When trying to replace the self-signed certificate with a CA-issued one, satellite-installer gives an error on Satellite 6

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • When trying to replace the self-signed certificate with one issued by a custom/external CA, satellite-installer fails because katello-certs-check cannot verify the server certificate against the supplied CA bundle.

  • We have this error when we try to update the self-signed cert with our custom/external CA-generated cert.

    # satellite-installer --scenario satellite \
    --certs-server-cert /root/sat_cert/satellite_cert.pem \
    --certs-server-key /root/sat_cert/satellite_cert_key.pem \
    --certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
    --certs-update-server --certs-update-server-ca
    Marking certificate /root/ssl-build/abcd.xyz.com/abcd.xyz.com-apache for update
    Marking certificate /root/ssl-build/abcd.xyz.com/abcd.xyz.com-foreman-proxy for update
    Marking certificate /root/ssl-build/katello-server-ca for update
    Command '/usr/share/katello-installer/bin/katello-certs-check -c "/root/sat_cert/satellite_cert.pem" -k "/root/sat_cert/satellite_cert_key.pem" -b "/root/sat_cert/ca_cert_bundle.pem"' exited with 4:
    Validating the certificate subject= /L=City/ST=State/C=US/O=Company/OU=Department/CN=abcd.xyz.com
    Check private key matches the certificate: [OK]
    Check ca bundle verifies the cert file: [FAIL]
    The /root/sat_cert/ca_cert_bundle.pem does not verify the /root/sat_cert/satellite_cert.pem
    /root/sat_cert/satellite_cert.pem: C = US, O = Company, OU = Company Service Association, CN = Company Information Delivery Internal CA
    error 2 at 1 depth lookup:unable to get issuer certificate
    
  • We are unable to install the SSL certificate on the Satellite server:

      # satellite-installer \
      --certs-server-cert "/root/sat_cert/satellite_cert.pem" \
      --certs-server-key "/root/sat_cert/satellite_cert_key.pem" \
      --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem" \
      --certs-update-server --certs-update-server-ca
      2025-02-23 22:17:53 [NOTICE] [root] Loading installer configuration. This will take some time.
      2025-02-23 22:17:57 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
      2025-02-23 22:17:57 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
      Checking server certificate encoding:
      [OK]
    
      Checking expiration of certificate:
      [OK]
    
      .
      .
      .
    
      Checking CA bundle against the certificate file:
      [FAIL]
    
      The /root/sat_cert/ca_cert_bundle.pem does not verify the /root/sat_cert/satellite_cert.pem
      CN=satellite.example.com
      error 20 at 0 depth lookup: unable to get local issuer certificate
      error /root/sat_cert/satellite_cert.pem: verification failed
    
      Checking CA bundle size: 1
      [OK]
    
      .
      .
      .
    
      Checking CA signing algorithm for sha1:
      [OK]
    

Resolution

  1. If you have the root CA's certificate and the intermediate CA's certificate in separate PEM files, merge them into a single bundle. Order matters: the certificate that issued the server certificate (the intermediate) comes first, any further intermediates follow in issuing order, and the self-signed root comes last. The bundle must contain CA certificates only, never the server certificate or its private key:

       # cat Intermediate.crt CAroot.crt > ca_cert_bundle.pem

  2. Verify the server certificate against the new CA bundle. The expected output is the certificate path followed by ": OK"; any "error N at D depth lookup" line means the bundle is still incomplete:

       # openssl verify -CAfile /root/sat_cert/ca_cert_bundle.pem /root/sat_cert/satellite_cert.pem

  3. Once the bundle is complete, validate the three files with katello-certs-check, the same check the installer runs, and then re-run the satellite-installer command from the Issue section:

       # katello-certs-check -c /root/sat_cert/satellite_cert.pem -k /root/sat_cert/satellite_cert_key.pem -b /root/sat_cert/ca_cert_bundle.pem

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

Error 20 ("unable to get local issuer certificate", reported at depth 0 in the second output above) means that the certificate which issued the server certificate, normally the intermediate CA certificate, is not present in the CA bundle. Error 2 ("unable to get issuer certificate" at depth 1, as in the first output) is the same problem one level up: the bundle contains the intermediate but not the root CA that issued it. In both cases openssl cannot build a chain from the server certificate to a self-signed root, so katello-certs-check exits non-zero and satellite-installer aborts before touching the deployed certificates. The "Checking CA bundle size: 1" line in the second output is consistent with a bundle that holds a single certificate instead of the full chain.

Diagnostic Steps

  • To confirm that the Satellite server certificate was signed by an intermediate CA, and to see which issuer the bundle actually contains, compare the Issuer of the server certificate with the Subject of the CA certificate:

      # openssl x509 -in /root/sat_cert/satellite_cert.pem -text | egrep '(Issuer:|Subject:)'
    
      # openssl x509 -in /root/sat_cert/ca_cert_bundle.pem -text | egrep '(Issuer:|Subject:)'

    The server certificate's Issuer must match the Subject of a certificate in the bundle, each bundle certificate's Issuer must match the Subject of the next one, and the last certificate must be self-signed (Issuer identical to Subject). Note that openssl x509 parses only the first certificate in a file, so the second command shows just the first entry of the bundle; if that entry's Issuer differs from its Subject and no other certificate in the file carries that Subject, the chain is incomplete.
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.