Red Hat Satellite Capsule status throws error "ERF50-5345 [Foreman::WrappedException]: Unable to connect [ProxyAPI::ProxyException]"

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.x

Issue

  • When custom SSL certificates are updated on the Red Hat Satellite server, the built-in Red Hat Satellite Capsule status (Red Hat Satellite 6 WebUI --> Infrastructure --> Capsules --> Status) shows the following error:

     [Satellite 6.x] - ERF50-5345 [Foreman::WrappedException]: Unable to connect [ProxyAPI::ProxyException]: ERF12-1764 [ProxyAPI::ProxyException]: Unable to detect version ([OpenSSL::SSL::SSLErro...)
    
  • Satellite is not able to connect to the Capsule on port 9090:

    [Satellite 6.x] - ERF50-5345 [Foreman::WrappedException]: Unable to connect [ProxyAPI::ProxyException]: ERF12-1764 [ProxyAPI::ProxyException]:Unable to fetch logs (Errno:ECONNREFUSED]:Failed to open TCP connection to capsule.example.com:9090 (Connection refused connect (2) for "capsule.example.com" port 9090) for Capsule https://capsule.example.com:9090/logs)
    

Resolution

  • Verify that the custom SSL CA certificate is in PEM format, not DER or P7B.

  • Attempting to read a DER- or P7B-encoded certificate file (certificate_ca.der) as PEM with the command below fails with the error shown:

       # openssl x509 -in certificate_ca.der -text -noout
       unable to load certificate
       140287905568672:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
    
  • Red Hat Satellite and Red Hat Satellite Capsule require certificates in PEM format. If the above command fails to read the certificate, convert it to PEM with one of the following commands:

    • To convert DER to PEM, use:

         # openssl x509 -inform der -in certificate.cer -out certificate.pem
      
    • To convert P7B to PEM, use:

         # openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
      
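The conversion steps above can be wrapped in a single check: detect whether a CA file is PEM, DER or PKCS#7 and pick the right openssl conversion. This is an added example, not part of the Red Hat article; the function names cert_format and to_pem are the example's own.

```shell
#!/bin/sh
# Added example (not from the KB article): classify a CA certificate file by
# encoding and convert it to PEM, the only format Satellite and Capsule accept.

# cert_format FILE -> prints one of: pem-x509, pem-pkcs7, der, unknown
cert_format() {
    file="$1"
    # PEM is text carrying a "-----BEGIN ..." armor line; look at the first one.
    header=$(grep -a -m1 '^-----BEGIN ' "$file" 2>/dev/null || true)
    case "$header" in
        *"BEGIN CERTIFICATE-----"*|*"BEGIN TRUSTED CERTIFICATE-----"*)
            echo pem-x509; return 0 ;;
        *"BEGIN PKCS7-----"*)
            echo pem-pkcs7; return 0 ;;
    esac
    # DER (X.509 or PKCS#7) is binary ASN.1 whose first byte is the SEQUENCE tag 0x30.
    first=$(od -An -tx1 -N1 "$file" 2>/dev/null | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# to_pem IN OUT -> writes a PEM copy of IN to OUT and prints its subject
to_pem() {
    in="$1"; out="$2"
    case "$(cert_format "$in")" in
        pem-x509)  cp "$in" "$out" ;;
        pem-pkcs7) openssl pkcs7 -print_certs -in "$in" -out "$out" ;;
        der)
            # A DER file may hold one X.509 certificate or a PKCS#7 bundle; try both.
            openssl x509 -inform der -in "$in" -out "$out" 2>/dev/null ||
            openssl pkcs7 -inform der -print_certs -in "$in" -out "$out" ;;
        *) echo "unrecognised certificate encoding: $in" >&2; return 1 ;;
    esac
    # Same check the article uses: the result must now load as PEM.
    openssl x509 -in "$out" -noout -subject
}

# Usage (uncomment on a Satellite host):
# to_pem certificate_ca.der certificate_ca.pem
```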
  • If the error message concerns the TCP connection, ensure that Satellite can reach the Capsule on port 9090. All ports listed in the following document should be allowed through the firewall:

What ports need to be opened in the firewall for Satellite 6 services?

  • Check that the Capsule is up and all its services are running. To ensure the configuration is correct, run:

       # satellite-installer --scenario capsule

For more KB articles and solutions related to Red Hat Satellite 6.x SSL certificate issues, refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues.

Root Cause

  • The custom SSL certificate CA chain is in DER or P7B format.
  • The Capsule is not listening on port 9090.

Diagnostic Steps

  • SSL communication to the built-in Red Hat Satellite Capsule server fails with the following error:

       # curl --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem --cacert /etc/foreman/proxy_ca.pem https://satellite.example.com:9090/features

       curl: (60) Peer's Certificate issuer is not recognized.
       More details here: http://curl.haxx.se/docs/sslcerts.html

       curl performs SSL certificate verification by default, using a "bundle"
        of Certificate Authority (CA) public keys (CA certs). If the default
        bundle file isn't adequate, you can specify an alternate file
        using the --cacert option.
    
  • The log file /var/log/foreman-proxy/proxy.log on the Satellite reports:

       OpenSSL::SSL:SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
    
  • On the Capsule, netstat should report all the required ports listening, as below:

# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1611/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      5384/postmaster
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1477/master
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      5980/ruby
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN      5980/ruby
tcp        0      0 127.0.0.1:38535         0.0.0.0:*               LISTEN      7927/ir_agent
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      5366/redis-server 1
tcp        0      0 0.0.0.0:5647            0.0.0.0:*               LISTEN      31561/qdrouterd
tcp6       0      0 :::8443                 :::*                    LISTEN      1001/httpd
tcp6       0      0 :::443                  :::*                    LISTEN      1001/httpd
tcp6       0      0 :::8000                 :::*                    LISTEN      5980/ruby
tcp6       0      0 :::9090                 :::*                    LISTEN      5980/ruby
tcp6       0      0 :::8140                 :::*                    LISTEN      5497/java
tcp6       0      0 :::5647                 :::*                    LISTEN      31561/qdrouterd
tcp6       0      0 :::80                   :::*                    LISTEN      1001/httpd
udp        0      0 0.0.0.0:31400           0.0.0.0:*                           7927/ir_agent
udp        0      0 0.0.0.0:68              0.0.0.0:*                           838/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           683/chronyd
udp        0      0 0.0.0.0:36220           0.0.0.0:*                           26475/local
udp6       0      0 ::1:323                 :::*                                683/chronyd

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.