Skip to content

OpenSSL Certificates

Ladislav Slezák edited this page Feb 28, 2019 · 18 revisions

Introduction

When using the SCC default server address (https://scc.suse.com) for registration the SSL certificate is already present in the installation system, the SCC certificate is signed by a well known certificate authority.

But when using a custom SMT or RMT local registration server it is quite common to use a self-signed certificate or a certificate signed by an unknown certificate authority (usually your own).

In that case YaST displays a popup that the SSL communication failed.

Importing a Self-signed SSL Certificate

YaST supports importing a self-signed certificate automatically.

sle15-sp1-certificate-failure-new-gui-self-signed

:warning: When importing a self-signed certificate you should verify that the certificate subject and the issuer is correct and that the certificate fingerprint matches the expected value. Importing unknown or not verified certificates is a big security risk! :warning:

You should obtain the fingerprint value via a secure channel, the connection to the registration server will be as secure as the way how you verified the certificate. Importing an insecure certificate does not make the connection secure.

Importing a Certificate Signed by an Unknown Certificate Authority

Such certificates need to be imported manually, YaST cannot import custom certificates automatically. In that case you need to manually import the certificate into the system.

Installation

  • At the registration step switch to another console or press Ctrl+Alt+Shift+X combination in the graphical installation to start an xterm session (does not work in the text mode installation).
  • Save the certificate to the /etc/pki/trust/anchors/registration-server.pem file, you need to copy the certificate from disk, download it using curl, copy from an USB flash disk...
  • Update the certificate links:
    • SLE15-SP1 and newer: /usr/lib/YaST2/bin/install_ssl_certificates
    • SLE15 and older:
      • trust extract --format=openssl-directory --filter=ca-anchors --overwrite /var/lib/YaST2/ca-certificates
      • cp /var/lib/YaST2/ca-certificates/* /var/lib/ca-certificates/openssl
  • You might verify that the connection to the server now works correctly using the curl https://<your_registration_server> command.
  • Switch back to the installer and continue with the registration step.

sle15-sp1-certificate-failure-new

Installed System

  • Save the certificate to the /etc/pki/trust/anchors/registration-server.pem file, you need to copy the certificate from disk, download it using curl, copy from an USB flash disk...
  • Then run the update-ca-certificates script
  • You might verify that the connection to the server now works correctly using the curl command
  • Run the registration module

Details

The imported certificate is saved to /etc/pki/trust/anchors/registration-server.pem file into the installed system.

Disabling the SSL Verification

Using boot options pt.options=reg_ssl_verify reg_ssl_verify=0 you might disable the SSL verification for the registration server. That might be useful for testing or debugging purposes.

:warning: Disabling the SSL verification is a security risk! You should never disable the SSL verification in production systems or when connecting over insecure network! :warning:

The Internal SMT Servers

At the internal SUSE network there are two SMT servers available: https://smt.suse.de and https://smt.suse.cz servers.

Importing the certificate

  • At the registration step switch to a console or open an xterm session in graphical installation using the Ctrl+Alt+Shift+X combination.
  • Download the certificate: curl http://ca.suse.de/certificates/ca/SUSE_Trust_Root.crt > /etc/pki/trust/anchors/registration_server.pem
    • Note: The registration_server.pem file is copied to the installed system, if you use a different name you will need to install the certificate again into the system after the installation is finished.
  • Update the certificate links:
    • SLE15-SP1 and newer: /usr/lib/YaST2/bin/install_ssl_certificates
    • SLE15 and older:
      • trust extract --format=openssl-directory --filter=ca-anchors --overwrite /var/lib/YaST2/ca-certificates
      • cp /var/lib/YaST2/ca-certificates/* /var/lib/ca-certificates/openssl
    • You might verify that the secure connection to the server works, curl https://smt.suse.cz or curl https://smt.suse.cz should display an HTML page (although with a permission error) and the exit status should be 0.
  • Switch back to the installer and use the https://smt.suse.de or the https://smt.suse.cz SMT server address for registration. Both use the same root certificate referenced above, it will work in both cases.

Debugging and Testing

Some debugging and testing hints are in a separate document.

You can’t perform that action at this time.