall's external IP with another Spacewalk
> client and yes, there is no PXE possibility.
>
> The DHCP (no PXE) in this network should be fine, since the kickstart was
> able to connect to the spacewalk and download the KS file as well as all
> packages.
>
> For the reverse Lookup, it’s correct, there is no reverse lookup entry for
> the IP, but it never existed and the kickstart from the ISO worked. Does
> there have to be a reverse entry? I can’t see the IP in the certificate, only
> the FQDN. The certificate has never been updated / resigned.
>
> Many thanks
> Johannes
>
>> On 27 Apr 2016, at 2:43 AM, [email protected] wrote:
>>
>> Correction
>>
>> Original Message
>> From: [email protected]
>> Sent: Tuesday, April 26, 2016 20:37
>> To: Johannes Raff; [email protected]
>> Subject: Re: [Spacewalk-list] Spacewalk Kickstart ISO Certificate invalid
>>
>> Sounds like something changed in your network.
>> If PXE/dhcp works I would compare what the DNS settings are.
>> I assume that if you are booting off of a CD it's because DHCP isn't
>> available or it's going to a different DHCP server that doesn't offer PXE.
>> I would suspect that there is a reverse lookup issue.
>>
>> Example
>> Original
>> Spacewalk.mycompany.com A 192.168.1.25
>> 25.1.168.192 A spacewalk.mycompany.com
>> New version
>> Servera25.mycompany.com A 192.168.1.25
>> 25.1.168.192 A servera2d.mycompany.com
>> Spacewalk.mycompany.com Cname servera25
>>
>> Assuming the local DNS has the cname in the new config should be fine, the
>> original config should be fine too, but if you mix and match the forward A
>> record from the original with the reverse lookup record from the new version
>> the SSL cert will not verify correctly.
>>
>> Original Message
>> From: Johannes Raff
>> Sent: Tuesday, April 26, 2016 17:59
>> To: [email protected]
>> Reply To: [email protected]
>> Subject: [Spacewalk-list] Spacewalk Kickstart ISO Certificate invalid
>>
>> Hi,
>>
>> we are running Spacewalk 2.4 on CentOS 6.6 with three Organisations. The
>> setup has been started on version 2.0 and has always been updated. So far we
>> had no problems but suddenly the kickstarting through a cobbler iso doesn’t
>> work anymore.
>>
>> We restarted Spacewalk, executed cobbler sync and cobbler buildiso. After
>> that, booting from the ISO, I can select the profile and the setup starts.
>> After the setup, the machine comes up but is not registered with the
>> Organisation in spacewalk. After reading through the logs, I find that the
>> /var/log/up2date log shows an invalid certificate error. If I start the
>> run_register manually and using https, I can not move over the connection
>> information. If I use rhnreg_ks, I have the Certificate error again.
>>
>> If I switch to http: I can input the username and password, in the last step
>> I get the error 70 though which says that the profile has no free
>> allocations, which is not correct. I have verified the certificate, it is
>> the right certificate (same md5) as on the server or an existing host, it
>> has the correct hostname in the cert and in the kickstart file and the name
>> resolution works well and it is valid.
>>
>> If I boot a machine in the DHCP connected network, I get the profiles from
>> PXE and after selecting the correct profile, the setup and registration
>> works without an issue.
>>
>> This behaviour has appeared just recently, not straight after an upgrade of
>> spacewalk. The Centos patches have been updated recently.
>>
>> Has anyone had a similar issue like this or could someone recommend next
>> steps?
>>
>> Many Thanks
>> Johannes
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
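
The check that separates "the certificate file is the right one" from "the certificate on the wire is the right one", which is the distinction the resolution at the top of this thread turned on, as an added example that is not part of the original messages. It assumes the expected file is the server's own certificate in PEM form; the function names are hypothetical and the two sample certificates are constructed placeholder bytes, not real certificates.

```python
import hashlib
import ssl


def der_fingerprint(pem: str) -> str:
    """SHA-256 over the decoded DER bytes, so PEM line wrapping or CRLF
    line endings do not change the result (a hash of the file would)."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def presented_cert(host: str, port: int = 443) -> str:
    """PEM of whatever certificate answers on the wire from this network.
    No chain validation is done; the point is to see what is presented."""
    return ssl.get_server_certificate((host, port))


def compare(expected_pem: str, presented_pem: str) -> dict:
    """Compare the certificate on disk with the one seen on the wire."""
    expected = der_fingerprint(expected_pem)
    presented = der_fingerprint(presented_pem)
    return {
        "expected": expected,
        "presented": presented,
        "match": expected == presented,
    }


# Constructed stand-ins: placeholder bytes in PEM armour, not real certificates.
EXPECTED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: certificate exported on the server")
REISSUED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: certificate re-issued by a middlebox")

if __name__ == "__main__":
    # Same certificate copied to another host with CRLF line endings: still a match.
    print(compare(EXPECTED_PEM, EXPECTED_PEM.replace("\n", "\r\n"))["match"])
    # Different certificate presented in the path: mismatch.
    print(compare(EXPECTED_PEM, REISSUED_PEM)["match"])
```

On an affected client, pass the contents of the expected certificate file and the output of `presented_cert()` for the server's FQDN to `compare()`, run from the same network the kickstart uses; a mismatch there while the files agree points at something in the path re-issuing the certificate.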
