I ran dos2unix. I got the cert in pem format from the get go.......it just had the cert, private key, and chain all in a single file.
All the verifications came out as expected, including your example one.

Wednesday 07 June 2017 18:36:34 Wilkinson, Matthew wrote:
> Couple other things: I had to run dos2unix on my root certs to remove
> windows carriage returns. I also had to use openssl to convert my root cert
> chain to pem format. Then I just cat that into
> /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
>
> Then the key point of verifying was:
>
> # openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/<hostname>/server.crt
>
> Should come back as:
>
> /root/ssl-build/<hostname>/server.crt: OK
>
> --Matthew Wilkinson
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Eric
> Sent: Wednesday, June 07, 2017 13:21
> To: [email protected]
> Subject: Re: [Spacewalk-list] More Spacewalk 26 Certificate
> Problems....can't get 3rd party cert to work with osa-dispatcher and jabber
>
> [This is an external email. Be cautious with links, attachments and
> responses.]
>
> **********************************************************************
> Thanks for the reply.
>
> So, my question then is.........in the Redhat doc it has you do the jabber
> server.pem, but those directions specifically have you cat the key pair
> into one file.........by doing that the server.pem file will never match
> (md5sum) the server.pem file in the ssl-build directory....which the
> trouble shooting guide says it must.
>
> My other question is........just how does Spacewalk expect the certs? If I
> download the default, I get the cert, the private key, and the root chain
> in one single .pem file. The docs all assume that you have just a cert
> file and a concatenated CA chain file. I have pulled the actual
> certificate portion out of the single file (without the private key and
> without the root chain) and saved it as server.crt in the ssl-build
> directory.
>
> I have pulled all the CA certs out and saved them as the
> RHN-ORG-TRUSTED-SSL-CERT file.
>
> I have not done anything with the private key file portion, as there is
> nothing in the docs regarding that.
>
> Am I doing something wrong with this? All the checks and validations show
> ok, and the web UI works just fine, with the web page showing the expected
> cert when I look at the security options.
>
> The ssl builds all work, the rpm's are created, everything deploys ok, I've
> copied it to clients......every single thing works........except
> osa-dispatcher.
>
> I just cannot wrap my mind about this:
>
> Redhat install directions:
>
> # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
> # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
> # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
>
> Redhat knowledge base article troubleshooting my EXACT error message
> (https://access.redhat.com/solutions/24937):
>
> # md5sum /root/ssl-build/<hostname>/server.pem
> # md5sum /etc/pki/spacewalk/jabberd/server.pem /etc/jabberd/server.pem
>
> If you follow the install directions, those server.pem files will never have
> a matching md5sum.
>
> On Wednesday 07 June 2017 17:46:06 Wilkinson, Matthew wrote:
> > You DO have to build a new server.pem and put it in place for Jabber.
> >
> > --Matthew Wilkinson
> >
> >
> > -----Original Message-----
> > From: Wilkinson, Matthew
> > Sent: Wednesday, June 07, 2017 12:45
> > To: [email protected]
> > Subject: RE: [Spacewalk-list] More Spacewalk 26 Certificate
> > Problems....can't get 3rd party cert to work with osa-dispatcher and
> > jabber
> >
> > I did this recently on my SW 2.6 server. You should follow Red Hat's
> > documentation on using signed SSL certs. Don't use Oracle's documentation.
> >
> > I used these two websites and figured out how to get it working. Once you
> > get the server SSL working you have to redistribute the spacewalk cert to
> > all of the clients.
> >
> > https://access.redhat.com/solutions/10809
> >
> > https://access.redhat.com/solutions/15753
> >
> >
> > --Matthew Wilkinson
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Eric
> > Sent: Wednesday, June 07, 2017 11:59
> > To: [email protected]
> > Subject: [Spacewalk-list] More Spacewalk 26 Certificate Problems....can't
> > get 3rd party cert to work with osa-dispatcher and jabber
> >
> > I've really beat myself into the ground with this for 3 days now and am
> > stumped.
> >
> > Situation: I've been running two Spacewalk servers for a while now,
> > brought them from 2.4 to 2.6.
> >
> > I've just built a new one to move everything to, running 2.6. Vanilla
> > build, tested and working, bootstrapped clients, pushed configurations,
> > osad and osa-dispatcher running fine. This is a clean 2.6 install, not
> > an upgrade.
> >
> > Company policy recently changed and no more self-signed certs allowed.
> >
> > Got my new certs. There are multiple conflicting documents on doing this.
> > Like serious discrepancies. Some have you replace/change the jabber
> > server.pem files, and some don't address it at all.
> >
> > I primarily used these two docs to perform the install (I could not find a
> > 2.6 specific doc):
> >
> > Oracle doc for 2.2
> > https://docs.oracle.com/cd/E37670_01/E64575/html/swk22-replace-cert.html
> >
> > Redhat Doc (Dated April 2017, for Satellite 5.4 and later -> should cover
> > 2.6)
> >
> > https://access.redhat.com/solutions/15753
> >
> >
> > The Oracle doc and most of the other docs do not address the server.pem
> > file for Jabber at all, just has you clear the jabber db and restart.
> >
> > The Redhat doc says this:
> >
> > # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
> > # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
> > # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
> >
> >
> > So now that we have the background....I'm getting a TLS error on start up:
> >
> > Starting osa-dispatcher: Spacewalk 14899 2017/06/07 09:37:27 -07:00: ('Server does not support TLS - <starttls /> not in <features /> stanza',)
> >
> > Searching this list, and googling leads me to this Red Hat document:
> >
> > https://access.redhat.com/solutions/24937
> >
> >
> > Now, that document clearly says that the MD5sums for all of the jabber
> > server.pem files should match........but if you follow the directions in
> > the Redhat guide for setting it up...they cannot match. I've tried it
> > both ways.....same error.
> >
> > I've gone through all the other troubleshooting, the CN matches FQDN and
> > all that.
> >
> >
> > Everything but osa-dispatcher seems to work, the Web UI, I can bootstrap
> > clients, I can run a remote command.....but because osad on the clients
> > can't connect, I have to run "rhn_check" to get it to pick up the jobs.
> >
> > I really hope somebody has some suggestions here.
> >
> > Also, when I pick up my certificate, I have the following download
> > options.....the cert, the cert WITH private key, the cert WITH CA Chain,
> > or the cert WITH private key and CA Chain.
> >
> > Now, I took the last, and split them all up into separate files...the crt,
> > key, and root chain so my install could match the directions... Excepting
> > dealing with Jabber, most of the docs are pretty similar. Nothing in any
> > docs anywhere addresses what I do with the private key.
> >
> > I have cleaned up the server, and reinstalled 2.6 to a pristine state 4 or
> > 5 times now and tried various different variations, all with the same
> > result.
> >
> > I know I'm doing something wrong and I'm sure it's regarding the jabber
> > pem files, but I can NOT figure it out.
> >
> > _______________________________________________
> > Spacewalk-list mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/spacewalk-list

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
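
Added example (not from the thread, Red Hat, or the Spacewalk project): shell functions that split a combined PEM download into the files named in the thread, assemble a jabberd `server.pem` in the key-then-certificate order of the quoted Red Hat directions, and check that copies are byte-identical and that the key belongs to the certificate. It assumes the server certificate is the first certificate in the bundle and that `openssl` is installed; the function names are hypothetical.

```bash
# Added example; function names are hypothetical, file names follow the thread.

# split_bundle BUNDLE OUTDIR
# Writes server.key, server.crt (first certificate) and
# RHN-ORG-TRUSTED-SSL-CERT (all later certificates) into OUTDIR.
# Assumption: the server certificate is the first certificate in BUNDLE.
split_bundle() {
  awk -v dir="$2" '
    /^-----BEGIN .*PRIVATE KEY-----/ { out = dir "/server.key" }
    /^-----BEGIN CERTIFICATE-----/ {
      n++
      out = dir "/" (n == 1 ? "server.crt" : "RHN-ORG-TRUSTED-SSL-CERT")
    }
    out != "" { sub(/\r$/, ""); print > out }  # strips Windows CRs as well
    /^-----END / { out = "" }
  ' "$1"
}

# build_jabber_pem KEY CRT OUT
# Private key first, then certificate: the order produced by the cp/cat
# commands quoted from the Red Hat directions.
build_jabber_pem() {
  cat "$1" "$2" > "$3"
}

# same_content FILE...
# Succeeds only if every file is byte-identical to the first one, which is
# what comparing md5sum output across the server.pem copies establishes.
same_content() {
  first="$1"; shift
  for f in "$@"; do
    cmp -s "$first" "$f" || return 1
  done
}

# key_matches_cert KEY CRT
# Succeeds only if the private key and the certificate carry the same
# public key. Fails if either file cannot be parsed.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Source the file, then for example run `split_bundle bundle.pem /root/ssl-build/<hostname>` followed by `key_matches_cert` on the resulting `server.key` and `server.crt` before installing anything.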
