Spacewalk Certificate has expired!

UPDATE: The replacement certificate mentioned in this article expired July 13, 2018. Please see the link to the spacewalk project github wiki https://github.com/spacewalkproject/spacewalk/wiki/Refreshing-certificate posted in the comments by Dipak. Thank you for sharing!

I woke up this morning to a disturbing email from my CentOS 6.5 server running spacewalk 2.1:

Dear Spacewalk User,

 

This email is being sent to you to inform you that your Spacewalk Certificate has expired on your myserverFQDN server. After 7 day(s) the systems management services provided by your Spacewalk Server will be restricted for 24 days.

After that the services will become inaccessible.

 

 

Thank you for using Spacewalk.

–the Spacewalk Team

Browsing to the login page also prompts you with a similar message.

Your satellite certificate has expired. Please visit the following link for steps on how to request or generate a new certificate:https://access.redhat.com/knowledge/tools/satcert Your satellite enters restricted period in 6 day(s).

It was unpleasant to wake up to because I remember how much of a PITA it was to get my certificates to play nice with tomcat, jabber, and all of the other spacewalk components during the initial deployment. After some research I found that this certificate has nothing to do with the SSL certs I’d dealt with in the past. These alerts are in regards to a PGP certificate used for licensing and activation of spacewalk. Unfortunately there is not a lot of recent documentation on this. I did come across an article here https://fedorahosted.org/spacewalk/wiki/CertCreation that looked like it might be useful, and after downloading the attached template, downloading the perl script, and installing the perl prerequisites, I came to a hard stop on one of the last steps with this error:

RHN::Exception: invalid root
RHN::Cert /usr/share/perl5/vendor_perl/RHN/Cert.pm 52 RHN::Exception::throw
main gen-oss-sat-cert.pl 62 RHN::Cert::parse_cert

After some more research I found admins that were having this issue in 2010 here https://www.redhat.com/archives/spacewalk-list/2010-July/msg00042.html. They were able to overcome the issue by downloading a copy of the latest certificate. With this, I began to focus my research on a newer certificate hoping I could just replace the expired one with one redhat created for a newer version of spacewalk. Fortunately I was able to find an admin here https://www.redhat.com/archives/spacewalk-list/2014-December/msg00039.html that provided output on a newer certificate that expires in 2018. After some slight modifications to make it match the format found in the existing certificate, I came up with this:

<?xml version="1.0" encoding="UTF-8"?>
<rhn-cert version="0.1">
 <rhn-cert-field name="product">SPACEWALK-001</rhn-cert-field>
 <rhn-cert-field name="owner">Spacewalk Default Organization</rhn-cert-field>
 <rhn-cert-field name="issued">2007-07-13 00:00:00</rhn-cert-field>
 <rhn-cert-field name="expires">2018-07-13 00:00:00</rhn-cert-field>
 <rhn-cert-field name="slots">20000</rhn-cert-field>
 <rhn-cert-field name="monitoring-slots">20000</rhn-cert-field>
 <rhn-cert-field name="provisioning-slots">20000</rhn-cert-field>
 <rhn-cert-field name="virtualization_host">20000</rhn-cert-field>
 <rhn-cert-field name="virtualization_host_platform">20000</rhn-cert-field>
 <rhn-cert-field name="satellite-version">spacewalk</rhn-cert-field>
 <rhn-cert-field name="generation">2</rhn-cert-field>
 <rhn-cert-signature>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAlNg/40ACgkQnnKdrwaUeTIXqwCgmRiTmzFuO7x3bitYPWcJFsZe
UPgAn0kTzWo7xUGDpedM0No9nEnWa84P
=FTXc
-----END PGP SIGNATURE-----
</rhn-cert-signature>
</rhn-cert>

To apply this new certificate, begin by making a backup of /usr/share/spacewalk/setup/spacewalk-public.cert.

cp /usr/share/spacewalk/setup/spacewalk-public.cert /usr/share/spacewalk/setup/spacewalk-public.cert.old

Then create the new certificate file using the output above or:

wget -P /usr/share/spacewalk/setup https://kernelmanic.com/wp-content/uploads/2015/07/spacewalk-public.cert

And finally, run the command:

rhn-satellite-activate --rhn-cert /usr/share/spacewalk/setup/spacewalk-public.cert --disconnected

The command should return the following output:

Pushing scout configs to all monitoring scouts

I then reloaded the web interface login screen for spacewalk and the error message was gone! So far everything seems to be functioning normally. Fingers crossed…

30 thoughts on “Spacewalk Certificate has expired!”

  1. Thanks for this post. I was scratching my head just yesterday on the same expiration message. “Which cert? SSL? GPG? I need more coffee!”

  2. Bravo! Very timely post. I wonder how many people will be working for “Spacewalk Default Organization” after this.

    Really though, thanks. This worked like a charm (for the next three years).

  3. I got two Spacewalk servers on version 2.2 also got these messages, after ran the diff between original /usr/share/spacewalk/setup/spacewalk-public.cert with the one from your post, found out they are identical.

    Therefore I only need to ran the last command and resolved this issue.

    Cheers,

    1. Hi, yes, I noticed the same thing. The expiry date in my existing cert was set to 2018, so I only had to run the last command.
      Anyway, a nice writeup!

  4. Thank you for making the effort to write about this after figuring out the cryptic error message.

    Like another commenter, I noticed that the existing “spacewalk-public.cert” is the same as you present here, and only the “rhn-satellite-activate” command was really needed for me.

  5. I would like to thank you for your post. It baffles me (as it I am sure it did you) how little documentation is out there for this. I am forever grateful for your post as I was not looking forward to creating gpg keys and signing this, that and the other thing. Kudos.

    Shawn Faulkingham

  6. Was busy checking SSL certs before I found this reference. No problems yet after updating cert as specified. Thanks!

  7. The updated certificate has now expired and i have started to receive this notification on a couple of Spacewalk 2.3 servers. The certificate expiration date is 2018-07-13 which was yesterday. Does anyone know where i can get an updated certificate??

    1. Looks like 2.8 has been released. I’ll build one today or tomorrow and share the certificate it ships with.

    1. Yeah. I just stood up a server and installed the 2.9 nightly and it also has the same cert. I’ll be on the lookout and post when I find something.

  8. Thanks Dipak, found the same link yesterday from a Bugzilla report and can confirm that the GPG key and updated public cert fixed the issue on a 2.3 Spacewalk server.

    It also mentions that a solution would be to upgrade to Spacewalk 2.5 (or higher) as these versions are not using entitlement certificate anymore.

    https://bugzilla.redhat.com/show_bug.cgi?id=1600868

  9. I have Spacewalk 2.6 and my certificate is expired. The above linke did not help in certificate extension.

    Can you please help with the latest certificate for Spacewalk 2.6.

Leave a Reply to Morten Middelthon Cancel reply

Your email address will not be published.