subscription-manager commands fail with the error message: "Unable to verify server's identity: tlsv1 alert unknown ca"
Environment
- Red Hat Satellite 6
- Red Hat Subscription Manager or Yum
Issue
- subscription-manager fails with the following error message:

    [root@example ~]# subscription-manager list --available
    Unable to verify server's identity: tlsv1 alert unknown ca

- Errors are seen in /var/log/rhsm/rhsm.log:

    2015-03-27 19:16:20,927 [DEBUG] subscription-manager @connection.py:469 - Making request: PUT /rhsm/consumers/3415b3fe-c201-4433-abdc-d1518b3c607f
    2015-03-27 19:16:20,946 [ERROR] subscription-manager @cache.py:150 - Error updating system data on the server
    2015-03-27 19:16:20,946 [ERROR] subscription-manager @cache.py:151 - tlsv1 alert unknown ca

- When using third-party SSL/CA certificates, subscription-manager gives tlsv1 errors while registering:

    # subscription-manager register --org="xxxx" --activationkey="xxxxxxxxxx" --force
    The system has been registered with ID:
    Unable to verify server's identity: tlsv1 alert unknown ca

- The same error can appear when using yum:

    # yum check-update
    Loaded plugins: package_upload, product-id, search-disabled-repos, subscription-manager
    tlsv1 alert unknown ca
Resolution
- This issue is typically seen when there are incorrect entries in /etc/rhsm/rhsm.conf. Double-check the configuration by executing:

    # subscription-manager config

  Note: It is also possible to fix this by running the following and then retrying the subscription-manager command:

    # subscription-manager clean

- Check if the katello-ca-consumer-*-fqdn-*.noarch rpm is installed on the system:

    # rpm -qa | grep katello
    katello-ca-consumer-satellite.example.com-1.0-1.noarch

  Note: If the system is being registered to a Satellite server, make sure the certificate provided by katello-ca-consumer-satellite.example.com-1.0-1.noarch is the same one used on the Satellite server.

- Use openssl commands to verify the certificates. The md5sum taken on the Satellite and the one taken on the client should match.

  On the Satellite (not applicable when custom certificates are configured):

    # openssl verify -CAfile /etc/pki/katello/certs/katello-default-ca.crt /etc/pki/katello/certs/katello-apache.crt
    /etc/pki/katello/certs/katello-apache.crt: OK
    # md5sum /etc/pki/katello/certs/katello-default-ca.crt

  On the client:

    # md5sum /etc/rhsm/ca/katello-server-ca.pem
    # openssl s_client -connect satellite.example.com:443 -CAfile /etc/rhsm/ca/katello-server-ca.pem -verify 3
    [..SNIP...]
    Start Time: 1427760662
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

- If the issue persists, try setting the ssl_verify_depth parameter in /etc/rhsm/rhsm.conf to 1. This parameter sets the number of certificates which should be used to verify the server's identity.

    # openssl s_client -connect satellite.example.com:443 -CAfile /etc/rhsm/ca/katello-server-ca.pem -verify 1
    [..SNIP...]
    Start Time: 1427760662
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    # vim /etc/rhsm/rhsm.conf
    ssl_verify_depth = 1
    # subscription-manager refresh
    # subscription-manager list --available

- Restore the /etc/rhsm/rhsm.conf file to its original state:

    # mv /etc/rhsm/rhsm.conf.kat-backup /etc/rhsm/rhsm.conf
    # subscription-manager unregister
    # subscription-manager refresh
    # subscription-manager register
    # subscription-manager list --available
Important: If the system needs to register directly to the Red Hat Customer Portal instead of a Satellite, the katello-ca-consumer package should be removed from the system:

    # rpm -e katello-ca-consumer-satellite.example.com-1.0-1.noarch

Note: If, while trying to resolve this issue, you deleted the profile of your system on the Satellite, you will need to run subscription-manager clean before re-registering it.
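As an added example (not part of the Red Hat article), the following POSIX shell helpers automate the checks above: reading hostname and ssl_verify_depth from rhsm.conf, comparing the CA checksums taken on the Satellite and the client, and parsing the "Verify return code" that openssl s_client prints. The function names, the sample rhsm.conf fragment and the two s_client output tails are constructed for this example; the file paths are the article's own.

```shell
#!/bin/sh
# Added helper script (not from the Red Hat article): automates the checks
# described above. Paths are this article's examples; everything else is constructed.

# rhsm_conf_get FILE KEY: print the value of "KEY = value" from an rhsm.conf-style file.
rhsm_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# verify_return_code TEXT: extract the numeric "Verify return code" from openssl s_client output.
verify_return_code() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# ca_checksums_match FILE1 FILE2: succeed when the Satellite CA and the client copy are identical.
ca_checksums_match() {
    [ "$(md5sum < "$1" | cut -d' ' -f1)" = "$(md5sum < "$2" | cut -d' ' -f1)" ]
}

# check_satellite_tls HOST CAFILE DEPTH: the article's s_client check; succeeds when verify code is 0.
check_satellite_tls() {
    out=$(openssl s_client -connect "$1:443" -CAfile "$2" -verify "$3" </dev/null 2>&1)
    [ "$(verify_return_code "$out")" = "0" ]
}

# write_sample_rhsm_conf FILE: constructed rhsm.conf fragment for the offline demonstration.
write_sample_rhsm_conf() {
    cat > "$1" <<'EOF'
[server]
hostname = satellite.example.com
port = 443
ssl_verify_depth = 3
EOF
}

# Constructed openssl s_client tails: a good handshake and a failed chain verification.
SCLIENT_OK='Start Time: 1427760662
Timeout : 300 (sec)
Verify return code: 0 (ok)'
SCLIENT_BAD='Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)'

# Live run on a registered client: sh check_rhsm_ca.sh live
if [ "${1:-}" = "live" ]; then
    conf=/etc/rhsm/rhsm.conf
    host=$(rhsm_conf_get "$conf" hostname); depth=$(rhsm_conf_get "$conf" ssl_verify_depth)
    echo "hostname=$host ssl_verify_depth=${depth:-unset}"
    check_satellite_tls "$host" /etc/rhsm/ca/katello-server-ca.pem "${depth:-3}" \
        && echo "TLS verify OK for $host" || echo "TLS verify FAILED for $host"
fi
```

Copy the Satellite's katello-default-ca.crt next to the client's katello-server-ca.pem and pass both to ca_checksums_match to confirm the two files are identical before changing ssl_verify_depth.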
For more KB articles/solutions related to Red Hat Satellite 6.x Client Subscription Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Client Subscription Issues
Root Cause
- The katello-ca-consumer package installed on the system.
- Wrong ssl_verify_depth configuration in /etc/rhsm/rhsm.conf.
Diagnostic Steps
- Check the /var/log/rhsm/rhsm.log file for errors related to an incorrect CA certificate:
2014-11-07 13:30:37,311 [ERROR] subscription-manager @cache.py:219 - Consumer certificate is invalid
2014-11-07 13:30:37,318 [DEBUG] subscription-manager @connection.py:414 - Loaded CA certificates from /etc/rhsm/ca/: katello-server-ca.pem, candlepin-stage.pem, redhat-uep.pem, candlepin-local.pem
2014-11-07 13:30:37,320 [DEBUG] subscription-manager @connection.py:446 - Making request: GET /rhsm/consumers/2c4d5baa-b7d4-43f5-b90f-8b40269460f4/entitlements?exclude=certificates.key&exclude=certificates.cert
2014-11-07 13:30:37,363 [DEBUG] subscription-manager @cache.py:494 - Problem attmepting to get entitlements from the server
2014-11-07 13:30:37,364 [DEBUG] subscription-manager @cache.py:495 - tlsv1 alert unknown ca
2014-11-07 13:30:38,091 [DEBUG] rhsm-debug @plugins.py:533 - loaded plugin modules: []
2014-11-07 13:30:38,092 [DEBUG] rhsm-debug @plugins.py:534 - loaded plugins: {}
2014-11-07 13:30:38,093 [DEBUG] rhsm-debug @profile.py:97 - Loading current RPM profile.
2014-11-07 13:30:38,312 [INFO] rhsm-debug @managercli.py:288 - Client Versions: {'python-rhsm': '1.12.5-1.el7', 'subscription-manager': '1.10.14-9.el7_0'}
2014-11-07 13:30:38,314 [INFO] rhsm-debug @connection.py:659 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/rhsm/ca/, insecure = False
2014-11-07 13:30:38,314 [INFO] rhsm-debug @connection.py:670 - Connection Built: host: satellite.example.com, port: 443, handler: /rhsm
2014-11-07 13:30:38,315 [INFO] rhsm-debug @connection.py:666 - Using no auth
2014-11-07 13:30:38,315 [INFO] rhsm-debug @connection.py:670 - Connection Built: host: satellite.example.com, port: 443, handler: /rhsm
2014-11-07 13:30:38,355 [DEBUG] rhsm-debug @connection.py:414 - Loaded CA certificates from /etc/rhsm/ca/: katello-server-ca.pem, candlepin-stage.pem, redhat-uep.pem, candlepin-local.pem
2014-11-07 13:30:38,355 [DEBUG] rhsm-debug @connection.py:446 - Making request: GET /rhsm/
2014-11-07 13:30:38,539 [DEBUG] rhsm-debug @connection.py:469 - Response: status=200
2014-11-07 13:30:38,544 [DEBUG] rhsm-debug @connection.py:686 - Server supports the following resources:
2014-11-07 13:30:38,545 [DEBUG] rhsm-debug @connection.py:687 - {'available_releases': '/katello/api/available_releases', 'distributors': '/katello/api/distributors/', 'content_overrides': '/katello/api/content_overrides', 'environments': '/katello/api/environments/', 'content_views': '/katello/api/content_views/', 'content_view_filters': '/katello/api/content_view_filters/', 'puppet_modules': '/katello/api/puppet_modules/', 'host_collections': '/katello/api/host_collections/', 'guestids': '/katello/api/guestids', 'systems': '/katello/api/systems/', 'gpg_keys': '/katello/api/gpg_keys/', 'status': '/katello/api/status/', 'capsules': '/katello/api/capsules/', 'users': '/katello/api/users/', 'sync_plans': '/katello/api/sync_plans/', 'subscriptions': '/katello/api/subscriptions/', 'content_view_versions': '/katello/api/content_view_versions/', 'packages': '/katello/api/packages/', 'organizations': '/katello/api/organizations/', 'package_groups': '/katello/api/package_groups/', 'repository_sets': '/katello/api/repository_sets/', 'repositories': '/katello/api/repositories/', 'products': '/katello/api/products/', 'activation_keys': '/katello/api/activation_keys/', 'errata': '/katello/api/errata/'}
2014-11-07 13:30:38,549 [DEBUG] rhsm-debug @connection.py:414 - Loaded CA certificates from /etc/rhsm/ca/: katello-server-ca.pem, candlepin-stage.pem, redhat-uep.pem, candlepin-local.pem
2014-11-07 13:30:38,550 [DEBUG] rhsm-debug @connection.py:446 - Making request: GET /rhsm/status
2014-11-07 13:30:39,078 [DEBUG] rhsm-debug @connection.py:469 - Response: status=200
2014-11-07 13:30:39,082 [INFO] rhsm-debug @managercli.py:299 - Server Versions: {'candlepin': '1.5.0-30.el7sat-Katello', 'server-type': 'Red Hat Subscription Management'}
2014-11-07 13:30:39,083 [DEBUG] rhsm-debug @identity.py:130 - Loading consumer info from identity certificates.
2014-11-07 13:30:39,090 [DEBUG] rhsm-debug @connection.py:414 - Loaded CA certificates from /etc/rhsm/ca/: katello-server-ca.pem, candlepin-stage.pem, redhat-uep.pem, candlepin-local.pem
2014-11-07 13:30:39,092 [DEBUG] rhsm-debug @connection.py:446 - Making request: GET /rhsm/consumers/2c4d5baa-b7d4-43f5-b90f-8b40269460f4/owner
2014-11-07 13:30:39,143 [ERROR] rhsm-debug @managercli.py:156 - Unable to create zip file of system information: tlsv1 alert unknown ca
2014-11-07 13:30:39,143 [ERROR] rhsm-debug @managercli.py:157 - tlsv1 alert unknown ca
Traceback (most recent call last):
File "/usr/share/rhsm/rhsm_debug/debug_commands.py", line 92, in _do_command
owner = self.cp.getOwner(consumer.uuid)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 883, in getOwner
return self.conn.request_get(method)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 550, in request_get
return self._request("GET", method)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 453, in _request
conn.request(request_type, handler, body=body, headers=headers)
File "/usr/lib64/python2.7/httplib.py", line 973, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1007, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 969, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 829, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 791, in send
self.connect()
File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
sock.connect((self.host, self.port))
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
ret = self.connect_ssl()
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
return m2.ssl_connect(self.ssl, self._timeout)
SSLError: tlsv1 alert unknown ca
- From the above log file, it is evident that subscription-manager is loading the katello CA certificates and that the request to the server then fails with the error SSLError: tlsv1 alert unknown ca.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.