kickstartfile-sync failed, cobbler-sync failed
Hi,
for some weeks now we have been receiving (usually after a reboot of the Uyuni server) "TASKOMATIC NOTIFICATIONS": Subtask kickstartfile-sync failed. Subtask cobbler-sync failed.
In the log file /var/log/rhn/rhn_taskomatic_daemon.log we see messages like these:
2023-01-30 18:15:00,201 [DefaultQuartzScheduler_Worker-12] ERROR com.redhat.rhn.manager.kickstart.cobbler.CobblerLoginCommand - XmlRpcFault while logging in. most likely user doesn't have permissions. redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
2023-01-30 18:16:00,116 [DefaultQuartzScheduler_Worker-17] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Message: We had an error trying to login.
2023-01-30 18:16:00,116 [DefaultQuartzScheduler_Worker-17] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Cause: {} redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
+
2023-01-30 18:37:00,057 [DefaultQuartzScheduler_Worker-9] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Stack trace:com.redhat.rhn.manager.kickstart.cobbler.NoCobblerTokenException: We had an error trying to login. [..] Caused by: redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
Actually we renewed our internal Root-CA certificate last month, added a new certificate chain to /etc/apache2/ssl.crt/ and included it in /etc/apache2/vhosts.d/vhost-ssl.conf. Web browsers show the updated certificate chain. Initially we forgot to add the new Root-CA certificate to /etc/ssl/certs/ (+ run "update-ca-certificates") but this has been fixed in the meantime.
I wonder if /etc/ssl/ca-bundle.pem is used by Apache Tomcat for validation of SSL server certificates?
Any other ideas?
Regards, Tobias Crefeld.
You also need to update the certificate for jabberd and you should also add this new root CA to the system certificates path.
On 30 Jan. 2023, 18:54, at 18:54, "Crefeld, Tobias LKV Bayern e.V." <tobias.crefeld@lkv.bayern.de> wrote:
> Hi,
> for some weeks now we have been receiving (usually after a reboot of the Uyuni server) "TASKOMATIC NOTIFICATIONS": Subtask kickstartfile-sync failed. Subtask cobbler-sync failed.
> In the log file /var/log/rhn/rhn_taskomatic_daemon.log we see messages like these:
> 2023-01-30 18:15:00,201 [DefaultQuartzScheduler_Worker-12] ERROR com.redhat.rhn.manager.kickstart.cobbler.CobblerLoginCommand - XmlRpcFault while logging in. most likely user doesn't have permissions. redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
> 2023-01-30 18:16:00,116 [DefaultQuartzScheduler_Worker-17] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Message: We had an error trying to login.
> 2023-01-30 18:16:00,116 [DefaultQuartzScheduler_Worker-17] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Cause: {} redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
> +
> 2023-01-30 18:37:00,057 [DefaultQuartzScheduler_Worker-9] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Stack trace:com.redhat.rhn.manager.kickstart.cobbler.NoCobblerTokenException: We had an error trying to login. [..] Caused by: redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
> Actually we renewed our internal Root-CA certificate last month, added a new certificate chain to /etc/apache2/ssl.crt/ and included it in /etc/apache2/vhosts.d/vhost-ssl.conf. Web browsers show the updated certificate chain. Initially we forgot to add the new Root-CA certificate to /etc/ssl/certs/ (+ run "update-ca-certificates") but this has been fixed in the meantime.
> I wonder if /etc/ssl/ca-bundle.pem is used by Apache Tomcat for validation of SSL server certificates?
> Any other ideas?
> Regards, Tobias Crefeld.
Hi Robert,
thank you for your hints! There is no jabberd. Looking at the docs, it seems that it is only used for "Traditional Clients". We run salt client only.
Meanwhile I found the reason for the error: update-ca-certificates on openSUSE doesn't work as it does on other Linux OSes. Usually I put the (root) cert into the directory /etc/ssl/certs/, run the script, and the system's CA bundle gets updated. On openSUSE this script removes the new root certificate from this directory without using it. On the other hand, a server certificate that has been saved there doesn't get removed...
I found the solution at https://unix.stackexchange.com/questions/80131/how-do-i-install-a-system-wid... : On openSUSE I have to push the new root CA to /etc/pki/trust/anchors/ and the script collects it to build the new CA bundle. After some minutes the two jobs returned to work.
To answer my question: It seems that Apache Tomcat is using the CA bundle of the OS.
Thanks, Tobias.
-----Original Message-----
From: Robert Paschedag [mailto:robert.paschedag@web.de]
Sent: Monday, 30 January 2023 19:13
To: Paul-Andre Panon via Uyuni Users <users@lists.uyuni-project.org>
Subject: Re: kickstartfile-sync failed, cobbler-sync failed
You also need to update the certificate for jabberd and you should also add this new root CA to the system certificates path.
On 30 Jan. 2023, 18:54, at 18:54, "Crefeld, Tobias LKV Bayern e.V." <tobias.crefeld@lkv.bayern.de> wrote:
> Hi,
> for some weeks now we have been receiving (usually after a reboot of the Uyuni server) "TASKOMATIC NOTIFICATIONS": Subtask kickstartfile-sync failed. Subtask cobbler-sync failed.
> In the log file /var/log/rhn/rhn_taskomatic_daemon.log we see messages like these:
> 2023-01-30 18:15:00,201 [DefaultQuartzScheduler_Worker-12] ERROR com.redhat.rhn.manager.kickstart.cobbler.CobblerLoginCommand - XmlRpcFault while logging in. most likely user doesn't have permissions. redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
> 2023-01-30 18:16:00,116 [DefaultQuartzScheduler_Worker-17] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Message: We had an error trying to login.
> 2023-01-30 18:16:00,116 [DefaultQuartzScheduler_Worker-17] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Cause: {} redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
> +
> 2023-01-30 18:37:00,057 [DefaultQuartzScheduler_Worker-9] ERROR com.redhat.rhn.taskomatic.task.CobblerSyncTask - Stack trace:com.redhat.rhn.manager.kickstart.cobbler.NoCobblerTokenException: We had an error trying to login. [..] Caused by: redstone.xmlrpc.XmlRpcFault: <class 'ssl.SSLError'>:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
> Actually we renewed our internal Root-CA certificate last month, added a new certificate chain to /etc/apache2/ssl.crt/ and included it in /etc/apache2/vhosts.d/vhost-ssl.conf. Web browsers show the updated certificate chain. Initially we forgot to add the new Root-CA certificate to /etc/ssl/certs/ (+ run "update-ca-certificates") but this has been fixed in the meantime.
> I wonder if /etc/ssl/ca-bundle.pem is used by Apache Tomcat for validation of SSL server certificates?
> Any other ideas?
> Regards, Tobias Crefeld.
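The failure and fix described in this thread, reproduced offline as an added example that is not part of the original messages: a server certificate issued by a renewed root fails verification against a CA bundle that lacks that root, and passes once the bundle has been rebuilt with it. All subject names and file names are constructed, the function names are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example; every subject name and file below is constructed for the demo.

# chain_trusted CERT BUNDLE: succeeds only if CERT chains to a CA in BUNDLE.
chain_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: an "old" root, a renewed "new" root, and a server
# certificate issued by the new root (the state after the CA renewal).
make_demo_pki() {
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Demo Root CA $ca" \
            -keyout "$1/$ca-root.key" -out "$1/$ca-root.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=uyuni.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -days 30 -CAcreateserial \
        -CA "$1/new-root.pem" -CAkey "$1/new-root.key" \
        -out "$1/server.pem" 2>/dev/null
}

# run_demo: prints the verification result against the stale bundle
# (old root only) and the rebuilt bundle (old and new root).
run_demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    cp "$dir/old-root.pem" "$dir/bundle-stale.pem"
    cat "$dir/old-root.pem" "$dir/new-root.pem" > "$dir/bundle-rebuilt.pem"
    if chain_trusted "$dir/server.pem" "$dir/bundle-stale.pem"; then stale=OK; else stale=FAIL; fi
    if chain_trusted "$dir/server.pem" "$dir/bundle-rebuilt.pem"; then rebuilt=OK; else rebuilt=FAIL; fi
    rm -rf "$dir"
    echo "stale-bundle=$stale rebuilt-bundle=$rebuilt"
}

run_demo

# On the openSUSE server from the thread, the equivalent steps would be
# (paths from the thread; new-root.pem and server.pem are placeholder names):
#   cp new-root.pem /etc/pki/trust/anchors/ && update-ca-certificates
#   openssl verify -CAfile /etc/ssl/ca-bundle.pem server.pem
```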
participants (2)
- Crefeld, Tobias LKV Bayern e.V.
- Robert Paschedag