Robert,

Thank you very much for this test.

When I run the test with --cacert and --capath, the certificate works just fine. However, it fails when I run the test without --cacert and --capath.

* About to connect() to <FQDN SW Server> port 443 (#0)
* Trying 10.255.2.7... connected
* Connected to <FQDN SW Server> (IP Address) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

You said that if it works the first time, but fails the second time, then something went wrong with c_rehash. How do I troubleshoot c_rehash?

Thank you.

Daryl

________________________________________
From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com> on behalf of Robert Paschedag <robert.pasche...@web.de>
Sent: Wednesday, September 9, 2015 11:25 AM
To: spacewalk-list@redhat.com
Subject: Re: [Spacewalk-list] How to use a signed certificate?

Hi Daryl,

looks good. But try the following.

Put a testfile on the spacewalk "pub" folder...normally "/srv/www/html/pub"

Then try to manually grab the file with "curl", only using "your" CA file

curl -vvv -1 --cacert /etc/ssl/certs/RHN... --capath none https://<yourserver>/pub/<testfile>

If this works, try same without setting "--cacert and --capath". If this does NOT work, something went wrong running "c_rehash".

If both do NOT work, then maybe the apache server is not "deploying" the complete certificate chain.
Look for "apache"'s "SSLCertificateChainFile" in /etc/http/conf.d/ssl.conf

Regards,

Robert

On 09.09.2015 at 15:12, Daryl Rose wrote:
> Avi,
>
> Here are the steps for registering SLES from the Spacewalk documentation:
>
> https://fedorahosted.org/spacewalk/wiki/RegisteringClients#SUSE
>
> However, the steps are not completely accurate for SLES 11 SP3. A few
> changes need to be made.
>
> 1. Changes to the spacewalk-tools URL.
>    zypper ar -f http://download.opensuse.org/repositories/systemsmanagement:/spacewalk:/2.3/SLE_11_SP3/ spacewalk-tools
>
> 2. Step two applies to SLES 12, not to SLES 11. (I learned about that from
> this forum). These are the modified steps:
>    a. wget http://corp-spwalk-prod01.dtn.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
>    b. cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
>    c. c_rehash /etc/ssl/certs/
>
> After running the c_rehash, I get the following:
>
> lrwxrwxrwx 1 root root 28 Sep 9 08:05 dcfb5746.0 -> RHN-ORG-TRUSTED-SSL-CERT.pem
>
> I'm assuming that this is what I should see.
>
> These are the same steps that I used in my testing. Is there something wrong
> with the cert?
>
> Thanks
>
> Daryl
>
> ________________________________________
> From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com>
> on behalf of Avi Miller <avi.mil...@oracle.com>
> Sent: Tuesday, September 8, 2015 3:39 PM
> To: spacewalk-list@redhat.com
> Subject: Re: [Spacewalk-list] How to use a signed certificate?
>
> Hey Daryl,
>
>> On 9 Sep 2015, at 6:06 am, Daryl Rose <darylr...@outlook.com> wrote:
>>
>> I decided to move my SW environment into production, so I stood up a brand
>> new SW server and redid the signed certificate according to your
>> documentation. Everything works fine with the RHEL servers that I've
>> attached, but I'm having certificate issues with SLES.
>
> I don't think we ever tested this with SLES/OpenSUSE as that's not covered
> under standard Oracle support. I've not even looked into how you register a
> SLES system to Spacewalk, so I can't comment on how that process would need
> to be updated for a 3rd-party certificate.
>
> However, this seems like a verification issue, so I would double-check that
> you're using the correct CA certificate (RHN-ORG-TRUSTED-SSL-CERT) and that
> it has the entire CA chain contained. Otherwise, the client would not be able
> to verify the certificate provided by the server.
>
> Can you point me towards the appropriate documentation that outlines the SLES
> registration process to Spacewalk so I can review?
>
> Thanks,
> Avi
>
> --
> Oracle <http://www.oracle.com>
> Avi Miller | Product Management Director | +61 (3) 8616 3496
> Oracle Linux and Virtualization
> 417 St Kilda Road, Melbourne, Victoria 3004 Australia
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
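
Added example, not part of the original thread: one way to approach the "how do I troubleshoot c_rehash" question is to audit the CApath directory itself. OpenSSL's CApath lookup expects one certificate per file, so a chain bundle that verifies with --cacert can still fail through the hash directory; the function name `check_capath` and the finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit an OpenSSL CApath directory (such as /etc/ssl/certs)
# for the usual c_rehash problems. Pure shell, does not call openssl.
# Prints one finding per line as "<KIND> <file name>".
check_capath() {
    dir=$1
    for f in "$dir"/*; do
        name=${f##*/}
        if [ -L "$f" ]; then
            # c_rehash links are named <8 hex digits>.<n>; the target must exist.
            case $name in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                    if [ ! -e "$f" ]; then echo "DANGLING $name"; fi ;;
            esac
            continue
        fi
        if [ ! -f "$f" ]; then continue; fi
        # Count PEM certificates in the file; 0 means it is not a certificate.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
        if [ "${n:-0}" -eq 0 ]; then continue; fi
        # A CApath file must hold exactly one certificate: only the first one
        # gets a hash link, so the rest of a bundle is never found by lookup.
        if [ "$n" -gt 1 ]; then echo "MULTI $name"; fi
        # Every certificate file needs a hash link pointing at it.
        linked=no
        for l in "$dir"/*.[0-9]*; do
            if [ -L "$l" ]; then
                t=$(readlink "$l")
                if [ "${t##*/}" = "$name" ]; then linked=yes; fi
            fi
        done
        if [ "$linked" = no ]; then echo "UNLINKED $name"; fi
    done
    return 0
}

# Run against a directory when given one, e.g.: sh check_capath.sh /etc/ssl/certs
if [ $# -gt 0 ]; then check_capath "$1"; fi
```

For a file that passes these checks, the link name should also equal the output of `openssl x509 -noout -hash -in <file>` followed by `.0`, run with the same OpenSSL that curl is linked against.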