Sam,

That resolved my issue. Once I blew away the ssl-build directory, I was able to successfully run the configure-proxy.sh script and then I was able to successfully register a server that was in the dmz.

Thank you for your assistance.

Daryl

________________________________
From: [email protected] <[email protected]> on behalf of Sam Sen <[email protected]>
Sent: Thursday, May 5, 2016 12:50 PM
To: [email protected]
Subject: Re: [Spacewalk-list] [EXT] Issues with proxy and certificates

Nice. I came across a few RH pages but I couldn’t read them because we don’t have an RHN account. Let me know if that fixed it for you. I don’t recall the exact issues I was facing but --force-own-ca definitely helped.

On May 5, 2016, at 1:26 PM, Daryl Rose <[email protected]> wrote:

I finally found on the Red Hat site a resolution. You have to have a RHN account to read the entire posting.

https://access.redhat.com/solutions/60004

Basically, in order to use the --force-own-ca, I had to remove the ./ssl-build directory:

Resolution

* Make sure that you are passing the correct CA password.
* While using --force-own-ca option for installing RHN proxy, the /root/ssl-build directory should not be present.

Every time that I ran the configure-proxy.sh script, it was looking for the ssl-build directory and using whatever I had in that directory. I removed the directory, and the script ran with no issues.

Now to see if the certificate works.

Daryl

________________________________
From: [email protected] <[email protected]> on behalf of Daryl Rose <[email protected]>
Sent: Thursday, May 5, 2016 10:19 AM
To: [email protected]
Subject: Re: [Spacewalk-list] [EXT] Issues with proxy and certificates

Sam,

Unfortunately, this did not resolve my issue.
I still get the exact same error:

    ERROR: can't find a file that should have been created during an earlier step: /root/ssl-build/rhn-ca-openssl.cnf

I tried the --force-own-ca option on the command line, as well as "FORCE_OWN_CA" in an answers file.

Any other suggestions?

Thank you.

Daryl

________________________________
From: [email protected] <[email protected]> on behalf of Sam Sen <[email protected]>
Sent: Thursday, May 5, 2016 9:20 AM
To: [email protected]
Subject: Re: [Spacewalk-list] [EXT] Issues with proxy and certificates

Yeah I never understood why you would need to sign the CA against the parent server. I spent days trying to get it to work but luckily I found the thread I pasted in the previous email. It’s been working real well so I’m assuming all is well.

On May 5, 2016, at 10:16 AM, Daryl Rose <[email protected]> wrote:

Sam,

I saw that option in the help, but didn't understand what it meant. I'll give that a try.

Thank you very much for the reply and the help.

Daryl

________________________________
From: [email protected] <[email protected]> on behalf of Sam Sen <[email protected]>
Sent: Thursday, May 5, 2016 8:15 AM
To: [email protected]
Subject: Re: [Spacewalk-list] [EXT] Issues with proxy and certificates

I ran into a similar issue. I ended up using the “--force-own-ca” flag.

https://www.redhat.com/archives/spacewalk-list/2011-December/msg00147.html

On May 5, 2016, at 8:53 AM, Daryl Rose <[email protected]> wrote:

I am trying to stand up a proxy server. However, I am having issues with the certificate. I am using a CA signed certificate on the primary SW server. Proxy installation prompts me to copy over three certificate items from the primary SW server.

    [root@ ssl-build]# configure-proxy.sh
    Using RHN parent (from /etc/sysconfig/rhn/up2date): <spacewalk server>
    Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    Please do copy your CA key and public certificate from <spacewalk server> to /root/ssl-build directory. You may want to execute this command:
     scp 'root@<spacewalk server>:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' /root/ssl-build

I have RHN-ORG-PRIVATE-SSL-KEY and RHN-ORG-TRUSTED-SSL-CERT, but I don't have a rhn-ca-openssl.cnf file. If I try to install without that file I get the following error:

    ERROR: can't find a file that should have been created during an earlier step: /root/ssl-build/rhn-ca-openssl.cnf

So, I tried creating one using the rhn-ssl-tool command:

    rhn-ssl-tool --gen-ca --password=MY_CA_PASSWORD --dir="/root/ssl-build" \
        --set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." \
        --set-org-unit="SSL CA Unit"

However, this did not work. I get the following error:

    ERROR: web server's SSL certificate generation/signing failed:
    Using configuration from /root/ssl-build/rhn-ca-openssl.cnf
    CA certificate and CA private key do not match
    139757325297480:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:

Any way to get around this error? Can I create the rhn-ca-openssl.cnf file from the existing cert?

Thank you.

Daryl

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
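
A pre-flight check for the two failure modes in this thread (a missing or mismatched file under ssl-build, and a leftover ssl-build directory when --force-own-ca is used), as an added example that is not part of the original messages or of Spacewalk. The file names are the ones quoted in the thread; the function names and the two mode names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks on the ssl-build directory before running
# configure-proxy.sh. File names are the ones quoted in the thread; the
# function names and the two mode names are hypothetical.

# Returns 0 when the certificate's public key equals the one derived from the
# private key, 1 when they differ, 2 when either file cannot be parsed.
# Export CA_PASSWORD first if the key is passphrase-protected.
ca_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout \
        ${CA_PASSWORD:+-passin env:CA_PASSWORD} 2>/dev/null </dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# ssl_build_preflight DIR MODE
#   copy-ca       the CA files were copied from the parent server into DIR
#   force-own-ca  configure-proxy.sh will be run with --force-own-ca
ssl_build_preflight() {
    dir=$1 mode=$2
    case $mode in
    force-own-ca)
        # The resolution quoted in the thread: DIR must not be present.
        if [ -e "$dir" ]; then
            echo "FAIL: $dir exists; its contents would be reused"; return 1
        fi ;;
    copy-ca)
        for f in RHN-ORG-PRIVATE-SSL-KEY RHN-ORG-TRUSTED-SSL-CERT rhn-ca-openssl.cnf; do
            [ -f "$dir/$f" ] || { echo "FAIL: missing $dir/$f"; return 1; }
        done
        ca_pair_matches "$dir/RHN-ORG-TRUSTED-SSL-CERT" \
            "$dir/RHN-ORG-PRIVATE-SSL-KEY" ||
            { echo "FAIL: CA certificate and key do not match or cannot be parsed"; return 1; }
        ;;
    *) echo "usage: ssl_build_preflight DIR copy-ca|force-own-ca"; return 2 ;;
    esac
    echo "OK: $dir ready for $mode"
}
```
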
