Hi Paul,

 

From what I can see the salt event fired from the Uyuni proxy does not get the certificate, but for the moment I don’t really know why.

On fetch-certificate script:

 

        event.fire_master({}, REQUEST_TAG)  # send event to master
        data = event.get_event(
            full=False, auto_reconnect=True, no_block=False, match_type='fnmatch', tag=RESPONSE_TAG, wait=WAIT_RESPONSE)
        print(data)

 

‘data’ returned is empty.

 

I have created https://github.com/uyuni-project/uyuni/issues/5573 to centralize the findings.

 

Regards,

Philippe.

 

From: Paul-Andre Panon <ppanon@sierrawireless.com>
Sent: 16 June 2022 20:02
To: Bidault, Philippe <Philippe.Bidault@Getronics.com>
Cc: General discussion related to the openSUSE Uyuni project <users@lists.uyuni-project.org>
Subject: RE: Problem setting up an Uyuni Proxy

 


Bonjour Philippe,

Well, our server is at 2022.05 so presumably the proxy would be trying to install the same version in our case. I started trying to look through the code to figure out what was going on, but I wound up having to work on other higher priorities since. I did figure out that the "Requesting certificate from server." messages are coming from /usr/sbin/fetch-certificate, which is called by configure-proxy.sh, but that was about as far as I got. I hope to look at it more next week.

Cheers,

Paul-Andre Panon

 

From: Bidault, Philippe <Philippe.Bidault@Getronics.com>
Sent: Wednesday, June 15, 2022 7:56 AM
To: Paul-Andre Panon <ppanon@sierrawireless.com>
Cc: General discussion related to the openSUSE Uyuni project <users@lists.uyuni-project.org>
Subject: RE: Problem setting up an Uyuni Proxy

 

Hi Paul-André,

 

I tried some weeks ago, and had the exact same behaviour:

 

# configure-proxy.sh --answer-file=/tmp/proxyanswers.txt
Requesting certificate from server. [1/20]
^CRequesting certificate from server. [2/20]
Requesting certificate from server. [3/20]
Requesting certificate from server. [4/20]
Requesting certificate from server. [5/20]
Requesting certificate from server. [6/20]
Requesting certificate from server. [7/20]
Requesting certificate from server. [8/20]
Requesting certificate from server. [9/20]
Requesting certificate from server. [10/20]
Requesting certificate from server. [11/20]
Requesting certificate from server. [12/20]
Requesting certificate from server. [13/20]
Requesting certificate from server. [14/20]
Requesting certificate from server. [15/20]
Requesting certificate from server. [16/20]
Requesting certificate from server. [17/20]
Requesting certificate from server. [18/20]
Requesting certificate from server. [19/20]
Requesting certificate from server. [20/20]
Certificate not received from server. Exit.
/etc/sysconfig/rhn/systemid:1: parser error : Document is empty

^
unable to parse /etc/sysconfig/rhn/systemid
SUSE Manager Parent [uyuni]: uyuni.gms.test
Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP Proxy []:
Traceback email [philippe.bidault@getronics.com]: philippe.bidault@getronics.com
You will now need to either generate or import an SSL certificate.
This SSL certificate will allow client systems to connect to this Uyuni Proxy
securely. Refer to the Uyuni Proxy Installation Guide for more information.
Do you want to import existing certificates? [N]: N
Organization [XX]: XX
Organization Unit [XX]: XX
Common Name [uyuni_proxy]: uyuni_proxy
City [XX]: XX
State [XX]: XX
Country code [XX]: XX
Email [philippe.bidault@getronics.com]: philippe.bidault@getronics.com
Cname aliases (separated by space) [uyuni_proxy]: uyuni_proxy
Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY.
Generating SSL key and public certificate.
Rotated out: 'server.key.6'
Backup made: 'server.key' --> 'server.key.1'
File 'rhn-server-openssl.cnf' is identical to its rotation. Nothing to do.
Rotated out: 'server.csr.6'
Backup made: 'server.csr' --> 'server.csr.1'
Rotated out: 'server.crt.6'
Backup made: 'server.crt' --> 'server.crt.1'
Installing SSL certificates:
XXX: User postgres does not exist
XXX: Group postgres does not exist
cp: '/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT' and '/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT' are the same file
WARNING: upon deactivation attempt: unknown error - <Fault -12: 'redstone.xmlrpc.XmlRpcFault: method invalid param'>

There was a problem activating the SUSE Manager Proxy entitlement:
WARNING: upon deactivation attempt: unknown error - <Fault -12: 'redstone.xmlrpc.XmlRpcFault: method invalid param'>
Proxy activation failed! Installation interrupted.
WARNING: upon deactivation attempt: unknown error - <Fault -12: 'redstone.xmlrpc.XmlRpcFault: method invalid param'>

 

 

But was thinking of an incompatibility between proxy version vs server, as the proxy is v2022.05 and my server is 2022.02.

Have you found something? If not, will have to open an issue as it seems that we are at least 2 with this.

 

Philippe.

 


Philippe Bidault |  Unix Engineer |  Getronics



From: Paul-Andre Panon via Uyuni Users <users@lists.uyuni-project.org>
Sent: 13 June 2022 12:49
To: users@lists.uyuni-project.org
Cc: Paul-Andre Panon <ppanon@sierrawireless.com>
Subject: Problem setting up an Uyuni Proxy

 


I’m trying to set up an Uyuni proxy (using the proxy pattern). It’s a bit of an unusual configuration:
  1. Uyuni server is in a different domain
  2. Have network connectivity but not DNS resolution
  3. Application level firewall in between two networks
  4. Certificates are signed by a separate internal Intermediate [+root] CA

The networks will eventually get more integrated, but to get around 1 & 2, the proxy is in the server’s host file, and the server and internal CA are in the proxy’s host file.
This seems to work well enough to get the proxy system registered as a minion/client with the Uyuni server. However, once I’ve created the cert for the proxy, when trying to run configure-proxy.sh, we get

Requesting certificate from server. [1/20]
Requesting certificate from server. [20/20]
Certificate not received from server. Exit.
/etc/sysconfig/rhn/systemid:1: parser error : Document is empty

^
unable to parse /etc/sysconfig/rhn/systemid
SUSE Manager Parent [Uyuni_server.FQDNl]:
Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP Proxy []:
Traceback email []: <removed spammer bait>
You will now need to either generate or import an SSL certificate.
This SSL certificate will allow client systems to connect to this Uyuni Proxy
securely. Refer to the Uyuni Proxy Installation Guide for more information.
Do you want to import existing certificates? [y/N]: y
Path to CA SSL certificate: []: /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
Path to the Proxy Server's SSL key: []: /root/ssl-build/<proxy>.key
Path to the Proxy Server's SSL certificate: []: /root/ssl-build/<proxy>.crt
Installing SSL certificates:
XXX: User postgres does not exist
XXX: Group postgres does not exist
cp: '/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT' and '/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT' are the same file
WARNING: upon deactivation attempt: unknown error - <Fault -12: 'redstone.xmlrpc.XmlRpcFault: method invalid param'>

There was a problem activating the SUSE Manager Proxy entitlement:
WARNING: upon deactivation attempt: unknown error - <Fault -12: 'redstone.xmlrpc.XmlRpcFault: method invalid param'>
Proxy activation failed! Installation interrupted.
WARNING: upon deactivation attempt: unknown error - <Fault -12: 'redstone.xmlrpc.XmlRpcFault: method invalid param'>
There were some answers you had to enter manually.
Would you like to have written those into file
formatted as answers file? [Y/n]: y
Writing proxy-answers.txt.u4qp3

I’m hoping the first few errors aren’t too much of an issue. I’m not sure what I would have missed, step-wise, to lead to the SUSE Manager Proxy entitlement errors. I didn’t find anything obvious through a Google search for those errors. The CA certs have been installed on the proxy, so if I try to use wget to fetch a file from the pub folder on the Uyuni server, it has no apparent problems with cert verification.

I appreciate any suggestions or pointers you can offer.

 

Thanks,

Paul-Andre Panon