UPDATE: The replacement certificate mentioned in this article expired July 13, 2018. Please see the link to the spacewalk project github wiki https://github.com/spacewalkproject/spacewalk/wiki/Refreshing-certificate posted in the comments by Dipak. Thank you for sharing!
I woke up this morning to a disturbing email from my CentOS 6.5 server running spacewalk 2.1:
Dear Spacewalk User,
This email is being sent to you to inform you that your Spacewalk Certificate has expired on your myserverFQDN server. After 7 day(s) the systems management services provided by your Spacewalk Server will be restricted for 24 days.
After that the services will become inaccessible.
Thank you for using Spacewalk.
–the Spacewalk Team
Browsing to the login page also prompts you with a similar message.
Your satellite certificate has expired. Please visit the following link for steps on how to request or generate a new certificate:https://access.redhat.com/knowledge/tools/satcert Your satellite enters restricted period in 6 day(s).
It was unpleasant to wake up to because I remember how much of a PITA it was to get my certificates to play nice with tomcat, jabber, and all of the other spacewalk components during the initial deployment. After some research I found that this certificate has nothing to do with the SSL certs I’d dealt with in the past. These alerts are in regards to a PGP certificate used for licensing and activation of spacewalk. Unfortunately there is not a lot of recent documentation on this. I did come across an article here https://fedorahosted.org/spacewalk/wiki/CertCreation that looked like it might be useful, and after downloading the attached template, downloading the perl script, and installing the perl prerequisites, I came to a hard stop on one of the last steps with this error:
RHN::Exception: invalid root
RHN::Cert /usr/share/perl5/vendor_perl/RHN/Cert.pm 52 RHN::Exception::throw
main gen-oss-sat-cert.pl 62 RHN::Cert::parse_cert
After some more research I found admins that were having this issue in 2010 here https://www.redhat.com/archives/spacewalk-list/2010-July/msg00042.html. They were able to overcome the issue by downloading a copy of the latest certificate. With this, I began to focus my research on a newer certificate hoping I could just replace the expired one with one redhat created for a newer version of spacewalk. Fortunately I was able to find an admin here https://www.redhat.com/archives/spacewalk-list/2014-December/msg00039.html that provided output on a newer certificate that expires in 2018. After some slight modifications to make it match the format found in the existing certificate, I came up with this:
<?xml version="1.0" encoding="UTF-8"?> <rhn-cert version="0.1"> <rhn-cert-field name="product">SPACEWALK-001</rhn-cert-field> <rhn-cert-field name="owner">Spacewalk Default Organization</rhn-cert-field> <rhn-cert-field name="issued">2007-07-13 00:00:00</rhn-cert-field> <rhn-cert-field name="expires">2018-07-13 00:00:00</rhn-cert-field> <rhn-cert-field name="slots">20000</rhn-cert-field> <rhn-cert-field name="monitoring-slots">20000</rhn-cert-field> <rhn-cert-field name="provisioning-slots">20000</rhn-cert-field> <rhn-cert-field name="virtualization_host">20000</rhn-cert-field> <rhn-cert-field name="virtualization_host_platform">20000</rhn-cert-field> <rhn-cert-field name="satellite-version">spacewalk</rhn-cert-field> <rhn-cert-field name="generation">2</rhn-cert-field> <rhn-cert-signature> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEABECAAYFAlNg/40ACgkQnnKdrwaUeTIXqwCgmRiTmzFuO7x3bitYPWcJFsZe UPgAn0kTzWo7xUGDpedM0No9nEnWa84P =FTXc -----END PGP SIGNATURE----- </rhn-cert-signature> </rhn-cert>
To apply this new certificate, begin by making a backup of /usr/share/spacewalk/setup/spacewalk-public.cert.
cp /usr/share/spacewalk/setup/spacewalk-public.cert /usr/share/spacewalk/setup/spacewalk-public.cert.old
Then create the new certificate file using the output above or:
wget -P /usr/share/spacewalk/setup https://kernelmanic.com/wp-content/uploads/2015/07/spacewalk-public.cert
And finally, run the command:
rhn-satellite-activate --rhn-cert /usr/share/spacewalk/setup/spacewalk-public.cert --disconnected
The command should return the following output:
Pushing scout configs to all monitoring scouts
I then reloaded the web interface login screen for spacewalk and the error message was gone! So far everything seems to be functioning normally. Fingers crossed…