Description of problem:
Registering a client server via bootstrap.sh to a Satellite 5.4.1 or 5.5.0 server fails because of an SSL certificate validation error. The problem is on line 195 of bootstrap.sh. The rpm command is used to fetch the Satellite Certificate Authority RPM file. The rpm command uses curl to fetch the file and by default curl verifies the SSL certificate, but because the client server does not already have the Satellite Certificate Authority installed, the file download will fail because of an SSL certificate validation error. Using the rpm command bypasses the logic done on lines 115 - 135 to prevent this problem.

Version-Release number of selected component (if applicable):
(Satellite 5.4.1) spacewalk-certs-tools.noarch 1.7.3-3.el6sat
(Satellite 5.5.0) spacewalk-certs-tools.noarch 1.7.3-4.el6sat

How reproducible:
Always.

Steps to Reproduce:
1. On the Satellite server, generate a new bootstrap.sh by executing "rhn-bootstrap" as root. Make the necessary changes to the new bootstrap.sh in /var/www/html/pub/bootstrap: Comment out "exit 1", and set ACTIVATION_KEYS=.
2. On the client server, wget the new bootstrap.sh: wget http://satellite.foo.net/pub/bootstrap/bootstrap.sh
3. On the client server, execute the bootstrap.sh

Actual results:
UPDATING RHN_REGISTER/UP2DATE CONFIGURATION FILES
-------------------------------------------------
* downloading necessary files
  client_config_update.py...
  client-config-overrides.txt...
* running the update scripts
  . up2date config file
* /etc/sysconfig/rhn/up2date written
* attempting to install corporate public CA cert
Retrieving https://satellite.foo.net/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
error: skipping https://satellite.foo.net/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm - transfer failed

REGISTRATION
------------
* registering
An error has occurred:
ERROR: can not find RHNS CA file: /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
See /var/log/up2date for more information
*** Error: Registering the system failed.

Expected results:
UPDATING RHN_REGISTER/UP2DATE CONFIGURATION FILES
-------------------------------------------------
* downloading necessary files
  client_config_update.py...
  client-config-overrides.txt...
* running the update scripts
  . up2date config file
* attempting to install corporate public CA cert
Preparing... ########################################### [100%]
1:rhn-org-trusted-ssl-cer########################################### [100%]

REGISTRATION
------------
* registering
*** this system should now be registered, please verify ***

Additional info:
The following patch fixes this problem:

--- bootstrap.sh 2013-02-19 18:42:38.270585609 -0600 +++ bootstrap.sh 2013-02-19 18:43:52.117534716 -0600 @@ -192,7 +192,8 @@ echo echo "* attempting to install corporate public CA cert" if [ $ORG_CA_CERT_IS_RPM_YN -eq 1 ] ; then - rpm -Uvh --force --replacefiles --replacepkgs ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT} + $FETCH ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT} + rpm -Uvh --force --replacefiles --replacepkgs ${ORG_CA_CERT} else rm -f ${ORG_CA_CERT} $FETCH ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT}
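
Review bot: In the RPM branch, the two added lines run `$FETCH ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT}` without checking its exit status and without the `rm -f ${ORG_CA_CERT}` that the else branch performs first. If the download fails, or a file of that name is already in the working directory, the following `rpm -Uvh --force --replacefiles --replacepkgs ${ORG_CA_CERT}` installs whatever is there. Suggest removing any old copy before the fetch, running rpm only when `$FETCH` succeeds, and quoting the expansions. Because this package becomes the client's CA trust anchor and is forced in with no integrity check visible in this hunk, it would also be worth comparing the downloaded file against a checksum obtained out of band before installing it.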
The issue has been fixed in Spacewalk 1.8 (spacewalk-certs-tools-1.8.4-1) via commit ba3433047a3760b753e76982d427d46fbaf8b5bf:

download CA cert via http
fixing chicken-or-egg problem when download of CA cert fails because server cert can't be validated without CA cert
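
When the CA package has to be fetched before the server certificate can be validated, the download itself is unauthenticated, so a digest pinned out of band is one way to keep a trust check in the bootstrap step. The sketch below is an added example, not code from bootstrap.sh or Spacewalk; `bootstrap_ca`, the fetch and install stand-ins, and the availability of a SHA-256 pin on the client are all assumptions.

```shell
#!/bin/sh
# Added example: check a pinned SHA-256 before installing a CA package
# that was fetched without transport authentication.
# All function names are hypothetical; none come from bootstrap.sh.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# bootstrap_ca FETCH URL EXPECTED_SHA256 INSTALL
#   FETCH is called as:   FETCH URL DEST
#   INSTALL is called as: INSTALL FILE
# Return codes: 0 installed, 2 fetch failed, 3 pin mismatch, 4 install failed.
bootstrap_ca() {
    bc_fetch=$1; bc_url=$2; bc_expected=$3; bc_install=$4
    # Fresh private directory: a stale file of the same name cannot be used.
    bc_dir=$(mktemp -d) || return 1
    bc_dest="$bc_dir/${bc_url##*/}"
    bc_rc=0
    if ! "$bc_fetch" "$bc_url" "$bc_dest" || [ ! -s "$bc_dest" ]; then
        bc_rc=2      # download failed or produced an empty file
    elif [ "$(sha256_of "$bc_dest")" != "$bc_expected" ]; then
        bc_rc=3      # the pin is the only trust check, so stop here
    elif ! "$bc_install" "$bc_dest"; then
        bc_rc=4
    fi
    rm -rf "$bc_dir"
    return "$bc_rc"
}

# Constructed stand-ins so the example runs offline. In real use FETCH
# would wrap the download tool and INSTALL would wrap the rpm command.
SAMPLE_BYTES='constructed CA package bytes'
fetch_good()     { printf '%s' "$SAMPLE_BYTES" > "$2"; }
fetch_tampered() { printf '%s' "$SAMPLE_BYTES plus injected data" > "$2"; }
fetch_fail()     { return 1; }
install_record() { INSTALLED_SHA=$(sha256_of "$1"); }
```

The pin has to reach the client by a path other than the download being checked, for example baked into the provisioning template.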
Hello all, Do we have an ETA about the final fix for this? It is completely reproducible with spacewalk-certs-tools-1.7.3-4.el6sat.noarch. Apparently the workaround is to edit the bootstrap and change USING_SSL from 1 to 0. Thanks.
Satellite 5.6 has been released. This bug was tracked under the release. This bug was either VERIFIED or RELEASE_PENDING (re-verified prior shortly before release). Moving to CLOSED CURRENT_RELEASE. Text from Upgrade Erratum follows: Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1395.html