Problem setting up an Uyuni Proxy
I'm trying to set up an Uyuni proxy (using the proxy pattern). It's a bit of an unusual configuration:
1. Uyuni server is in a different domain
2. Have network connectivity but not DNS resolution
3. Application level firewall in between two networks
4. Certificates are signed by a separate internal Intermediate [+root] CA
The networks will eventually get more integrated, but to get around 1 & 2, the proxy is in the server's host file, and the server and internal CA are in the proxy's host file.
This seems to work well enough to get the proxy system registered as a minion/client with the Uyuni server. However, once I've created the cert for the proxy, when trying to run configure-proxy.sh, we get
Requesting certificate from server. [1/20]
...
Requesting certificate from server. [20/20]
Certificate not received from server. Exit.
/etc/sysconfig/rhn/systemid:1: parser error : Document is empty
^
unable to parse /etc/sysconfig/rhn/systemid
SUSE Manager Parent [Uyuni_server.FQDNl]:
Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP Proxy []:
Traceback email []: <removed spammer bait>
You will now need to either generate or import an SSL certificate.
This SSL certificate will allow client systems to connect to this Uyuni Proxy
securely. Refer to the Uyuni Proxy Installation Guide for more information.
Do you want to import existing certificates? [y/N]: y
Path to CA SSL certificate: []: /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
Path to the Proxy Server's SSL key: []: /root/ssl-build/<proxy>.key
Path to the Proxy Server's SSL certificate: []: /root/ssl-build/<proxy>.crt
Installing SSL certificates:
XXX: User postgres does not exist
XXX: Group postgres does not exist
cp: '/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT' and '/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT' are the same file
WARNING: upon deactivation attempt: unknown error -
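An added check, not part of the original thread: before answering the import prompts with a CA file, key and certificate issued by an intermediate plus root CA, confirm that the certificate chains to the CA file and that the key belongs to the certificate. This only covers the import step, not the "Certificate not received from server" failure. The demo files are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# check_proxy_certs CA_BUNDLE KEY CERT
# returns 0 = consistent, 1 = cert does not chain to the bundle, 2 = key/cert mismatch
check_proxy_certs() {
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 || return 1
    # Compare public keys only; the private key itself is never printed.
    [ "$(openssl x509 -in "$3" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] || return 2
    return 0
}

# Build a throwaway root -> intermediate -> proxy chain in directory $1 (constructed data).
build_constructed_pki() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
    newkey() { openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout root.key -out root.crt -subj "/CN=Constructed Root CA" 2>/dev/null
    newkey int "Constructed Intermediate CA"
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_ca -days 2 -out int.crt 2>/dev/null
    newkey proxy "proxy.example.test"
    newkey other "other.example.test"       # unrelated key for the mismatch case
    openssl x509 -req -in proxy.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 2 -out proxy.crt 2>/dev/null
    cat int.crt root.crt > bundle.crt       # CA file holding intermediate and root
)

# Demo on constructed data. On a proxy, pass the three files given at the
# configure-proxy.sh import prompts instead.
demo=$(mktemp -d) && build_constructed_pki "$demo" &&
    check_proxy_certs "$demo/bundle.crt" "$demo/proxy.key" "$demo/proxy.crt" &&
    echo "bundle, key and certificate are consistent"
rm -rf "$demo"
```

A CA file that contains only the root makes the function return 1 for a certificate issued by the intermediate, which is the case to rule out with a two-level CA.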
Hi Paul-André,
I tried some weeks ago, and had the exact same behaviour:
# configure-proxy.sh --answer-file=/tmp/proxyanswers.txt
Requesting certificate from server. [1/20]
^CRequesting certificate from server. [2/20]
Requesting certificate from server. [3/20]
Requesting certificate from server. [4/20]
Requesting certificate from server. [5/20]
Requesting certificate from server. [6/20]
Requesting certificate from server. [7/20]
Requesting certificate from server. [8/20]
Requesting certificate from server. [9/20]
Requesting certificate from server. [10/20]
Requesting certificate from server. [11/20]
Requesting certificate from server. [12/20]
Requesting certificate from server. [13/20]
Requesting certificate from server. [14/20]
Requesting certificate from server. [15/20]
Requesting certificate from server. [16/20]
Requesting certificate from server. [17/20]
Requesting certificate from server. [18/20]
Requesting certificate from server. [19/20]
Requesting certificate from server. [20/20]
Certificate not received from server. Exit.
/etc/sysconfig/rhn/systemid:1: parser error : Document is empty
^
unable to parse /etc/sysconfig/rhn/systemid
SUSE Manager Parent [uyuni]: uyuni.gms.test
Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP Proxy []:
Traceback email [philippe.bidault@getronics.com]: philippe.bidault@getronics.com
You will now need to either generate or import an SSL certificate.
This SSL certificate will allow client systems to connect to this Uyuni Proxy
securely. Refer to the Uyuni Proxy Installation Guide for more information.
Do you want to import existing certificates? [N]: N
Organization [XX]: XX
Organization Unit [XX]: XX
Common Name [uyuni_proxy]: uyuni_proxy
City [XX]: XX
State [XX]: XX
Country code [XX]: XX
Email [philippe.bidault@getronics.com]: philippe.bidault@getronics.com
Cname aliases (separated by space) [uyuni_proxy]: uyuni_proxy
Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY.
Generating SSL key and public certificate.
Rotated out: 'server.key.6'
Backup made: 'server.key' --> 'server.key.1'
File 'rhn-server-openssl.cnf' is identical to its rotation. Nothing to do.
Rotated out: 'server.csr.6'
Backup made: 'server.csr' --> 'server.csr.1'
Rotated out: 'server.crt.6'
Backup made: 'server.crt' --> 'server.crt.1'
Installing SSL certificates:
XXX: User postgres does not exist
XXX: Group postgres does not exist
cp: '/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT' and '/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT' are the same file
WARNING: upon deactivation attempt: unknown error -
Bonjour Philippe,
Well, our server is at 2022.05 so presumably the proxy would be trying to install the same version in our case. I started trying to look through the code to figure out what was going on, but I wound up having to work on other higher priorities since. I did figure out that the "Requesting certificate from server." messages are coming from /usr/sbin/fetch-certificate, which is called by configure-proxy.sh, but that was about as far as I got. I hope to look at it more next week.
Cheers,
Paul-Andre Panon
From: Bidault, Philippe
Hi Paul,
From what I can see the salt event fired from the Uyuni proxy does not get the certificate, but for the moment I don't really know why.
On fetch-certificate script:
event.fire_master({}, REQUEST_TAG) # send event to master
data = event.get_event(
    full=False, auto_reconnect=True, no_block=False, match_type='fnmatch', tag=RESPONSE_TAG, wait=WAIT_RESPONSE)
print(data)
'data' returned is empty.
I have created https://github.com/uyuni-project/uyuni/issues/5573 to centralize the findings.
Regards,
Philippe.
From: Paul-Andre Panon