satellite-installer fails while configuring Self-signed or Custom CA issued certificates with an error Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]
Environment
- Red Hat Satellite 6
- Red Hat Enterprise Linux 6 and 7
- Custom SSL certificates for Satellite and/or Capsule
Issue
- The installer fails with the error below while configuring custom CA certificates.
Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for Capsule https://satellite.example.com:9090/features Please check the Capsule is configured and running on the host.
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]/ensure: change from absent to present failed: Proxy satellite.example.com cannot be registered (422 Unprocessable Entity): Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for Capsule https://satellite.example.com:9090/features Please check the Capsule is configured and running on the host.
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]: Failed to call refresh: Proxy satellite.example.com cannot be registered (ApipieBindings::MissingArgumentsError: id): N/A
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]: Proxy satellite.example.com cannot be registered (ApipieBindings::MissingArgumentsError: id): N/A
Resolution
- Ensure DNS is configured properly so that the FQDN of the Satellite (and of any Capsule) resolves.
- Make sure Red Hat Satellite does not have iptables/firewall restrictions on the required ports; see Satellite 6.2: Ports and Firewalls Requirements.
- Make sure you are not using the same Common Name for the server certificate and the CA certificate.
- If the Satellite uses a third-party or custom CA server certificate instead of the default self-signed one, its Capsules cannot keep the default self-signed certificates either; they must use certificates issued by the same CA.
- If the issue occurs while installing the Red Hat Capsule server, confirm that the Capsule's SSL certificates are signed by the same intermediate and root CA bundle that signed the Satellite server's SSL certificate. For more on this topic, follow this solution.
- Follow the steps below to generate the certificates and apply them to the Satellite (the Common Name in the server's CSR must be the Satellite server's FQDN):
# mv /root/ssldir/* /tmp/
# cd /root/ssldir
# openssl genrsa -out rootCA.key 2048
# openssl req -x509 -new -nodes -key rootCA.key -days 365 -out rootCA.crt
NOTE: The CA's Common Name must be different from the Satellite server's FQDN, which is the Common Name used for the server certificate's CSR in the next steps.
# openssl genrsa -out example.key 2048
# openssl req -new -key example.key -out example.csr
# openssl x509 -req -in example.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out example.crt -days 365
# /usr/sbin/katello-certs-check -c example.crt -k example.key -r example.csr -b rootCA.crt
# satellite-installer --scenario satellite --certs-server-cert /root/ssldir/example.crt --certs-server-cert-req /root/ssldir/example.csr --certs-server-key /root/ssldir/example.key --certs-server-ca-cert /root/ssldir/rootCA.crt --certs-update-server --certs-update-server-ca
For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues
For more KB articles/solutions related to Red Hat Satellite 6.x Installation/Upgrade/Update Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Installation/Upgrade/Update Issues.
Root Cause
- The CA certificate's Common Name must not be the same as the server certificate's: with identical subject and issuer names, OpenSSL treats the server certificate as self-signed, and the Satellite's proxy client rejects it with "certificate verify failed".
- Firewall/iptables blocking or redirecting the connection.
Diagnostic Steps
- Verifying the server certificate against the CA file reports a self-signed lookup error at depth 0 (the server certificate's subject equals its issuer, so OpenSSL treats it as self-signed), even though the command still prints OK afterwards:
# openssl verify -CAfile rootCA.pem satellite.example.com.crt
error 18 at 0 depth lookup:self signed certificate
OK
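The following is an added example and not part of this Red Hat solution: a POSIX shell script that carries out the certificate generation from the Resolution steps and then runs the checks behind the Diagnostic Steps (distinct subject DNs on CA and server certificate, CN equal to the FQDN, a clean openssl verify against the CA file) on two sets of files: a correct set, and a constructed failure case whose CA was given the Satellite FQDN as its Common Name. The FQDN satellite.example.com, the CA name "Example Root CA", the organisation "Example" and the scratch directory are assumptions for illustration; on a real Satellite the files would live under /root/ssldir and be passed to katello-certs-check and satellite-installer exactly as shown in the Resolution.

```sh
#!/bin/sh
# Added example (not from the Red Hat solution): generate a root CA and a
# Satellite server certificate the way the Resolution steps do, then run the
# pre-installer checks that catch the root cause of "certificate verify failed".
# Assumed for illustration: FQDN satellite.example.com, CA name "Example Root
# CA", organisation "Example" and a scratch directory instead of /root/ssldir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl req config so the script does not depend on the system
# openssl.cnf; v3_ca gives the CA certificate its basicConstraints/keyUsage.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca DIR CA_CN: self-signed root CA with Common Name CA_CN.
make_ca() {
    dir="$1"; ca_cn="$2"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 365 -config "$WORK/req.cnf" \
        -key "$dir/rootCA.key" -subj "/O=Example/CN=$ca_cn" -out "$dir/rootCA.crt"
}

# make_server_cert DIR FQDN: key, CSR and CA-signed certificate for FQDN.
# The CN is the FQDN (what katello-certs-check expects); a subjectAltName is
# added on top of the article's commands because current TLS clients match the
# host name against the SAN rather than the CN.
make_server_cert() {
    dir="$1"; fqdn="$2"
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$WORK/req.cnf" -key "$dir/$fqdn.key" \
        -subj "/O=Example/CN=$fqdn" -out "$dir/$fqdn.csr"
    printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -sha256 -days 365 -in "$dir/$fqdn.csr" \
        -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/$fqdn.crt" 2>/dev/null
}

# subjects_differ CA_CRT SERVER_CRT: succeeds when the two subject DNs differ.
# When they are identical the server certificate's subject equals its issuer,
# and the OpenSSL 1.0.x on RHEL 6/7 then classifies it as self-signed: that is
# the "error 18 at 0 depth lookup:self signed certificate" of the Diagnostic
# Steps, and why proxy registration fails with "certificate verify failed".
subjects_differ() {
    ca_subj="$(openssl x509 -noout -subject -in "$1")"
    srv_subj="$(openssl x509 -noout -subject -in "$2")"
    [ "$ca_subj" != "$srv_subj" ]
}

# cn_is_fqdn SERVER_CRT FQDN: succeeds when the certificate's CN is FQDN.
cn_is_fqdn() {
    openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2\$"
}

# chain_verifies CA_CRT SERVER_CRT: succeeds when openssl verify accepts the
# server certificate against the CA file (judged by exit status, not output).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight DIR FQDN: run every check; succeeds only if all pass. On the real
# host also run: /usr/sbin/katello-certs-check -c DIR/FQDN.crt -k DIR/FQDN.key \
#   -r DIR/FQDN.csr -b DIR/rootCA.crt
preflight() {
    dir="$1"; fqdn="$2"; rc=0
    subjects_differ "$dir/rootCA.crt" "$dir/$fqdn.crt" \
        || { echo "FAIL: CA and server certificate share the same subject DN"; rc=1; }
    cn_is_fqdn "$dir/$fqdn.crt" "$fqdn" \
        || { echo "FAIL: server certificate CN is not $fqdn"; rc=1; }
    chain_verifies "$dir/rootCA.crt" "$dir/$fqdn.crt" \
        || { echo "FAIL: openssl verify -CAfile rootCA.crt $fqdn.crt rejected the chain"; rc=1; }
    return $rc
}

mkdir -p "$WORK/good" "$WORK/bad"
# Correct set: the CA's CN differs from the Satellite FQDN.
make_ca "$WORK/good" "Example Root CA"
make_server_cert "$WORK/good" satellite.example.com
# Constructed failure case: the CA was given the Satellite FQDN as its CN, so
# the CA and the server certificate end up with identical subject DNs.
make_ca "$WORK/bad" satellite.example.com
make_server_cert "$WORK/bad" satellite.example.com

for cert_set in good bad; do
    if preflight "$WORK/$cert_set" satellite.example.com; then
        echo "$cert_set: checks passed; files are ready for satellite-installer --certs-server-cert ..."
    else
        echo "$cert_set: fix the certificates before running satellite-installer"
    fi
done
```

The "good" set corresponds one-to-one to the files the Resolution passes to satellite-installer (rootCA.crt, example.crt, example.csr, example.key); the "bad" set reproduces the root cause on purpose so the subject comparison is exercised. The checks judge openssl verify by its exit status because, as the Diagnostic Steps show, the older openssl verify on RHEL 6/7 prints OK even after reporting the depth-0 self-signed error.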
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.