[Satellite-6] Red Hat Satellite and Capsule sync is failing with SSL error
Environment
- Red Hat Satellite 6
- Red Hat Capsule 6
Issue
- When trying to sync a Capsule, its throwing a traceback,
trace: ! "Traceback (most recent call last):\n\n File \"/usr/lib/python2.7/site-packages/pulp/agent/lib/dispatcher.py\",
line 108, in update\n report = handler.update(conduit, units, dict(options))\n\n
\ File \"/usr/lib/python2.7/site-packages/pulp_node/handlers/handler.py\",
line 161, in update\n bindings = RepositoryBinding.fetch(pulp_bindings,
conduit.consumer_id, repo_ids)\n\n File \"/usr/lib/python2.7/site-packages/pulp_node/handlers/model.py\",
line 534, in fetch\n http = bindings.bind.find_by_id(node_id, repo_id)\n\n
\ File \"/usr/lib/python2.7/site-packages/pulp/bindings/consumer.py\",
line 158, in find_by_id\n return self.server.GET(path)\n\n File \"/usr/lib/python2.7/site-packages/pulp/bindings/server.py\",
line 92, in GET\n return self._request('GET', path, queries)\n\n File
\"/usr/lib/python2.7/site-packages/pulp/bindings/server.py\", line 142,
in _request\n response_code, response_body = self.server_wrapper.request(method,
url, body)\n\n File \"/usr/lib/python2.7/site-packages/pulp/bindings/server.py\",
line 332, in request\n raise exceptions.ConnectionException(None, str(err),
None)\n\nConnectionException: (None, 'unknown protocol', None)\n"
- Capsule sync task fails with error,
error : SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
Resolution
- There is some network device like router,firewall,proxy,Riverbed WAN Optimizer in between which is modifying or offering its own SSL certificate, disable SSL on that device to solve this issue.
For more KB articles/solutions related to Red Hat Satellite 6.x Capsule Sync Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Capsule Sync Issues
For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues
Root Cause
- SSL certificate offered by Satellite is being modified in between sync,
Satellite offers certificate as below
####
.....0..1.0...U....US1.0...U....North Carolina1.0...U....Raleigh1.0...U.
..SomeOrg1.0...U....SomeOrgUnit1#0!..U....satellite.example.com0..
150522220601Z.
350524220601Z0s1.0...U....US1.0...U....North Carolina1.0...U.
..SomeOrg1.0...U....SomeOrgUnit1#0!..U....satellite.example.com0.."0
####
On Capsule can see connection reset(RST) is being send, on checking RST packet on Capsule tcpdump it shows certificate as below,
####
..ValiCert, Inc.1503..U...,ValiCert Class 2 Policy Validation Authority1!0...U....http://www.organizationtest.com/1 0...*.H..
.....info@organizationtest.com..0..1$0"..U....ValiCert Validation Network1.0...U.
..ValiCert, Inc.1503..U...,ValiCert Class 3 Policy Validation Authority1!0...U....http://www.organizationtest.com/1 0...*.H..
.....info@organizationtest.com..0..1.0...U....US1.0...U.
..VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2008 VeriSign, Inc. - For authorized use only1806..U.../VeriSign Universal Root Certification Authority..0..1.0...U....US1.0...U.
####
SBR
Product(s)
Category
Tags
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.