uyuni-project / uyuni

Source code for Uyuni
https://www.uyuni-project.org/
GNU General Public License v2.0

Certificate renewal fails with ERROR: No CA found for server certificate #8983

Open wizonet opened 2 days ago

wizonet commented 2 days ago

Problem description

I use a wildcard certificate from Let's Encrypt, which has to be renewed every three months.

This is actually a documented standard procedure that I always do in the same way - but there is now a problem with the command in the current renewal:

uyuni:~ # mgr-ssl-cert-setup --root-ca-file=/opt/cert/isrgrootx1.pem --intermediate-ca-file=/opt/cert/lets-encrypt-r3.pem --server-cert-file=/opt/cert/fullchain.pem --server-key-file=/opt/cert/privkey.pem

ERROR: No CA found for server certificate

Only the fullchain.pem and the privkey.pem are new. However, these are valid as I also use them in many other places (web server, firewall etc.).

The root and intermediate certificates have not changed either - they are from here: https://letsencrypt.org/certificates/

The renewal three months ago still worked without any problems with the same command.

Steps to reproduce

  1. Generate a new wildcard certificate at Let's Encrypt
  2. Copy to uyuni server
  3. Use mgr-ssl-cert-setup ...

Uyuni version

Repository     : uyuni-server-stable
Name           : Uyuni-Server-release
Version        : 2024.05-230900.217.1.uyuni3
Arch           : x86_64
Vendor         : obs://build.opensuse.org/systemsmanagement:Uyuni
Support Level  : Level 3
Installed Size : 1.4 KiB
Installed      : Yes
Status         : up-to-date
Source package : Uyuni-Server-release-2024.05-230900.217.1.uyuni3.src
Summary        : Uyuni Server
Description    : 
    Uyuni lets you efficiently manage physical, virtual,
    and cloud-based Linux systems. It provides automated and cost-effective
    configuration and software management, asset management, and system
    provisioning.

Uyuni proxy version (if used)

No response

Useful logs

No response

Additional information

No response

mcalmer commented 2 days ago

You give the fullchain.pem as server certificate. The command expects only the server cert here. The fullchain.pem can be provided with --intermediate-ca-file. This option can be used multiple times in this command.
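
As an added illustration of the point above (not Uyuni's own code, and not how mgr-ssl-cert-setup is implemented): a bundle such as fullchain.pem holds the leaf certificate followed by its intermediates, and the "No CA found" condition is the leaf's issuer name not matching the subject of any supplied CA. The script splits a PEM bundle, extracts issuer and subject from each certificate with a minimal DER walk, and looks the issuer up among the CAs; the certificates it builds for itself are constructed, unsigned fixtures whose names (R3, ISRG Root X1) are only chosen to mirror the files named in this issue.

```python
import base64
import re
# Added example, not Uyuni's own code: split a PEM bundle like fullchain.pem into its
# certificates and check that the leaf's issuer is among the supplied CA certificates.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem_bundle(text):
    """DER bytes of every CERTIFICATE block in the bundle, in file order (leaf first)."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_names(der):
    """Return (issuer, subject) of an X.509 cert as raw DER Name encodings, comparable with ==."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)                  # serialNumber
    _, _, p = _tlv(der, p)                  # signature AlgorithmIdentifier
    _, _, end = _tlv(der, p); issuer = der[p:end]; p = end
    _, _, p = _tlv(der, p)                  # validity
    _, _, end = _tlv(der, p); subject = der[p:end]
    return issuer, subject

def find_issuer(leaf_der, ca_ders):
    """Index of the CA whose subject equals the leaf's issuer, or None (the 'No CA found' case)."""
    issuer = cert_names(leaf_der)[0]
    return next((i for i, ca in enumerate(ca_ders) if cert_names(ca)[1] == issuer), None)

# Constructed fixtures: minimal unsigned certificate-shaped DER with just enough
# structure for the parser above; not real certificates and useless to a TLS stack.
def _der(tag, body):
    n = len(body)
    return bytes([tag, n]) + body if n < 128 else bytes([tag, 0x82]) + n.to_bytes(2, "big") + body
def _name(cn):                              # Name: SEQUENCE { SET { SEQUENCE { OID id-at-cn, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Run against a real fullchain.pem, `split_pem_bundle` yields the leaf (what --server-cert-file wants) followed by the intermediates (what --intermediate-ca-file wants), and `find_issuer` tells you which of your CA files actually issued the leaf.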

wizonet commented 2 days ago

Ok, has this changed approximately 3 months ago? Because I have used the fullchain.pem as server certificate in uyuni for years with exactly this command.

Also all apache vhosts and appliances accept the fullchain.pem as server certificate without any problem.

wizonet commented 2 days ago

Tried this - but it will also fail:

mgr-ssl-cert-setup --root-ca-file=/opt/cert/isrgrootx1.pem --intermediate-ca-file=/opt/cert/lets-encrypt-r3.pem --intermediate-ca-file=/opt/cert/fullchain.pem --server-cert-file=/opt/cert/cert.pem --server-key-file=/home/wzowim00/cert/privkey.pem

After changing the server certificate please execute:
$> spacewalk-service stop
$> systemctl restart postgresql.service
$> spacewalk-service start

As the CA certificate has been changed, please deploy the CA to all registered clients. On salt-managed clients, you can do this by applying the highstate. Failed to upload CA Certificate to DB: ERROR: can't find CA certificate at this location: -

ERROR: Failed to upload CA Certificate to DB

wizonet commented 2 days ago

I found this logfile, which contains the last successful attempt as well as the currently failed one.

/var/log/rhn/mgr-ssl-cert-setup.log:

2024/04/06 18:58:04 +02:00: /usr/lib/python3.6/site-packages/certs/mgr_ssl_cert_setup.py.processCommandline(103) - ['/usr/bin/mgr-ssl-cert-setup', '--root-ca-file=/opt/cert/isrgrootx1.pem', '--intermediate-ca-file=/opt/cert/lets-encrypt-r3.pem', '--server-cert-file=/opt/cert/fullchain.pem', '--server-key-file=/opt/cert/privkey.pem']
2024/04/06 18:58:04 +02:00: /usr/lib/python3.6/site-packages/certs/mgr_ssl_cert_setup.py.deployApache(460) - After changing the server certificate please execute: $> spacewalk-service stop
2024/04/06 18:58:04 +02:00: /usr/lib/python3.6/site-packages/certs/mgr_ssl_cert_setup.py.deployPg(475) - $> systemctl restart postgresql.service
2024/04/06 18:58:08 +02:00: /usr/lib/python3.6/site-packages/certs/mgr_ssl_cert_setup.py.deployCAUyuni(518) - $> spacewalk-service start
As the CA certificate has been changed, please deploy the CA to all registered clients. On salt-managed clients, you can do this by applying the highstate.

2024/06/28 18:56:40 +02:00: /usr/lib/python3.6/site-packages/certs/mgr_ssl_cert_setup.py.processCommandline(117) - ['/usr/bin/mgr-ssl-cert-setup', '--root-ca-file=/opt/cert/isrgrootx1.pem', '--intermediate-ca-file=/opt/cert/lets-encrypt-r3.pem', '--server-cert-file=/opt/cert/fullchain.pem', '--server-key-file=/opt/cert/privkey.pem']
2024/06/28 18:56:41 +02:00: /usr/lib/python3.6/site-packages/certs/mgr_ssl_cert_setup.py.writeError(713) - ERROR: No CA found for server certificate

mcalmer commented 2 days ago

For easier debugging it would be helpful if you could provide all the certificates. NOT the private key please :-)

wizonet commented 2 days ago

lets-encrypt-r3.zip

The ZIP includes: lets-encrypt-r3.pem, isrgroot1.pem, fullchain.pem

I just downloaded the lets-encrypt-r3.pem and isrgroot1.pem from https://letsencrypt.org/certificates/ and made a diff against my files, but there were no differences, so I think these root and intermediate certificates are still valid.