Latest revision as of 09:50, 23 November 2022
SuSE Manager
Channels
Refresh channel list
# mgr-sync refresh
List available channels
# mgr-sync list channels
Add Channel
# mgr-sync add channel <channel>
Delete Channel
# spacewalk-remove-channel -c <channel>
Create a frozen channel
Clone a channel (which is like a snapshot) and add a timestamp at the end of the name:
# spacecmd softwarechannel_clonetree -s '<channel or pool>' -x "s/\$/-$(date '+%Y-%m-%d_%H:%M:%S')/"
e.g.:
# spacecmd softwarechannel_clonetree -s 'sles12-sp3-pool-x86_64' -x "s/\$/-$(date '+%Y-%m-%d_%H:%M:%S')/"
will result in a new channel pool named e.g. sles12-sp3-pool-x86_64-2017-11-22_14:26:42
Compose your own channel
# spacecmd
spacecmd {SSM:0}> softwarechannel_create -n OpenSuSE -l opensuse -a x86_64 -c sha256
spacecmd {SSM:0}> repo_create -n opensuse-database-sles12-sp2-x86_64 -u https://download.opensuse.org/repositories/server:/database/SLE_12_SP2/
spacecmd {SSM:0}> repo_create -n opensuse-database-sles12-sp3-x86_64 -u https://download.opensuse.org/repositories/server:/database/SLE_12_SP3/
spacecmd {SSM:0}> repo_list
opensuse-database-sles12-sp2-x86_64
opensuse-database-sles12-sp3-x86_64
spacecmd {SSM:0}> softwarechannel_addrepo opensuse opensuse-database-sles12-sp2-x86_64
spacecmd {SSM:0}> softwarechannel_addrepo opensuse opensuse-database-sles12-sp3-x86_64
spacecmd {SSM:0}> quit
# spacewalk-repo-sync -c opensuse
Bootstrap
Create bootstrap repo
Do it for each channel!
# mgr-create-bootstrap-repo
Create bootstrap shell scripts in /srv/www/htdocs/pub/bootstrap
Do not forget to look up the available activation keys first:
# spacecmd -s susemanager.server.de -u mytestuser -q activationkey_list
6-sles11-sp3-x86_64
6-sles11-sp4-x86_64
6-sles12-default
6-sles12-sp0-x86_64
6-sles12-sp1-x86_64
6-sles12-sp2-x86_64
6-sles12-sp3-x86_64
6-sles12-sp4-x86_64
6-sles12-sp5-x86_64
6-sles15-sp0-x86_64
6-sles15-sp1-x86_64
6-sles15-sp2-x86_64
# mgr-bootstrap --traditional --script=My-New-SLES11-SP4.sh --activation-keys=6-sles11-sp4-x86_64
Activation keys
List available activation keys
web: Systems -> Activation Keys
# spacecmd -q activationkey_list
6-sles11-sp3-x86_64
6-sles11-sp4-x86_64
6-sles12-sp0-x86_64
6-sles12-sp1-x86_64
6-sles12-sp2-x86_64
6-sles12-sp3-x86_64
spacecmd
Just some useful spacecmd commands
# spacecmd system_list
rhn-search
Clean up the search index
# rhn-search cleanindex
Troubleshooting
Clients
Error code: Curl error 59 / Error message: failed setting cipher list: DEFAULT_SUSE
# zypper refresh
...
Error code: Curl error 59
Error message: failed setting cipher list: DEFAULT_SUSE
...
The immediate reason is that newer zypper versions call curl with a cipher list named "DEFAULT_SUSE", which curl 7.37.0-37.17.1 rejects on this system (7.37.0-28.1 is OK). The root cause turned out to be a mixed-up OpenSSL library, see the note further down.
Now add any repository that carries the original packages for this SLES version, e.g. the ISO the system was installed from:
# zypper addrepo --check --type yast2 'iso:///?iso=/install/OS/suse/iso/SLE-12-SP2-Server-DVD-x86_64-GM-DVD1.iso' 'SLES12-SP2-12.2-0'
Adding repository 'SLES12-SP2-12.2-0' ...........................................................................................................[done]
Repository 'SLES12-SP2-12.2-0' successfully added
Enabled : Yes
Autorefresh : No
GPG Check : Yes
Priority : 99
URI : iso:///?iso=/install/OS/suse/iso/SLE-12-SP2-Server-DVD-x86_64-GM-DVD1.iso
or, if it already exists, enable it:
# zypper modifyrepo --enable SLES12-SP2-12.2-0
Reinstall the curl packages from the ISO repository, i.e. the older build that still works with the cipher list DEFAULT_SUSE (quote the glob so the shell does not expand it):
# zypper install --force --repo SLES12-SP2-12.2-0 $(rpm --query --all '*curl*' --queryformat '%{NAME} ')
And disable the ISO repository:
# zypper modifyrepo --disable SLES12-SP2-12.2-0
Done.
Note: After some further debugging we found the root cause: the library search path made the dynamic linker load the wrong OpenSSL library.
# curl --version ; zypper --version
curl 7.37.0 (x86_64-suse-linux-gnu) libcurl/7.37.0 OpenSSL/1.0.2h zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
zypper 1.13.40
In our version of curl it should be OpenSSL/1.0.2j.
# rpm -qv openssl
openssl-1.0.2j-60.24.1.x86_64
# openssl version
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.2j-fips 26 Sep 2016 (Library: OpenSSL 1.0.2h-fips 3 May 2016)
Ha! Ok... then after looking at the system library path, we got a clue ;-):
# ldconfig -p | grep ssl
libssl.so.1.0.0 (libc6,x86-64) => /usr/lib/nsr/lib64/libssl.so.1.0.0
libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
libssl.so.1.0.0 (libc6) => /usr/lib/nsr/libssl.so.1.0.0
libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5
libcommonssl.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl.so
libcommonssl.so (libc6) => /usr/lib/nsr/libcommonssl.so
libcommonssl-9.2.1.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl-9.2.1.so
The problem was a file in /etc/ld.so.conf.d/ that put /usr/lib/nsr/lib64 into the system library path. That directory contains another libssl.so.1.0.0, version 1.0.2h, and because it is listed first, every program on the host got it instead of the system's 1.0.2j. OK. What to do?
# rm /etc/ld.so.conf.d/problematic.conf
# rm /etc/ld.so.cache
# ldconfig
Check the success:
# ldconfig -p | grep ssl
libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5
Now you just have to get the other software (here: NetWorker) running without it manipulating the system library path: an entry in /etc/ld.so.conf.d/ affects every dynamically linked program on the host, not only the product that shipped it, and an update of that product may well recreate the file.
Last check for our case: does our NetWorker use its own SSL libraries?
# ls -al /proc/$(pgrep --full /usr/sbin/nsrexecd)/map_files | egrep "lib(ssl|crypto)"
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bb73000-7f9d1bdc7000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bdc7000-7f9d1bec7000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bec7000-7f9d1bef3000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bfab000-7f9d1c00c000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1c00c000-7f9d1c10c000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1c10c000-7f9d1c116000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0
Yep. Great!
Remove spacewalk from client
So the way to get rid of spacewalk is:
# zypper remove --clean-deps spacewalksd spacewalk-check zypp-plugin-spacewalk spacewalk-client-tools
Register at SuSE Manager
After that, re-register the server with the SUSE Manager like this:
# /usr/bin/wget --no-check-certificate -O - https://susemgr.server.tld/pub/bootstrap/yourbootstrap.sh | bash
--no-check-certificate disables TLS verification for a script that is piped straight into a root shell, so do this only on a network you trust; once the client has the CA certificate (RHN-ORG-TRUSTED-SSL-CERT, which the bootstrap script itself installs), wget --ca-certificate=<path to RHN-ORG-TRUSTED-SSL-CERT> works without that option.
Update SuSE Manager certificate
Create work place
# mkdir ~/ssl-build
# mkdir ~/ssl-build/$(hostname --short)
# cd ~/ssl-build
Build RHN-ORG-TRUSTED-SSL-CERT and rhn-org-trusted-ssl-cert-1.0-*.noarch.rpm from your existing CA certificate (~ does not expand inside double quotes, so use $HOME):
# rhn-ssl-tool --gen-ca --rpm-only --dir="$HOME/ssl-build" --from-ca-cert=<path to your CA certificate file>
# openssl x509 -noout -subject -dates -in ~/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
subject=C = DE, O = Hosting, CN = My-CA
notBefore=Mar 22 12:28:05 2017 GMT
notAfter=Mar 22 12:38:05 2027 GMT
# ls -al ~/ssl-build/*.rpm
...
-rw-r--r-- 1 root root 18262 17. Nov 12:10 rhn-org-trusted-ssl-cert-1.0-17.noarch.rpm
-rw-r--r-- 1 root root 16672 17. Nov 12:10 rhn-org-trusted-ssl-cert-1.0-17.src.rpm
Generate CSR
# cd ~/ssl-build/$(hostname --short)
# declare -a hosts=( "susemgr.tld.de" "othername.tld.de" "anotheranothername.tld.de" )
# subject_without_cn='/C=DE/ST=Hamburg/L=Hamburg/O=Hosting/OU=Administration'
# emailAddress='suselinux-admin@tld.de'
# san=$(printf 'DNS:%s,' "${hosts[@]}"); san=${san%,}
# umask 077
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr -batch -subj "${subject_without_cn}/CN=${hosts[0]}/emailAddress=${emailAddress}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=${san}\n"))
Generating a RSA private key
...............................................++++
.................................................................................................................................................................++++
writing new private key to 'server.key'
-----
The first host becomes the CN and every host a SAN, however many there are; the e-mail address belongs in its own emailAddress field, not appended to the OU. umask 077 makes sure server.key is created readable by root only, regardless of the OpenSSL version. Check the request:
# openssl req -noout -verify -text -in server.csr 2>&1 | grep -E "(verify|Subject:|DNS:)"
verify OK
        Subject: C = DE, ST = Hamburg, L = Hamburg, O = Hosting, OU = Administration, CN = susemgr.tld.de, emailAddress = suselinux-admin@tld.de
                DNS:susemgr.tld.de, DNS:othername.tld.de, DNS:anotheranothername.tld.de
Generate RPMs from certificate and key
Have your CA sign server.csr and save the returned certificate as server.crt next to server.key in ~/ssl-build/$(hostname --short)/; with --rpm-only, rhn-ssl-tool packages the server.key and server.crt it finds there:
# rhn-ssl-tool --gen-server --rpm-only --dir="/root/ssl-build"
...working...
Generating web server's SSL key pair/set RPM:
/root/ssl-build/susemgr/rhn-org-httpd-ssl-key-pair-susemgr-1.0-3.src.rpm
/root/ssl-build/susemgr/rhn-org-httpd-ssl-key-pair-susemgr-1.0-3.noarch.rpm
The most current SUSE Manager Proxy installation process against SUSE Manager hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.
Generating the web server's SSL key set and CA SSL public certificate archive:
/root/ssl-build/susemgr/rhn-org-httpd-ssl-archive-susemgr-1.0-3.tar
Deploy the server's SSL key pair/set RPM:
(NOTE: the SUSE Manager or Proxy installers may do this step for you.)
The "noarch" RPM needs to be deployed to the machine working as a
web server, or SUSE Manager, or SUSE Manager Proxy.
Presumably 'susemgr.tld.de'.
Install certificate and key in the apache directories
Install the latest version (rpm -U replaces the previous one; grep -o picks only the file name out of latest.txt):
# cd /root/ssl-build/susemgr
# rpm -Uvh $(grep -oE "rhn-org-httpd-ssl-key-pair-.*\.noarch\.rpm" latest.txt)
Check:
# openssl x509 -noout -in /etc/apache2/ssl.crt/server.crt -dates
notBefore=Nov 16 08:35:35 2022 GMT
notAfter=Nov 16 08:35:35 2023 GMT
I don't know the SuSE way to do it, but this works:
# cp -p /etc/apache2/ssl.crt/server.crt /etc/pki/tls/certs/spacewalk.crt
# cp -p /etc/apache2/ssl.key/server.key /etc/pki/tls/private/spacewalk.key
# cp -p /etc/apache2/ssl.key/server.key /etc/pki/tls/private/pg-spacewalk.key
# chmod 0640 /etc/pki/tls/private/pg-spacewalk.key
# chgrp postgres /etc/pki/tls/private/pg-spacewalk.key
# spacewalk-service restart
# echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 16 08:35:35 2022 GMT
notAfter=Nov 16 08:35:35 2023 GMT
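The s_client check above only shows the dates. The script below is an added example, not part of the original notes or of SUSE Manager: it verifies that the deployed key actually belongs to the certificate (the cp steps above copy the key to three places and a stale copy in one of them is easy to miss), that the certificate chains to RHN-ORG-TRUSTED-SSL-CERT and carries the hostname clients use in its SAN, that it is not about to expire, and that the PostgreSQL copy has the 0640/postgres permissions set above. The default paths are the ones used on this page and are assumptions; the --demo mode builds a throwaway CA and server certificate in a temporary directory (constructed here, not real infrastructure) so the checks can be exercised without touching /etc.

```shell
#!/bin/bash
# Added example, not from the original page: post-deployment checks for the
# SUSE Manager web certificate. Paths below are assumptions taken from the notes.
set -u

# Does the private key belong to the certificate? Compare the PEM public keys.
key_matches_cert() {  # <key> <crt>
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the certificate chain to the CA the clients trust (RHN-ORG-TRUSTED-SSL-CERT)
# and does its SAN cover the name clients use to reach the server?
cert_valid_for_host() {  # <crt> <ca> <hostname>
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Will the certificate still be valid in <days> (default 30)?
cert_not_expiring() {  # <crt> [days]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Is a key copy restricted to the expected mode and group (pg-spacewalk.key: 640 postgres)?
key_perms_ok() {  # <key> <mode> <group>
    [ "$(stat -c '%a %G' "$1")" = "$2 $3" ]
}

# Run the certificate checks; returns 0 only when all pass and names the first failure.
check_deployed() {  # <crt> <key> <ca> <hostname>
    key_matches_cert "$2" "$1"         || { echo "FAIL: $2 does not match $1"; return 1; }
    cert_valid_for_host "$1" "$3" "$4" || { echo "FAIL: $1 does not verify for $4 against $3"; return 1; }
    cert_not_expiring "$1" 30          || { echo "FAIL: $1 expires within 30 days"; return 1; }
    echo "OK: $1 matches $2, chains to $3, covers $4"
}

# Throwaway fixture (constructed, not real infrastructure): a CA and a server
# certificate with the SANs from the CSR section, plus an unrelated key.
make_fixture() {  # <dir>
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj '/C=DE/O=Hosting/CN=My-CA' -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/C=DE/O=Hosting/CN=susemgr.tld.de' \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:susemgr.tld.de,DNS:othername.tld.de\n' > "$d/san.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$d/san.cnf" -out "$d/server.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}

# Usage:  ./check-cert.sh --demo      exercise the checks on the throwaway fixture
#         ./check-cert.sh --check     check the live files (override CRT, KEY, CA, HOST)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_fixture "$tmp" \
        && check_deployed "$tmp/server.crt" "$tmp/server.key" "$tmp/ca.crt" susemgr.tld.de
    rm -rf "$tmp"
elif [ "${1:-}" = "--check" ]; then
    check_deployed "${CRT:-/etc/apache2/ssl.crt/server.crt}" "${KEY:-/etc/apache2/ssl.key/server.key}" \
        "${CA:-/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT}" "${HOST:-$(hostname -f)}"
    key_perms_ok "${PGKEY:-/etc/pki/tls/private/pg-spacewalk.key}" 640 postgres \
        || echo "FAIL: ${PGKEY:-/etc/pki/tls/private/pg-spacewalk.key} is not 0640 root:postgres"
fi
```

Run it with --check after spacewalk-service restart, once with the apache paths and once with CRT=/etc/pki/tls/certs/spacewalk.crt KEY=/etc/pki/tls/private/spacewalk.key, so that all three key copies are confirmed to match the certificate clients see.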