Bug 689939

Summary: Osad not working with wildcard certificates
Product: [Community] Spacewalk
Reporter: Trent Johnson <rhbugzilla>
Component: Server
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium
Priority: unspecified
Version: 1.3
CC: jpazdziora, weiweihu74
Hardware: All
OS: All
Fixed In Version: osad-5.10.23-1
Doc Type: Bug Fix
Last Closed: 2011-12-22 16:47:11 UTC
Bug Blocks: 723481    

Description Trent Johnson 2011-03-22 20:08:47 UTC
Description of problem:

When using a wildcard certificate purchased from a CA, osad and osa-dispatcher fail to verify the certificate and instead give a "Mismatch: peer name:" error.

Version-Release number of selected component (if applicable):
spacewalk 1.3 both client and server packages
The problem exists in /usr/share/rhn/osad/jabber_lib.py

How reproducible:

Install a wildcard certificate into spacewalk.  I used the instructions here for installing the certificate:

http://unfuckablelinux.com/2008/07/02/spacewalk-and-avoiding-self-signed-certificates/

Steps to Reproduce:
1. Install wildcard cert
2. Start osa-dispatcher
3.
  
Actual results:
Starting osa-dispatcher: /usr/lib/python2.6/site-packages/jabber/jabber.py:68: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha, time
RHN 10088 2011/03/12 15:01:59 -05:00: ('Traceback caught:',)
RHN 10088 2011/03/12 15:01:59 -05:00: ('Traceback (most recent call last):\n  File "/usr/share/rhn/osad/jabber_lib.py", line 611, in connect\n    self.verify_peer(ssl)\n  File "/usr/share/rhn/osad/jabber_lib.py", line 692, in verify_peer\n (self._host, common_name))\nSSLVerifyError: Mismatch: peer name: spacesl6.oreillyschool.com; common name: *.oreillyschool.com.\n',) 

Expected results:
osa-dispatcher should start without errors

Additional info:
The check in jabber_lib.py should be fixed to match the common name against wildcards.
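
The following is an added example, not part of the original report and not the code from Spacewalk's jabber_lib.py or its fix: a peer-name check that accepts a wildcard common name such as the one in the traceback while keeping verification enabled. The function names are hypothetical, and it assumes the common name was already extracted from a certificate whose chain has been validated.

```python
import ipaddress


class SSLVerifyError(Exception):
    """Raised when the peer name is not covered by the certificate name."""


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def match_hostname_to_cn(hostname, common_name):
    """Return True if hostname is covered by common_name.

    '*' is honoured only as the whole left-most label and stands for exactly
    one label: '*.example.com' covers 'a.example.com', but not 'example.com'
    or 'a.b.example.com'.
    """
    hostname = hostname.rstrip(".").lower()
    common_name = common_name.rstrip(".").lower()
    host, name = hostname.split("."), common_name.split(".")
    if not all(host) or not all(name) or len(host) != len(name):
        return False  # empty label, or a different number of labels
    if "*" not in common_name:
        return host == name
    if _is_ip(hostname):
        return False  # wildcards never apply to IP literals
    if name[0] != "*" or "*" in "".join(name[1:]):
        return False  # partial ('f*o') or non-left-most wildcard
    # Need two literal labels after '*', so '*.com' is never accepted.
    return len(name) >= 3 and host[1:] == name[1:]


def check_peer(hostname, common_name):
    """Raise SSLVerifyError on mismatch (message mirrors the traceback)."""
    if not match_hostname_to_cn(hostname, common_name):
        raise SSLVerifyError("Mismatch: peer name: %s; common name: %s"
                             % (hostname, common_name))


if __name__ == "__main__":
    # Names taken from the traceback in this report.
    check_peer("spacesl6.oreillyschool.com", "*.oreillyschool.com")
    print("peer name accepted")
```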

Comment 1 Weiwei Hu 2011-06-05 00:21:58 UTC
Work around:

I commented out line 690 to line 692 to disable the common_name verification. And then osa-dispatcher starts without errors.

Comment 2 Jan Pazdziora (Red Hat) 2011-07-20 11:49:19 UTC
Aligning under space16.

Comment 3 Jan Pazdziora (Red Hat) 2011-09-30 12:29:00 UTC
Fixed in Spacewalk master, 3801ed7115cc0a5c8573d643173389b4790bb419.

Comment 4 Milan Zázrivec 2011-12-22 16:47:11 UTC
Spacewalk 1.6 has been released.