SSL Cert not installed correctly anymore on SuMa clients



bylokk
11-Jan-2019, 11:04
We've got an RPM with the SUSE Manager SSL certificate, "rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm".
This rpm contains one file named "/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CER".

The latest bootstrap script does not install this certificate correctly anymore.

What is missing? This:


ln -s /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT.pem
update-ca-certificates

Inside the Bootstrap Script I can see this comment:
# symlink & update certificates is already done in rpm post-install script
# no need to be done again if we have installed rpm

But this is not true for us. The rpm has no rpm post-install script.
Maybe because it was created in 2016 with an older version of SuMa?

How can I recreate the rpm with a post-install script?

mcalmer
12-Jan-2019, 14:09
I think you are on the right way. The ways to configure a CA certificate on different OSes and OS versions got more and more complex over the years.
If you want to generate a new RPM with the current post script, call these commands:



$> rhn-ssl-tool --gen-ca --rpm-only --dir="/root/ssl-build"
$> /usr/bin/rhn-deploy-ca-cert.pl --source-dir /root/ssl-build \
--target-dir /srv/www/htdocs/pub/ --trust-dir=/etc/pki/trust/anchors/

bylokk
14-Jan-2019, 12:14
Thank you very much. That worked perfectly. :)
The first command just created the rpm with existing Certificate and nothing else - that's exactly what I wanted.
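
Added example, not part of the original thread and not SUSE Manager's own code: a small shell check that reads the output of `rpm -q --scripts` and reports whether the certificate RPM carries a post-install scriptlet that refreshes the trust store, which is the condition the bootstrap script's comment relies on. The function names and the two sample scriptlet texts are constructed for illustration; the second sample is not the scriptlet rhn-ssl-tool actually generates.

```shell
#!/bin/sh
# Reads `rpm -q --scripts <pkg>` output on stdin. Return codes:
#   0 = postinstall scriptlet runs update-ca-certificates
#   1 = postinstall scriptlet exists but never runs it
#   2 = no postinstall scriptlet at all (the situation described in the thread)
check_post_script() {
    awk '
        # Any "<name> scriptlet ..." header starts a new section.
        /^[a-z]+ scriptlet / {
            in_post = ($1 == "postinstall")
            if (in_post) found = 1
            next
        }
        # Count the call only inside %post and only if not commented out.
        in_post && /update-ca-certificates/ && !/^[ \t]*#/ { ok = 1 }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }
    '
}

# Prints a verdict for scriptlet text on stdin; always returns 0.
describe() {
    rc=0
    check_post_script || rc=$?
    case $rc in
        0) echo "OK: post-install script refreshes the trust store" ;;
        1) echo "WARN: post-install script never runs update-ca-certificates" ;;
        2) echo "MISSING: no post-install script; symlink and update-ca-certificates must be run by hand" ;;
    esac
}

# Constructed sample: an RPM without scriptlets prints nothing for --scripts.
SAMPLE_OLD=''
# Constructed sample: a scriptlet doing the two steps quoted in the first post.
SAMPLE_NEW='postinstall scriptlet (using /bin/sh):
ln -sf /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT.pem
update-ca-certificates'

printf '%s' "$SAMPLE_OLD" | describe
printf '%s\n' "$SAMPLE_NEW" | describe
```

On a client, the same check runs against the installed package with `rpm -q --scripts rhn-org-trusted-ssl-cert | describe`.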