# OpenSSL Certificates
When using the SCC default server address (https://scc.suse.com) for registration, the SSL certificate is already present in the installation system: the SCC certificate is signed by a well-known certificate authority.

But when using a custom SMT or RMT local registration server, it is quite common to use a self-signed certificate or a certificate signed by an unknown certificate authority (usually your own). In that case YaST displays a popup saying that the SSL communication failed.

YaST supports importing a self-signed certificate automatically.

⚠️ When importing a self-signed certificate you should verify that the certificate subject and issuer are correct and that the certificate fingerprint matches the expected value. Importing unknown or unverified certificates is a big security risk! ⚠️

You should obtain the fingerprint value via a secure channel; the connection to the registration server will be only as secure as the way you verified the certificate. Importing an insecure certificate does not make the connection secure.

Certificates signed by a custom certificate authority need to be imported manually; YaST cannot import custom CA certificates automatically. In that case you need to manually import the certificate into the system.
During installation:

1. At the registration step switch to another console, or press the `Ctrl+Alt+Shift+X` key combination in the graphical installation to start an xterm session (this does not work in the text mode installation).
2. Save the certificate to the `/etc/pki/trust/anchors/registration-server.pem` file. You need to get the certificate onto the system yourself: copy it from disk, download it using `curl`, copy it from a USB flash disk...
3. Update the certificate links:
   - SLE15-SP1 and newer:
     ```
     /usr/lib/YaST2/bin/install_ssl_certificates
     ```
   - SLE15 and older:
     ```
     trust extract --format=openssl-directory --filter=ca-anchors --overwrite /var/lib/YaST2/ca-certificates
     cp /var/lib/YaST2/ca-certificates/* /var/lib/ca-certificates/openssl
     ```
4. You might verify that the connection to the server now works correctly using the `curl https://<your_registration_server>` command.
5. Switch back to the installer and continue with the registration step.
In the installed system:

1. Save the certificate to the `/etc/pki/trust/anchors/registration-server.pem` file. You need to get the certificate onto the system yourself: copy it from disk, download it using `curl`, copy it from a USB flash disk...
2. Then run the `update-ca-certificates` script.
3. You might verify that the connection to the server now works correctly using the `curl` command.
4. Run the registration module.
The imported certificate is saved to the `/etc/pki/trust/anchors/registration-server.pem` file in the installed system.
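As an added example (not code from yast-registration), a small Python helper that performs the fingerprint check the warning above asks for before the certificate is written to the trust anchor path used in the steps above: it computes the fingerprint in the same colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints, compares it in constant time against the value obtained over a secure channel, and refuses to write the file on mismatch. `SAMPLE_PEM` is constructed placeholder data, and `check_certificate` / `install_anchor` are hypothetical names; subject and issuer still need to be checked separately.

```python
import base64
import hashlib
import hmac
import ssl
from pathlib import Path

# Path the installer and the steps above use for the imported certificate.
ANCHOR_PATH = "/etc/pki/trust/anchors/registration-server.pem"

# Constructed sample: PEM armour around placeholder bytes so the example runs
# offline. A real certificate carries DER-encoded X.509 data here instead.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"placeholder, not a real X.509 certificate").decode()
              + "-----END CERTIFICATE-----\n")


def fingerprint(pem_text: str, algo: str = "sha256") -> str:
    """Fingerprint of the certificate in the colon-separated upper-case form
    that `openssl x509 -noout -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)  # strip armour, base64-decode
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab:cd' or 'abcd' spellings of the same value."""
    return fp.replace(":", "").replace(" ", "").upper()


def check_certificate(pem_text: str, expected_fp: str, algo: str = "sha256") -> bool:
    """True only if the certificate's fingerprint equals the expected value,
    which must have been obtained over a secure channel (see the warning above)."""
    expected = _normalize(expected_fp)
    if len(expected) != 2 * hashlib.new(algo).digest_size or any(
            c not in "0123456789ABCDEF" for c in expected):
        return False  # truncated copy, typo, or wrong hash algorithm
    # Constant-time comparison, so a near miss reveals nothing about the digest.
    return hmac.compare_digest(_normalize(fingerprint(pem_text, algo)), expected)


def install_anchor(pem_text: str, expected_fp: str, dest: str = ANCHOR_PATH) -> str:
    """Write the certificate to the trust anchor directory only after the
    fingerprint matched; afterwards run update-ca-certificates (installed system)
    or install_ssl_certificates (installer) as described in the steps above."""
    if not check_certificate(pem_text, expected_fp):
        raise ValueError("certificate fingerprint mismatch, refusing to install")
    path = Path(dest)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(pem_text)
    return str(path)
```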
Using the boot options `pt.options=reg_ssl_verify reg_ssl_verify=0` you might disable the SSL verification for the registration server. That might be useful for testing or debugging purposes.

⚠️ Disabling the SSL verification is a security risk! You should never disable the SSL verification in production systems or when connecting over an insecure network! ⚠️
On the internal SUSE network there are two SMT servers available: https://smt.suse.de and https://smt.suse.cz.

1. At the registration step switch to a console, or open an xterm session in the graphical installation using the `Ctrl+Alt+Shift+X` combination.
2. Download the certificate:
   ```
   curl http://ca.suse.de/certificates/ca/SUSE_Trust_Root.crt > /etc/pki/trust/anchors/registration_server.pem
   ```
   Note: the `registration_server.pem` file is copied to the installed system; if you use a different name you will need to install the certificate again into the system after the installation is finished.
3. Update the certificate links:
   - SLE15-SP1 and newer:
     ```
     /usr/lib/YaST2/bin/install_ssl_certificates
     ```
   - SLE15 and older:
     ```
     trust extract --format=openssl-directory --filter=ca-anchors --overwrite /var/lib/YaST2/ca-certificates
     cp /var/lib/YaST2/ca-certificates/* /var/lib/ca-certificates/openssl
     ```
4. You might verify that the secure connection to the server works: `curl https://smt.suse.de` or `curl https://smt.suse.cz` should display an HTML page (although with a permission error) and the exit status should be 0.
5. Switch back to the installer and use the `https://smt.suse.de` or the `https://smt.suse.cz` SMT server address for registration. Both use the same root certificate referenced above, so it will work in both cases.
Some debugging and testing hints are in a separate document.