On 2 November 2017 09:40:02 CET, Robert Paschedag <robert.pasche...@web.de> wrote:
>On 2 November 2017 08:47:00 CET, "Vipul Sharma (DevOps)" <sharma.vi...@in.g4s.com> wrote:
>>Hi,
>>
>>I imported the new keyfile downloaded from Red-Hat -
>>
>>*gpg: key FD431D51: public key "Red Hat, Inc. (release key 2) <secur...@redhat.com>" imported
>>gpg: Total number processed: 1
>>gpg: imported: 1 (RSA: 1)*
>>
>>But, If we run gpg --list-keys - It shows me 2 different versions of that,
>>What's that about, Any ideas?
>>
>>*pub 1024D/F24F1B08 2002-04-23 [expired: 2004-04-22]
>>uid Red Hat, Inc (Red Hat Network) <rhn-feedb...@redhat.com>
>>pub 4096R/FD431D51 2009-10-22
>>uid Red Hat, Inc. (release key 2) <secur...@redhat.com>*
>>
>>Also, I checked ca-bundle.crt, I found no chain for Red-Hat over there -
>>
>>Thanks
>>Vipul
>>
>>On Thu, Nov 2, 2017 at 12:58 PM, Robert Paschedag <robert.pasche...@web.de> wrote:
>>
>>> On 2 November 2017 08:24:10 CET, "Vipul Sharma (DevOps)" <sharma.vi...@in.g4s.com> wrote:
>>> >I have tested 2 different URLs -
>>> >
>>> >*This one was from your article -*
>>> >
>>> >curl -v https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>> >* About to connect() to cdn.redhat.com port 443 (#0)
>>> >* Trying 2.16.30.83...
>>> >* Connected to cdn.redhat.com (2.16.30.83) port 443 (#0)
>>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> >* CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>> > CApath: none
>>> >* Server certificate:
>>> >* subject: CN=cdn.redhat.com,OU=Red Hat Network,O=Red Hat,L=Raleigh,ST=North Carolina,C=US
>>> >* start date: May 14 19:48:02 2014 GMT
>>> >* expire date: May 11 19:48:02 2024 GMT
>>> >* common name: cdn.redhat.com
>>> >* issuer: E=ca-supp...@redhat.com,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
>>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>>> >* Peer's certificate issuer has been marked as not trusted by the user.
>>> >* Closing connection 0
>>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>>> >
>>> >-----------------------------------------------------------
>>> >
>>> >*This is from Google-Cloud - Pretty much the same result -*
>>> >
>>> >curl -v https://cds.rhel.updates.googlecloud.com/pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/os/repodata/repomd.xml
>>> >* About to connect() to cds.rhel.updates.googlecloud.com port 443 (#0)
>>> >* Trying 23.236.57.179...
>>> >* Connected to cds.rhel.updates.googlecloud.com (23.236.57.179) port 443 (#0)
>>> >* Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> >* CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>> > CApath: none
>>> >* Server certificate:
>>> >* subject: CN=cds.rhel.updates.googlecloud.com,OU=SomeOrgUnit,O=SomeOrg,ST=North Carolina,C=US
>>> >* start date: Sep 23 05:18:30 2017 GMT
>>> >* expire date: Sep 25 05:18:30 2037 GMT
>>> >* common name: cds.rhel.updates.googlecloud.com
>>> >* issuer: CN=RHUI Certificate Authority,OU=SomeOrgUnit,O=SomeOrg,L=Raleigh,ST=North Carolina,C=US
>>> >* *NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)*
>>> >* Peer's certificate issuer has been marked as not trusted by the user.
>>> >* Closing connection 0
>>> >curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
>>> >
>>> >Thanks
>>> >
>>> >On Thu, Nov 2, 2017 at 12:36 PM, Robert Paschedag <robert.pasche...@web.de> wrote:
>>> >
>>> >> On 2 November 2017 07:29:16 CET, "Vipul Sharma (DevOps)" <sharma.vi...@in.g4s.com> wrote:
>>> >> >In spacewalk, I had to manually create this file --> *file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release*, & then copy/pasted the
>>> >> >KEY from RHEL server to this location in Spacewalk server.
>>> >> >
>>> >> >Some Doubts :-
>>> >> >
>>> >> >Does this require importing this file ??
>>> >> >
>>> >> >I'm running spacewalk without CA certified certificate, Does that impact
>>> >> >the overall config for RHEL Repo in Spacewalk.
>>> >> >
>>> >> >Thanks
>>> >> >Vipul
>>> >> >
>>> >> >On Thu, Nov 2, 2017 at 11:49 AM, Robert Paschedag <robert.pasche...@web.de> wrote:
>>> >> >
>>> >> >> On 2 November 2017 05:13:12 CET, "Vipul Sharma (DevOps)" <sharma.vi...@in.g4s.com> wrote:
>>> >> >> >Hi Michael,
>>> >> >> >
>>> >> >> >We are using registered system through 'Google-Cloud' - I have copied
>>> >> >> >everything very carefully from RHEL.repo into spacewalk, Including all the
>>> >> >> >.cert & .pem files.
>>> >> >> >
>>> >> >> >Just unable to figure out what's wrong with it for the time being -
>>> >> >> >
>>> >> >> >Thanks
>>> >> >> >
>>> >> >> >On Wed, Nov 1, 2017 at 5:36 PM, Michael Mraka <michael.mr...@redhat.com> wrote:
>>> >> >> >
>>> >> >> >> Vipul Sharma (DevOps):
>>> >> >> >> > Hi Robert,
>>> >> >> >> >
>>> >> >> >> > I need your 'HELP' - I went according to your configuration for downloading
>>> >> >> >> > RHEL repos into 'Spacewalk' - But, I'm facing some issues while doing
>>> >> >> >> > that, Can you be humble enough to take a look into my issue --
>>> >> >> >> >
>>> >> >> >> > *This is the error -*
>>> >> >> >> >
>>> >> >> >> > 10:01:26 | Channel: rhel-base
>>> >> >> >> > 10:01:26 ======================================
>>> >> >> >> > 10:01:26 Sync of channel started.
>>> >> >> >> > 10:01:26 Repo URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>> >> >> >> > 10:01:27 ERROR: failure: repodata/repomd.xml from content_dist_rhel_server_7_7Server_x86_64_os: [Errno 256] No more mirrors to try.
>>> >> >> >> > *https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."*
>>> >> >> >> > 10:01:27 Sync of channel completed in 0:00:00.
>>> >> >> >> > 10:01:27 Total time: 0:00:00
>>> >> >> >> >
>>> >> >> >> > ---------------------------------------------
>>> >> >> >> >
>>> >> >> >> > My Spacewalk server is running unauthorized CA-CERT, Is this because of
>>> >> >> >> > that ?
>>> >> >> >>
>>> >> >> >> You need a proper Red Hat Subscription to be able to download Red Hat
>>> >> >> >> content from CDN.
>>> >> >> >>
>>> >> >> >> Regards,
>>> >> >> >>
>>> >> >> >> --
>>> >> >> >> Michael Mráka
>>> >> >> >> System Management Engineering, Red Hat
>>> >> >> >>
>>> >> >> >> _______________________________________________
>>> >> >> >> Spacewalk-list mailing list
>>> >> >> >> Spacewalk-list@redhat.com
>>> >> >> >> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>> >> >>
>>> >> >> For me, this sounds as one of the "signing" CA of RedHat's servers is not
>>> >> >> trusted by "you".
>>> >> >>
>>> >> >> Robert
>>> >> >>
>>> >>
>>> >> Please try to curl the URL.
>>> >>
>>> >> curl -vv -1 https://....
>>> >>
>>> >> See the same error?
>>> >>
>>> >> Robert
>>> >>
>>>
>>> You have to get the "issuer" certs from RedHat (download from web?) and
>>> add it to your trusted CA store
>>> Robert
>>>
>
>Not the gpg key is the problem right now.... The SSL chain cannot be built and verified.
>
>You have to get that fixed first.
>
>Robert

Maybe this helps

https://access.redhat.com/solutions/189533
https://de.ssl-tools.net/subjects/477571e8e2bee6b9c91352413ac776ab13d1957b

Robert
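
The "untrusted issuer" failure discussed in this thread, and the fix of adding the issuer's CA certificate to the trusted bundle, reproduced offline as an added example that is not part of the original messages. The CA subjects, the host name `repo.example.test` and all file names are constructed, and `openssl` is assumed to be installed; the curl in the thread uses NSS, while this demo uses OpenSSL's verifier to show the same chain-building check.

```shell
#!/bin/sh
# Added example: all subjects, host names and file names below are constructed.
set -eu

# Build a throwaway PKI in directory $1:
#   issuer.pem  CA that signs the server certificate (absent from the bundle at first)
#   other.pem   unrelated CA standing in for what the bundle already contains
#   server.pem  server certificate issued by issuer.pem
make_pki() {
    for ca in issuer other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Example Org/CN=Example $ca CA" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=repo.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 2 \
        -CA "$1/issuer.pem" -CAkey "$1/issuer.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# Exit status 0 only if a chain from certificate $2 to a CA in bundle $1 verifies.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "trusted" or "untrusted" for certificate $2 checked against bundle $1.
check() {
    if chain_verifies "$1" "$2"; then echo trusted; else echo untrusted; fi
}

demo() {
    d=$(mktemp -d)
    make_pki "$d"
    cp "$d/other.pem" "$d/ca-bundle.crt"        # bundle that lacks the issuer
    openssl x509 -noout -subject -issuer -in "$d/server.pem"
    echo "before adding issuer: $(check "$d/ca-bundle.crt" "$d/server.pem")"
    cat "$d/issuer.pem" >> "$d/ca-bundle.crt"   # add the issuer's CA certificate
    echo "after adding issuer:  $(check "$d/ca-bundle.crt" "$d/server.pem")"
    rm -rf "$d"
}
demo
```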