Registering/provisioning a Content Host to/from an external capsule shows "Unable to verify server's identity: sslv3 alert bad certificate error"

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.x
  • External Red Hat Capsule 6.x

Issue

  • Registering a Content Host from the external capsule give the below error:

      Unable to verify server's identity: sslv3 alert bad certificate error

  • Provisioning a server from the capsule shows the same error on console during the initial set up stage. Other configurations following this stage including puppet installation, IP address setup, etc. are not carried out.

Resolution

  • Satellite and External capsule must have the same/synchronised time.
  • Ensure NTP/chrony are running and are synced.

For more KB articles/solutions related to Red Hat Satellite 6.x Provisioning Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Provisioning related Issues

For more KB articles/solutions related to Red Hat Satellite 6.x Client Subscription Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Client Subscription Issues

Root Cause

  • External Capsule has a time skew from Satellite of 23 seconds.
  • NTP/chrony were running, but were not properly synced to servers.

Diagnostic Steps

  • Check the time on your capsule and compare it with the time on the satellite server using below commands :

      # hwclock; date

  • Depending on what is being used to sync time, run with ntp or chrony commands:

      # ntpq -pn
  # ntpq -c as
  # chronyc tracking

  • Below is an example where chrony is not synced:

      # chronyc tracking
  Reference ID    : 0.0.0.0 ()
  Stratum         : 0
  Ref time (UTC)  : Thu Jan 1 00:00:00 1970
  System time     : 0.000000000 seconds fast of NTP time
  Last offset     : +0.000000000 seconds
  RMS offset      : 0.000000000 seconds
  Frequency       : 0.000 ppm fast
  Residual freq   : +0.000 ppm
  Skew            : 0.000 ppm
  Root delay      : 0.000000 seconds
  Root dispersion : 0.000000 seconds
  Update interval : 0.0 seconds
  Leap status     : Not synchronised

  • Refer the official documentation on NTP and chrony.

SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.