
help with pointing to internal rhn satellite

Open mvanwinkle opened this issue 12 years ago • 8 comments

Greetings.

We're trying to use mrepo against an internal RHN satellite. I've read up on some of the RHEL tools for managing PKI stuff, but I don't know what the "best" / "shortest" way of handling this is.

During the mrepo server's creation, I registered it against RHN through a proxy, and now I'm wondering if I should just wipe the server and start clean; unless I can do something with "internal-satellite-server"'s keys.

Here's the output I'm getting:

rhel6s-x86_64: Mirror packages from rhns://internal-satellite-server/rhel-x86_64-server-6 to /app/mrepo/srcdir/rhel6s-x86_64/updates
Traceback (most recent call last):
  File "/usr/bin/rhnget", line 517, in <module>
    main()
  File "/usr/bin/rhnget", line 498, in main
    mirrorrhn(op.uri, op.destination)
  File "/usr/bin/rhnget", line 352, in mirrorrhn
    systemid = rhnlogin(url, path)
  File "/usr/bin/rhnget", line 319, in rhnlogin
    li = rpcServer.doCall(server.up2date.login, systemid)
  File "/usr/share/mrepo/up2date_client/rpcServer.py", line 234, in doCall
    ret = apply(method, args, kwargs)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/share/mrepo/up2date_client/rpcServer.py", line 44, in _request1
    ret = self._request(methodname, params)
  File "/usr/share/mrepo/rhn/rpclib.py", line 319, in _request
    request, verbose=self._verbose)
  File "/usr/share/mrepo/rhn/transports.py", line 171, in request
    headers, fd = req.send_http(host, handler)
  File "/usr/share/mrepo/rhn/transports.py", line 700, in send_http
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 759, in send
    self.sock.sendall(str)
  File "/usr/share/mrepo/rhn/SSL.py", line 216, in write
    sent = self._connection.send(data)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
mrepo: Mirroring failed for rhns://internal-satellite-server/rhel-x86_64-server-6 with message: Failed with return code: 256

mvanwinkle, Aug 20 '12 20:08

Find the original RHN server certificate on the mrepo server (/usr/share/rhn/RHNS-CA-CERT), and replace it with the one from the internal-satellite server. I think this is done as part of registering the server (running mrepo) with the internal satellite as well.

I would recommend registering the server running mrepo with the RHN Satellite server it is pulling from. At the moment mrepo cannot pull from more than one RHN (satellite) server because of this, although there is an option sslCACert that you can configure in /etc/sysconfig/rhn/up2date to change the location of the certificate. I guess we could teach rhnget to use a different certificate and make mrepo expose this to rhnget. Maybe this deserves its own feature request (although nobody ever requested this...)

dagwieers, Aug 21 '12 12:08

Thanks for your response; I had gone through different permutations of registering the machine to RHN, to our satellite, etc, but somewhere a key must have gotten clogged or something. I'll try building again.

Another question: if the satellite is registered against an internal satellite (i.e. the satellite the machine is registered to is listed in /etc/sysconfig/rhn/up2date), does the URI rhns:///rhel-x86_64-server-ha-6 still point to rhn.redhat.com?

mvanwinkle, Aug 21 '12 13:08

On Tue, 21 Aug 2012, mvanwinkle wrote:

> Thanks for your response; I had gone through different permutations of registering the machine to RHN, to our satellite, etc, but somewhere a key must have gotten clogged or something. I'll try building again.
>
> Another question: if the satellite is registered against an internal satellite (i.e. the satellite the machine is registered to is listed in /etc/sysconfig/rhn/up2date), does the URI rhns:///rhel-x86_64-server-ha-6 still point to rhn.redhat.com?

Yes, an empty server-name means xmlrpc.rhn.redhat.com.

-- dag wieers, [email protected], http://dag.wieers.com/
-- dagit linux solutions, [email protected], http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]

dagwieers, Aug 21 '12 13:08
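
Added example, not part of the thread and not mrepo or rhnget code: a small shell check for the situation discussed above, where the rhns:// URI names one server while /etc/sysconfig/rhn/up2date (serverURL, sslCACert) still describes another. The function names are hypothetical, the config is a constructed sample, and the key=value layout with `key[comment]=` description lines is assumed.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not mrepo's.

# Value of KEY in an up2date-style file; "key[comment]=" lines are skipped.
up2date_get() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Host of an rhns:// URI; an empty host means xmlrpc.rhn.redhat.com.
uri_host() {
    host=${1#rhns://}; host=${host%%/*}
    printf '%s\n' "${host:-xmlrpc.rhn.redhat.com}"
}

# Host of an https:// serverURL, without port or path.
url_host() {
    host=${1#*://}; host=${host%%/*}
    printf '%s\n' "${host%%:*}"
}

# Compare the mrepo source URI with what up2date is configured to trust.
check_source() {
    want=$(uri_host "$1")
    have=$(url_host "$(up2date_get serverURL "$2")")
    ca=$(up2date_get sslCACert "$2")
    if [ "$want" = "$have" ]; then
        echo "ok: $want matches serverURL, up2date trusts $ca"
    else
        echo "mismatch: URI wants $want, but serverURL is $have (CA: $ca)"
        return 1
    fi
}

# Needs network access, so it is not called below: ask OpenSSL whether
# the server's chain verifies against the configured CA file.
probe_tls() {
    openssl s_client -connect "$1:443" -CAfile "$2" </dev/null 2>/dev/null |
        grep 'Verify return code'
}

# Constructed sample of /etc/sysconfig/rhn/up2date, still pointing at RHN.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHNS-CA-CERT
serverURL[comment]=Remote server URL
serverURL=https://xmlrpc.rhn.redhat.com/XMLRPC
EOF
check_source rhns://internal-satellite-server/rhel-x86_64-server-6 "$sample_conf" || true
check_source rhns:///rhel-x86_64-server-ha-6 "$sample_conf"
```

On a real host, pass /etc/sysconfig/rhn/up2date as the second argument to check_source.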

I'm successfully mirroring a channel. I need to mess around with it a bit more, but yeah, it would be cool to be able to specify the rhn server and the cert to use. Thanks for your help.

mvanwinkle, Aug 21 '12 19:08

Actually, the ability to specify what cert to use is even more useful when you want to install mrepo on the same box as your RHN satellite.

Then, this might also be nuts, but, another script (if you installed mrepo on the satellite) could potentially symlink the rpms from /var/satellite.

mvanwinkle, Aug 23 '12 15:08

Is there a way to pass the fqdn of the satellite RHN server you want to register against?

mvanwinkle, Aug 23 '12 16:08

rephrasing: /usr/bin/gensystemid - can I tell it what satellite I want to register against? Or does it just assume I want to create a system ID on the satellite the system is registered to?

mvanwinkle, Aug 23 '12 16:08

This is old, but I was looking at it recently. gensystemid uses whatever your rhn is configured for, so by default it's redhat rhn. If you have registered with your own satellite, it will try and register against that.

stephenjamieson, Jun 10 '14 21:06