PDA

View Full Version : SUSE Manager and openSUSE 42.2



jkinning
29-Mar-2017, 20:29
I am trying to get SUMA 3 to work with openSUSE 42.2. I have the repos all updated and have a client available with the 42.2 repos using Salt. When I try to update the client it fails with a generic entry. So I try to run zypper ref or zypper up on the client and get this message:
Retrieving repository 'openSUSE Leap 42.2 (x86_64)' metadata ---------------------------------------------------------------------------------------------------------------------------------[\]
Download (curl) error for 'https://<suma_server>:443/rhn/manager/download/opensuse_leap42_2-x86_64/repodata/repomd.xml?eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MjIzND Y4MTIsImlhdCI6MTQ5MDgxMDgxMiwibmJmIjoxNDkwODEwNjky LCJvcmciOjEsImp0aSI6InRDMFlGWmpQa1Q3ZUozNmZUb0dScH ciLCJvbmx5Q2hhbm5lbHMiOlsib3BlbnN1c2VfbGVhcDQyXzIt eDg2XzY0Il19.JxVqRuuhgLlPbtfXGX1pApnPy4RHAudQgZXQq CUQqyU':
Error code: Curl error 60
Error message: SSL certificate problem: unable to get local issuer certificate

I checked the wiki but couldn't find a solution. Even tried -rpm - Uvh http://<suma_server>/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm

Knowing openSUSE isn't "supported" I found it odd that there was no information on the wiki on how to get openSUSE 42.2 working with SUMA but there was CentOS information. I want to try and keep my environment all SUSE related but I guess if I can't get this working I'll travel down the CentOS 7 road. SLES 12sp2 clients are working great with salt.

ab
29-Mar-2017, 23:04
I have not tried this yet, but this error makes me think that your system
does not trust the certificate used by SUSE Manager, which may be fixable
by importing the CA from SUSE Manager into your system. I would expect
that could happen as part of the setup via Salt, but maybe not.

How is TLS/SSL setup in SUSE Manager? Is it a self-signed certificate, or
something trusted by third parties minted by a CA like Digicert?

Have you tried using other tools, like curl, to see if you can connect to
SUSE Manager properly and get a listing from the URI?



curl -v 'https://<suma_server>:443/rhn/manager/download/


If that does not work, try adding --insecure to the command to see if that
lets it get in, in which case it would seem to confirm you need to have
your client system trust SUMA's certificates.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

kwk
30-Mar-2017, 06:27
From the download URL I assume that you added openSUSE 42.2 as an external repository to SUSE Manager.

Please go to "Manage repositories" -> "Details" for this repo and uncheck "has signed metadata?". The click on "update repository" and try again.

dgersic
30-Mar-2017, 06:36
On Wed, 29 Mar 2017 22:04:41 +0000, ab wrote:

> I have not tried this yet, but this error makes me think that your
> system does not trust the certificate used by SUSE Manager, which may be
> fixable by importing the CA from SUSE Manager into your system. I would
> expect that could happen as part of the setup via Salt, but maybe not.

It should, but I've seen it not work. The SuMa server's cert needs to be
imported in to the cert store where curl looks for it. I don't recall the
exact details from tripping over this a couple of weeks ago, but this:

https://forums.opensuse.org/showthread.php/445106-How-to-import-root-CA-
into-system-wide-trusted-store

sounds about right. The location isn't too hard to figure out, but the
symlinks are non-obvious.


--
David Gersic
Knowledge Partner http://forums.microfocus.com
If you find this post helpful, please click on the star below.

D8TA
30-Mar-2017, 14:51
From the download URL I assume that you added openSUSE 42.2 as an external repository to SUSE Manager.

Please go to "Manage repositories" -> "Details" for this repo and uncheck "has signed metadata?". The click on "update repository" and try again.

My repos already have the Has Signed Metadata?: unchecked. I am pulling packages from http://mirrors.kernel.org/opensuse/distribution/leap/42.2

D8TA
30-Mar-2017, 14:55
I have not tried this yet, but this error makes me think that your system
does not trust the certificate used by SUSE Manager, which may be fixable
by importing the CA from SUSE Manager into your system. I would expect
that could happen as part of the setup via Salt, but maybe not.

How is TLS/SSL setup in SUSE Manager? Is it a self-signed certificate, or
something trusted by third parties minted by a CA like Digicert?

Have you tried using other tools, like curl, to see if you can connect to
SUSE Manager properly and get a listing from the URI?



curl -v 'https://<suma_server>:443/rhn/manager/download/


If that does not work, try adding --insecure to the command to see if that
lets it get in, in which case it would seem to confirm you need to have
your client system trust SUMA's certificates.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Ok, the curl -v --insecure did work. I was able to get a connection. I am not sure how to get my client to trust the SUMA cert which is a self-signed cert.

* Connected to <suma_server> (IP Address) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: <omitted cert info>
* start date: 2017-03-20 16:46:22 GMT
* expire date: 2027-03-25 16:46:22 GMT
* issuer: <omitted cert info>
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* SSLv2, Unknown (23):
> GET /rhn/manager/download HTTP/1.1
> User-Agent: curl/7.37.0
> Host: <suma_server>
> Accept: */*
>
* SSLv2, Unknown (23):
< HTTP/1.1 302 Found
< Date: Thu, 30 Mar 2017 13:45:04 GMT
* Server Apache is not blacklisted
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< Location: https://<suma_server>/rhn/Login.do?url_bounce=/rhn/manager/download&request_method=GET
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Set-Cookie: JSESSIONID=5919399B619BE5CD590E74E26B5FD4A0; Path=/; Secure; HttpOnly; HttpOnly;HttpOnly;Secure
< Set-Cookie: pxt-session-cookie=15x46b8d4340ac8e74f29828981a25864cffb5c9b75 9a43caef285c59ac5c801624; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly;HttpOnly;Secure
< Content-Security-Policy: default-src 'self' https: wss: ; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; img-src 'self' https: ;style-src 'self' https: 'unsafe-inline'
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Permitted-Cross-Domain-Policies: master-only
<
* Connection #0 to host <suma_server> left intact

D8TA
30-Mar-2017, 15:12
Something else I noticed, is there an easy way to change the GPG Check to no? Currently the value is ( p) Yes. Would that clear up my cert issue?


# | Alias | Name | Enabled | GPG Check | Refresh
11 | susemanager:opensuse_leap42_2-x86_64 | openSUSE Leap 42.2 (x86_64) | Yes | ( p) Yes | Yes
12 | susemanager:opensuse_leap42_2-x86_64-non-oss | openSUSE 42.2 non oss (x86_64) | Yes | ( p) Yes | Yes
13 | susemanager:opensuse_leap42_2-x86_64-non-oss-updates | openSUSE Leap 42.2 non oss Updates (x86_64) | Yes | ( p) Yes | Yes
14 | susemanager:opensuse_leap42_2-x86_64-updates | openSUSE Leap 42.2 Updates (x86_64) | Yes | ( p) Yes | Yes
15 | susemanager:spacewalk26-client-opensuse_leap_42_2-x86_64 | Spacewalk Client 2.6 openSUSE Leap 42.2 (x86_64) | Yes | ( p) Yes | Yes

kwk
31-Mar-2017, 07:34
The "Repository Checksum Type:" in "Channels" -> "Manage Software Channels" should be set to "sha256". What happens if you check "has signed metadata?"

jkinning
31-Mar-2017, 14:01
The "Repository Checksum Type:" in "Channels" -> "Manage Software Channels" should be set to "sha256". What happens if you check "has signed metadata?"

They are showing sha256 so I checked the has signed metadata but still get the same message after running zypper clean and then trying zypper ref or zypper up.
Error code: Curl error 60
Error message: SSL certificate problem: unable to get local issuer certificate

D8TA
06-Apr-2017, 14:05
No other solution or how I can get this cert problem corrected?

jkinning
12-Apr-2017, 18:04
Ok, I'll ask this question a different way. If I want to clear out the SUMA certificate from the openSUSE 42.2 host where or what would I remove? I have spent a pretty good amount of time trying to get this resolved and still keep getting the certificate error. I would prefer to stay with the SUSE family and use openSUSE for some Dev boxes and not use CentOS7 but there is more documentation on using CentOS7 and it works. I have had zero issues getting CentOS 7 working with SUMA. Just trying to figure out why openSUSE is so problematic or no easy way to clear out my certificate issue so my SUMA server can talk to my openSUSE client.

hwirths_nde
13-Apr-2017, 13:40
Registering clients via salt usually implies installing the CA certificate used by the SUMA on the new client machine. This is done applying the corresponding salt state during the boarding phase. However, the salt state cannot install the CA certificate on openSUSE 42.2 machines.

You might have another try to install it via the RPM provided by the SUMA, adding a 'pub' into the URL you already tried as shown below:
rpm -Uvh http://<suma_server>/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm

If this does not work, you can try to download the certificate file http://<suma_server>/pub/RHN-ORG-TRUSTED-SSL-CERT into the directory /etc/pki/trust/anchors on the openSUSE 42.2 machine and run 'update-ca-certificates' then.

Hopefully this will help you to get the repositories running on your openSUSE 42.2 client machine.

jkinning
17-Apr-2017, 19:14
Excellent!! Finally have this guy working. Thanks hwirths_nde!!