Updating SSL Certificates on a Spacewalk Server

This set of instructions explains how to properly update or replace the existing certificates on a Spacewalk server. Note that these instructions do not cover a Spacewalk proxy. They also do not cover generating the certificates; that knowledge is assumed.

First of all, place the required certificates into the (already existing) folder
/root/ssl-build/$(hostname -s)/

The files at this location must be named:
- server.crt - The server certificate (public key)
- server.key - The private key

The certificate signing request can also be kept at this location as server.csr.

Next, make sure the matching CA certificate file, including the full chain, is at /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT.

Now follow these steps and hope for no errors. One thing worth testing is to generate the CA RPM first and distribute it to all your clients before updating the web server; then you may not have to update the clients manually afterwards.

openssl verify -CAfile /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/control/server.crt # Verify that your server certificate chains to the CA ("control" is this server's short hostname; substitute your own)
rhn-ssl-dbstore -v --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT # Insert the CA into the Spacewalk DB
rhn-ssl-tool --gen-server --rpm-only --dir /root/ssl-build # Create the web server certificate RPM
rpm -Uhv /root/ssl-build/$(hostname -s)/rhn-org-httpd-ssl-key-pair-control-*.noarch.rpm # Install the certificate RPM onto the web server (again, "control" is the short hostname)
rhn-ssl-tool --gen-ca --dir=/root/ssl-build --rpm-only # Create the client RPM package with the CA certificate
rpm -Uhv /root/ssl-build/rhn-org-trusted-ssl-cert-*.noarch.rpm # If the server or a proxy is also configured as a client, install this package there as well
cp /root/ssl-build/rhn-org-trusted-ssl-cert-*.noarch.rpm /var/www/html/pub # copy the CA RPM to the public web location
cp /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub # copy the CA certificate to the public web location

spacewalk-service stop # stop the Spacewalk services
rm -Rf /var/lib/jabberd/db/* # clear the jabberd DB
spacewalk-service start # start it all again and test
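Before running the steps above, the files placed under /root/ssl-build can be sanity-checked with the script below: it confirms that server.key belongs to server.crt, that server.crt verifies against RHN-ORG-TRUSTED-SSL-CERT, that the certificate is not about to expire, and that the CA copy in /var/www/html/pub (if already present) is byte-for-byte the same CA. This is an added example, not part of Spacewalk or of the original instructions; the preflight function and its argument layout are my own.

```shell
# Pre-flight checks for the Spacewalk certificate files. Assumes the layout from
# the instructions: <ssl-build>/RHN-ORG-TRUSTED-SSL-CERT and
# <ssl-build>/<short hostname>/server.{crt,key}. Example script, not Spacewalk's.

# 1. The private key must belong to the certificate: compare the public keys
#    extracted from each (both printed as PEM SubjectPublicKeyInfo).
key_matches_cert() {
    crt="$1"; key="$2"
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 2. The certificate must verify against the CA bundle that will be packaged
#    into rhn-org-trusted-ssl-cert and shipped to every client. The ": OK" line
#    is checked rather than the exit status, which old openssl versions ignore.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# 3. The certificate must stay valid for at least $2 days (default 30), so the
#    freshly distributed RPMs are not stale on the clients right away.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 4. SHA-256 fingerprint of a certificate, used to compare the CA file in the
#    build directory with the copy that clients download from /pub.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# preflight <ssl-build dir> <short hostname> [<pub dir>]
preflight() {
    build="$1"; host="$2"; pub="${3:-/var/www/html/pub}"
    ca="$build/RHN-ORG-TRUSTED-SSL-CERT"
    crt="$build/$host/server.crt"; key="$build/$host/server.key"
    key_matches_cert "$crt" "$key" || { echo "server.key does not match server.crt" >&2; return 1; }
    cert_chains_to_ca "$crt" "$ca" || { echo "server.crt does not verify against $ca" >&2; return 1; }
    cert_valid_for_days "$crt" 30  || { echo "server.crt expires within 30 days" >&2; return 1; }
    # Only meaningful once the CA has been copied to /pub: a stale copy there
    # would hand clients a CA that no longer matches the web server.
    if [ -f "$pub/RHN-ORG-TRUSTED-SSL-CERT" ] &&
       [ "$(ca_fingerprint "$ca")" != "$(ca_fingerprint "$pub/RHN-ORG-TRUSTED-SSL-CERT")" ]; then
        echo "CA in $pub differs from $ca" >&2; return 1
    fi
    echo "pre-flight OK for $host"
}

# Usage on the Spacewalk server: sh preflight.sh /root/ssl-build "$(hostname -s)"
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" "${3:-/var/www/html/pub}"
fi
```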

Now update all clients by installing the CA certificate there. Substitute the system-specific values in brackets:

wget --no-check-certificate https://[spacewalk server]/pub/rhn-org-trusted-ssl-cert-[version].noarch.rpm
rpm -Uhv rhn-org-trusted-ssl-cert-*.noarch.rpm

If you are also using the certificate elsewhere (e.g. for deployment via Kickstart), remember to verify it there too. I had issues updating the Kickstart profile from then onwards. After an upgrade from Spacewalk 2.4 to 2.5, this issue was solved. Apart from using the certificates for Kickstarts, I also used it in one of the configuration channels. So maybe also check there to avoid future issues.