Hi Robert,

Thanks for contacting me. I've configured a static entry in /etc/hosts and tested it, but unfortunately the spacecmd result is the same.
Oddly, this URL (https://<dev_spacewalk>.local/rpc/api) works directly with a web browser (only http: certificate invalid)

Best regards,
Jérôme Meyer

-----Original Message-----
From: Robert Paschedag [mailto:robert.pasche...@web.de]
Sent: Tuesday, 8 May 2018 20:28
To: spacewalk-list@redhat.com; Jérôme Meyer; 'spacewalk-list@redhat.com'
Subject: Re: [Spacewalk-list] Certificat problem by client installation

On 8 May 2018 20:18:41 CEST, Robert Paschedag <robert.pasche...@web.de> wrote:
>On 8 May 2018 19:00:53 CEST, "Jérôme Meyer" <jerome.me...@lcsystems.ch> wrote:
>>Dear All,
>>
>>Because our customer has some issue with his prod_spacewalk server to
>>create new system, we decided to clone it as dev_system to do some
>>test and troubleshooting this problem.
>>Clone and configuration to dev_spacewalk was successfully done.
>>
>>Version:
>>==================================
>>dev_spacewalk : CentOS 7.4.1708
>>spacewalk ver.: 2.4
>>
>>Steps
>>==================================
>>1) server successfully cloned
>>2) Change hostname in configuration's file
>>3) run the script with the new IP ADD :
>>/usr/bin/spacewalk-hostname-rename <ip>
>>3.1) a new SSL certificate was created
>>3.2) a private AC key was generated:
>> Generating private CA key: /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
>>4) Configuring jabber to use PostgreSQL backend because some issue.
>>5) Successfully start the service:
>>
>>Error
>>==================================
>>
>>Now, we've created a new dev_server and after the installation, we
>>received some issue from kickstart logs:
>>
>>ERROR: Failed to connect to https://<dev_spacewalk>.local/rpc/api
>>
>>I've done another test from this new machine:
>>
>><dev_server># spacecmd -s <dev_spacewalk> -u admin -p $(echo passwd | openssl enc -aes-128-cbc -a -d -salt -pass pass:XXXX) --debug
>>DEBUG: : False
>>DEBUG: Read configuration from /root/.spacecmd/config
>>DEBUG: Loading configuration section [spacecmd]
>>DEBUG: Current Configuration: {'username': 'admin', 'password': '***********', 'server': 'dev_spacewalk'}
>>Welcome to spacecmd, a command-line interface to Spacewalk.
>>
>>Type: 'help' for a list of commands
>>      'help <cmd>' for command-specific help
>>      'quit' to quit
>>
>>DEBUG: Configuration section [dev_spacewalk] does not exist
>>DEBUG: Connecting to https://dev_spacewalk/rpc/api
>>ERROR: <class 'ssl.SSLError'>
>>Traceback (most recent call last):
>>  File "/usr/lib/python2.7/site-packages/spacecmd/misc.py", line 284, in do_login
>>    self.api_version = self.client.api.getVersion()
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
>>    return self.__send(self.__name, args)
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
>>    verbose=self.__verbose
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
>>    return self.single_request(host, handler, request_body, verbose)
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1301, in single_request
>>    self.send_content(h, request_body)
>>  File "/usr/lib64/python2.7/xmlrpclib.py", line 1448, in send_content
>>    connection.endheaders(request_body)
>>  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
>>    self._send_output(message_body)
>>  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
>>    self.send(msg)
>>  File "/usr/lib64/python2.7/httplib.py", line 826, in send
>>    self.connect()
>>  File "/usr/lib64/python2.7/httplib.py", line 1236, in connect
>>    server_hostname=sni_hostname)
>>  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
>>    _context=self)
>>  File "/usr/lib64/python2.7/ssl.py", line 611, in __init__
>>    self.do_handshake()
>>  File "/usr/lib64/python2.7/ssl.py", line 833, in do_handshake
>>    self._sslobj.do_handshake()
>>SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
>>ERROR: Failed to connect to https://<dev_spacewalk>/rpc/api
>>
>>Questions
>>==================================
>>
>>1) How can I check if certificates are ok?
>>2) Is a certificate's problem or spacewalk? Any Idea how I can
>>debugging?
>>3) Our customer are using a selfsigned certificate, so I don't think
>>that is a CA certificate problem?
>>4) All certificates saw ok but this file not. I don't really know how it
>>will be created:
>>
>><dev_server># cat /tmp/ssl-key-1
>>Certificate:
>>    Data:
>>        Version: 3 (0x2)
>>        Serial Number: 13876969005773671483 (0xc094e5c9943ecc3b)
>>    Signature Algorithm: sha1WithRSAEncryption
>>        Issuer: C=CH, ST=XXXXX, L=XXXX, O=XXXX, OU=XX, CN=<prod_spacewalk>.local
>
>Your cert is created for "prod_spacewalk.local" but you are connecting
>to a totally different name ("dev_spacewalk" (without .local)) and
>expect it to verify...
>
>How should this work?????
>
>
>Even if you are using the correct name to connect.... Does your new
>"client" "trust" the SW CA?
>
>Normally... the SW clients use the RHN-TRUSTED-SSL-CERT file that is
>stored in /usr/share/rhn as CA store to "verify" the connection (tools
>like "rhn_check")
>
>Robert

To quickly test from the new client.... Modify its /etc/hosts file and set a static entry for "prod_spacewalk.local" and set its IP to the IP of "dev_spacewalk". In case you're trusting SWs CA cert, SSL should work.

Robert

>
>>        Validity
>>            Not Before: Nov 4 10:50:35 2015 GMT
>>            Not After : Oct 29 10:50:35 2036 GMT
>>        Subject: C=XX, ST=XXXXX, L=XXXX, O=XXXX, OU=XX, CN=<prod_spacewalk>.local
>>        Subject Public Key Info:
>>            ...
>>-----END CERTIFICATE-----
>>
>>
>>Thank you for your help in advance,
>>
>>Best regard,
>>
>>Jérôme Meyer
>>System Engineer
>>LC Systems-Engineering AG
_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
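
The two checks raised in the thread (is the name being connected to in the certificate, and does the client trust the issuing CA) can be tested separately. The following Python 3 script is an added example, not part of the thread or of Spacewalk; the host names in `SAMPLE_CERT` are constructed stand-ins for the thread's placeholders, and the CA file path is supplied by the caller.

```python
import socket
import ssl

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns;
# the names are stand-ins for the placeholders used in the thread.
SAMPLE_CERT = {
    "subject": ((("countryName", "CH"),), (("commonName", "prod_spacewalk.local"),)),
}


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(cert, hostname):
    """True if hostname equals a certificate name or fits a '*.' wildcard."""
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent)
               for n in cert_names(cert))


def probe(hostname, ca_file, port=443, timeout=5):
    """Connect once; report chain trust and name match as separate results."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only this CA file
    ctx.check_hostname = False  # chain is still verified; name is checked below
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "chain not trusted by %s: %s" % (ca_file, exc.verify_message)
    if not name_matches(cert, hostname):
        return "chain trusted, but certificate is for %s" % ", ".join(cert_names(cert))
    return "ok"


if __name__ == "__main__":
    for name in ("dev_spacewalk", "prod_spacewalk.local"):
        print(name, "->", name_matches(SAMPLE_CERT, name))
```

Run `probe()` on the new client with the CA file it keeps under /usr/share/rhn, once with the name it is configured to use and once with the name in the certificate.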