[caasp-beta] Adding additional trusted root certificates to the Nodes

Thorsten Kukuk kukuk at suse.com
Sat Jun 10 00:34:45 MDT 2017


Hi,

On Sat, Jun 10, Pieter Swartz wrote:

> Hi,
> 
> How do you add additional trusted root certificates to a node if
> /usr/share/pki/trust/anchors is a read-only file system? Initial
> registration of a node on SCC fails because:

You should not copy certificates into /usr/share/pki/trust/anchors, that's for
certificates delivered via RPM, but to /etc/pki/trust/anchors (that's for local
certificates).

But this currently does not really help, update-ca-certificates is not
able to cope with read-only root filesystem yet ...

Best solution (preferable anyway, even for plain SLES): create an
RPM with the certificates you need, call update-ca-certificates in the
post install section, and install that on these machines. Makes the
certificate management and update much easier. And in this case, you
can even use /usr/share/pki/trust/anchors.

  Thorsten

> a)  Unable to provide a route to our Internet Proxy server,
> 
> b)  Unable to add the trusted CA certificates of the Internet Proxy server
> during the installation process
> 
> c)  What is the actual URL requirement for the Internet Proxy. Is it:
> 
> a.  http://scc.suse.com <- Required for registration
> 
> b.  http://updates.suse.com <- Required for patching
> 
> c.  http://169.254.169.254/openstack/ <- Required for docker images, etc
> 
>  
> 
> Kind Regards
> 
>  
> 
> Pieter de la Rey Swartz
> 
> Solution Design & Engineering (Linux)
> 
> JSE ITD-IM
> 
> T    +27 11 520-7463
> 
> M  +27 71 688 7058
> 


-- 
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
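
A minimal RPM spec file for the approach described in the reply above, as an added example that is not part of the original message. The package name, version, license tag and certificate file name (`proxy-root-ca.pem`) are placeholders.

```spec
# Constructed example: all names and values below are placeholders.
Name:           local-ca-certificates
Version:        1.0
Release:        0
Summary:        Site-local trusted root CA certificates
License:        MIT
Group:          Productivity/Networking/Security
BuildArch:      noarch
# The PEM-encoded root certificate to be trusted (placeholder file name).
# Verify its fingerprint out of band before packaging: every certificate
# shipped here becomes a trust anchor for all TLS clients on the node.
Source0:        proxy-root-ca.pem
BuildRequires:  openssl
Requires:       ca-certificates
Requires(post): ca-certificates
Requires(postun): ca-certificates

%description
Installs the site-local root CA certificate into the system trust
anchors and regenerates the CA bundles with update-ca-certificates.

%prep
# Nothing to unpack: the only source is the certificate itself.

%build
# Nothing to build.

%check
# Fail the build if the file is not a parseable X.509 certificate
# or if the certificate has already expired.
openssl x509 -in %{SOURCE0} -noout -checkend 0

%install
# Packaged certificates go to /usr/share/pki/trust/anchors;
# /etc/pki/trust/anchors is reserved for local, unpackaged certificates.
install -D -m 0644 %{SOURCE0} \
    %{buildroot}%{_datadir}/pki/trust/anchors/proxy-root-ca.pem

%post
# Regenerate the trust store so the new anchor takes effect.
update-ca-certificates || :

%postun
# Regenerate again on removal so the anchor is dropped from the bundles.
update-ca-certificates || :

%files
%{_datadir}/pki/trust/anchors/proxy-root-ca.pem
```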

