Hello all.

I finally found some instruction on how to recreate the certificate and it 
seems to work.  I fixed the server name in the certification and I am 
successfully patching my SLES 11 SP 3 client.

Thank you

Daryl
 

________________________________________
From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com> on 
behalf of Daryl Rose <darylr...@outlook.com>
Sent: Friday, August 14, 2015 8:20 AM
To: spacewalk-list@redhat.com
Subject: Re: [Spacewalk-list] Getting SSL to work on SLES 11

I have a follow up comment.

According to the Red Hat documentation, I should be able to recreate the 
certification using the "spacewalk-hostname-rename", but that command is not on 
my system.  I ran a YUM list to see if I could install it, but nothing was 
available.

Is there another option to recreate the certificate?

Thanks

Daryl

________________________________________
From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com> on 
behalf of Daryl Rose <darylr...@outlook.com>
Sent: Friday, August 14, 2015 7:55 AM
To: spacewalk-list@redhat.com
Subject: Re: [Spacewalk-list] Getting SSL to work on SLES 11

Sebastian,

Thank you for this information, but I'm still having problems.

I suspect that the issue is with the certification.

The self signed certification that is created when I stand up the SW server 
does not contain the FQDN of the SW server.  It contains just the server name.

When I attempt to retrieve updates from the server, I get an error complaining 
that the serverURL in the up2date file does not match the SW name in the 
certificate.  RHEL allows me to change the serverURL to just the SW name.  It 
doesn't seem to care if I use FQDN or not.  Whereas SLES requires FQDN in the 
certificate.

Last week I thought that I would try and recreate the certificate on my SW 
server, but I'm not very knowledgeable with certificates, and I just made things 
worse.  I did ask for assistance on this list, but I got the certification to a 
point where I found it easier just to rebuild the entire SW server, which I did.

I rebuilt the server, which recreated the self signed cert.  But, I'm in the 
same position.  The certification only contains the name of the SW server, not 
the FQDN.  And again, SLES refuses to work with that cert.

This time I went to my internet team and requested an authentic signed company 
certification (a *.domain cert).  I put that in place of the SSL cert for 
Apache, and it works just fine.  However, I tried to use it for SW 
authentication, but I get an error about SSL certification verification.  Is it 
possible to use a signed certificate for SW authentication?  If not, how do I 
go about recreating the certification so it will include the FQDN of the SW 
server?

Thank you

Daryl Rose


________________________________________
From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com> on 
behalf of Sebastian Meyer <me...@b1-systems.de>
Sent: Wednesday, August 12, 2015 12:14 PM
To: spacewalk-list@redhat.com
Subject: Re: [Spacewalk-list] Getting SSL to work on SLES 11

Hi Daryl,

On 12.08.2015 18:30, Daryl Rose wrote:
>   *   ln -s /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT 
> /usr/share/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT.pem
>   *   update-ca-certificates

That step is for SLES12, not SLES11. For the latter you should use

> Anyway, I found a posting on this list from February of this year.  Bernd 
> Helber had similar problems that I'm having and Michael Calmer provided this 
> reply:
>
>
> Take care that the CA certificate is copied to /etc/ssl/certs/ with the suffix
> ".pem" and you run a "c_rehash /etc/ssl/certs/"
>
> E.g.:
> $> cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
>       /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
> $> c_rehash /etc/ssl/certs/
>

As for the next error, that might be a problem with the OpenSSL 0.9.8 on
the SLES Client:
http://sourceforge.net/p/curl/bugs/1037/?limit=10&page=3#c9b6

> This allowed me to get past the first error that I was receiving, but now I 
> have a different error.  I am now getting this error:
>
>
> <snip>
> Download (curl) error for 'https://<FQ SW 
> Server>/XMLRPC/GET-REQ/sles11sp3_channel/repodata/repomd.xml?head_requests=no':
> Error code: Unrecognized error
> Error message: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
>
> </snip>
>

Fully disabling SSLv3 on the Apache side might help. IIRC that's what
they do on SUSE Manager. If you don't have any SLES10 or EL4 clients
that should be okay. (Not sure about EL5)

There should be some file containing 'SSLProtocol all -SSLv2 ...' in the
apache/httpd config directory in /etc. If there's no '-SSLv3' in that
line, add it after the '-SSLv2' and restart/reload apache.

Best regards
Sebastian

--
Sebastian Meyer
Linux Consultant & Trainer

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
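
Added example, not part of the original thread or of Spacewalk: a small shell check for the SSLProtocol advice in Sebastian's reply. It lists every SSLProtocol directive under a configuration directory that still leaves SSLv3 enabled. The function names and the sample files are hypothetical, and "all" is assumed to include SSLv3, as it did on the Apache/OpenSSL builds of that time.

```shell
#!/bin/sh
# Added example: list SSLProtocol directives that still leave SSLv3 enabled.
# Assumption: "all" includes SSLv3, as on the Apache/OpenSSL builds of 2015.

sslv3_findings() {
    # $1 = Apache configuration directory (e.g. a copy of /etc/httpd or /etc/apache2)
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }                      # ignore commented-out lines
            tolower($1) == "sslprotocol" {
                v3 = 0                               # evaluate tokens left to right
                for (i = 2; i <= NF; i++) {
                    tok = tolower($i)
                    if (tok == "all" || tok == "+all" ||
                        tok == "sslv3" || tok == "+sslv3") v3 = 1
                    else if (tok == "-sslv3" || tok == "-all") v3 = 0
                }
                if (v3) { sub(/^[ \t]+/, ""); printf "%s:%d: %s\n", file, NR, $0 }
            }
        ' "$f"
    done
}

make_sample_conf() {
    # Constructed sample files, not taken from the thread.
    printf '%s\n' '# constructed sample' 'SSLProtocol all -SSLv2' > "$1/ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' '    SSLProtocol all -SSLv2 -SSLv3' \
        '</VirtualHost>' > "$1/vhost.conf"
}

demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir"
sslv3_findings "$demo_dir"     # reports only ssl.conf line 2
rm -rf "$demo_dir"
```

An empty result means no active SSLProtocol line under that directory enables SSLv3; each reported line is one to edit before reloading Apache.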
