Bug 1237219 - spacewalk-clone-by-date: ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jan Dobes
QA Contact: Pavel Studeník
Blocks: space24
Reported: 2015-06-30 14:40 UTC by Pavel Studeník
Modified: 2015-10-08 13:26 UTC
Last Closed: 2015-10-08 13:26:47 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1238675 0 unspecified CLOSED spacewalk-create-channel: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 2021-02-22 00:41:40 UTC

Internal Links: 1238675

Description Pavel Studeník 2015-06-30 14:40:56 UTC
Description of problem:
spacewalk-clone-by-date doesn't work with a self-signed certificate.

Version-Release number of selected component (if applicable):
spacewalk-utils-2.4.5-1.fc22.noarch

How reproducible:
always

Steps to Reproduce:
1. Use the default self-signed certificate

Actual results:
# spacewalk-clone-by-date --assumeyes --channel=custom_chann_rhn_push_tue30jun2015_15_53_37_27695 clone-custom_chann_rhn_push_tue30jun2015_15_53_37_27695 --channel=child_custom_chann_rhn_push_tue30jun2015_15_53_37_27695 clone-child_custom_chann_rhn_push_tue30jun2015_15_53_37_27695 --username <name> --password <pass> --to_date=2030-03-06 

Traceback (most recent call last):
  File "/usr/bin/spacewalk-clone-by-date", line 419, in <module>
    sys.exit(abs(main() or 0))
  File "/usr/bin/spacewalk-clone-by-date", line 409, in main
    return cloneByDate.main(args)
  File "/usr/share/rhn/utils/cloneByDate.py", line 123, in main
    xmlrpc = RemoteApi(options.server, options.username, options.password)
  File "/usr/share/rhn/utils/cloneByDate.py", line 800, in __init__
    self.__login()
  File "/usr/share/rhn/utils/cloneByDate.py", line 813, in __login
    self.auth_token = self.client.auth.login(self.username, self.password)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1240, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1599, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1280, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1308, in single_request
    self.send_content(h, request_body)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1456, in send_content
    connection.endheaders(request_body)
  File "/usr/lib64/python2.7/httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 893, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 855, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Expected results:
No error, and it works correctly.

Comment 1 Pavel Studeník 2015-08-04 09:06:54 UTC
Hi, I found a solution for how to import the SSL CA into the system. We need to fix it for the installer and the spacewalk-hostname-rename command. But the update-ca-trust command looks rather good. The documentation says:

"update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust"

>> cd /etc/pki/ca-trust/source/anchors
>> wget http://localhost/pub/RHN-ORG-TRUSTED-SSL-CERT
>> update-ca-trust extract

Comment 2 Jan Dobes 2015-08-07 12:29:00 UTC
Fixed using the method from comment #1.

The public CA certificate is added to the trusted store:

ed4af4735556bb604e96c186d349e313a50090f4

A hostname change triggers creation of a new CA certificate:

afabe65bfb15057c59ae6ccb95aaf9194e2bef04

On client machines, when the public cert RPM is installed, the certificate is also added to the trusted store:

bf161d661d44ebc2973a1fa616ae29fb1d631486
62a4600fa02362093dc4b95f9bcbf904143acc9a
4c4ed19177ab116b5e857ff0759bb1d93a31fe3d

In applications using https where 'localhost' is explicitly used as the default value, change it to the hostname:

ee4e42e304bb90082512778be8b68c6795954bea
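
The last item of the fix, sketched as an added example (not Spacewalk's code and not taken from the commits above): once the CA is trusted, the client must still connect using a name the certificate was issued for, so a 'localhost' default keeps failing. The check is a simplified form of TLS hostname matching over the dict format returned by Python's SSLSocket.getpeercert(); the sample certificate and the name spacewalk.example.com are constructed.

```python
# Added illustration, not Spacewalk code: simplified TLS hostname matching
# over the dict format returned by ssl.SSLSocket.getpeercert().

def cert_dns_names(cert):
    """Names the cert is valid for: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS names exist, the CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most
    label of a name with at least three labels, and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def check_connect_name(cert, host):
    """Return (ok, names): whether `host` is covered, and by which names."""
    names = cert_dns_names(cert)
    return any(name_matches(n, host) for n in names), names


# Constructed sample: a server certificate issued for the server's hostname.
SAMPLE_CERT = {
    "subject": ((("commonName", "spacewalk.example.com"),),),
    "subjectAltName": (("DNS", "spacewalk.example.com"),),
}

if __name__ == "__main__":
    for host in ("localhost", "spacewalk.example.com"):
        ok, names = check_connect_name(SAMPLE_CERT, host)
        verdict = "matches" if ok else "does NOT match"
        print("%s %s certificate names %s" % (host, verdict, names))
```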

Comment 3 Pavel Studeník 2015-08-14 10:28:26 UTC
Verified with packages:
* spacewalk-utils-2.4.14-1.fc22.noarch 
* spacewalk-postgresql-2.4.2-1.fc22.noarch

$ spacewalk-clone-by-date --config=clone.conf --channel=chann_1_clone_by_date_thu13aug2015_17_30_24_9671 clone-chann_1_clone_by_date_thu13aug2015_17_30_24_9671
...

Comment 4 Jan Dobes 2015-10-08 13:26:47 UTC
Spacewalk 2.4 has been released.

