Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues
Updated
Issues on Satellite/Capsule server
- hammer ping shows candlepin in FAIL status with error Message: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) on Red Hat Satellite
- hammer ping shows candlepin FAIL with error Message: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) on Red Hat Satellite
- Red Hat Satellite Capsule 6 status shows as "error certificate verify failed (unable to get local issuer certificate)" on webUI
- The installation process for custom CA-signed certificates on Red Hat Satellite and Capsule fails due to an error related to invalid parameters
- Certificate Verify Failed (Hostname Mismatch) Error During CA-Signed SSL Certificate Installation in Red Hat Satellite and Capsule 6
- Upgrade to Red Hat Satellite Capsule fails with message ERF12-9411 ProxyException Unable to fetch public key.
- Configuring Red Hat Capsule 6.x with custom SSL certs fails with
Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)) for Capsule xxxxxxxx - The satellite-installer command generated by the
capsule-certs-generatecommand fails with ERROR: Unrecognised option '--certs-tar-file' - After upgrading to Red Hat Satellite 6.3 hammer failing with error "SSL error: hostname "localhost" does not match the server certificate"
- foreman-proxy log has many "OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=SSLv2/v3 read client hello A /usr/share/ruby/openssl/ssl.rb:280:in `accept'" error
- Hammer commands failing with SSL certificate error on Red Hat Satellite 6.
- Capsule installation fails on registration to Satellite with 3rd party SSL CA
- Red Hat Satellite Capsule installation fails with ssl error: "SSL_connect returned=1 errno=0 state=error: certificate verify failed) for Capsule https://capsule.lab.example.com:9090/features"
- satellite-installer fails while configuring Self-signed or Custom CA issued certificates with an error Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]
- Modifying a satellite VMware's compute resource after changing vCenters SSL certificate
- In Red Hat Satellite6 :
satellite-installer --certs-update-alldoes not update CA certificates - Error while updating custom certs on Red Hat Satellite 6 Report processor failed: Could not send report to Foreman at https://sat1.example.com/api/reports: hostname sat1.example.com does not match the server certificate.
- When trying to update the self signed Cert with CA issued one, satellite-installer gives error on satellite 6
- Satellite 6 Custom SSL certificate not used by crane and foreman
- Enabling repository on Red Hat Satellite 6 fails with certificate verify failed.
- SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
- Custom Repository sync fails with an error 'RPM1004: Error retrieving metadata: A connection error occurred' on Satellite 6 server.
- [Satellite-6] Red Hat Satellite and Capsule sync is failing with SSL error
- Red Hat Satellite Capsule status throws error "ERF50-5345 [Foreman::WrappedException]: Unable to connect [ProxyAPI::ProxyException]"
Issues related to katello-certs-check
katello-certs-checkagainst a custom SSL certificate with non-RSA Private Key fails with an:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:p_lib.c:287:- Katello-certs-check on Red Hat Satellite 6 fails with: satellite_cert.pem does not match the satellite_cert_key.pem
- katello-cert-check utility failing to verify the Server certificate details : line 189: [: ==: unary operator expected
- katello-cert-check utility failing on certificate does not allow for the Digital Signature key usage.
Issues on Content Hosts
- When subscribing host, receive error Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
- katello-server-ca.pem certificate missing under /etc/rhsm/ca on a content host registered to Red Hat Satellite 6
- Yum fails with 'Problem with the SSL CA cert path? access rights?' on clients registered to Satellite server
- [Satellite6] Updating SSL certificates after upgrading from 6.1 to 6.2 leaves client machines without a valid CA
- [Satellite 6] After updating SSL certificates on Satellite 6.x server and installing the new version of the katello-ca-consumer-* package on Satellite clients, the Satellite clients can no longer access the repositories on the Satellite server.
- Clients are unable to connect with the Red Hat Satellite 6 server due to recent expired AddTrust Root CA certificates.
How To
- How to check Custom SSL certificate information after Satellite 6.x is installed?
- How to change the hostname of a Red Hat Satellite 6 server and update associated SSL certificates?
- [Satellite6] Using 3rd party SSL certificates, how to check they were deployed successfully?
- How to setup Red Hat Satellite 6 with custom SSL certificates or renew existing?
- [Satellite6] How to force installer to generate new katello-ca-consumer-latest package (bootstrap RPM)?
- [Satellite6] Where can I get information what is the latest version of katello-ca-consumer package?
- How to revert from custom certificates to default certificates in RedHat satellite 6?
- How to check if a certificate is trusted by Red Hat Satellite?
Q & A
- Is it supported to move from the default self signed certificate for the Satellite Server to a private, company signed certificate?
- Can Red Hat Satellite 6.x be configured with a custom SSL certificate whose keys are 2048 bits rather than 4096 bits long?
- Is it possible to change Candlepin self-signed certificates on Satellite 6?
Useful Information
- Let's Encrypt DST X3 Root Certificate Expiration
- Satellite 6 Certificate Locations and Configurations
SBR
Product(s)
Components
Article Type