Capsule server not syncing content with Satellite

Solution Verified - Updated 14 Jun 2024

Environment

Satellite 6
Capsule 6

Issue

Capsule server is not syncing with Satellite and generating the following error messages:

goferd: [WARNING][pulp.agent] gofer.messaging.adapter.proton.reliability:54 - Connection amqps:/satellite:5647 disconnected: Condition('amqp:connection:framing-error', 'SSL Failure: Unknown error')

pulp: pulp.server.db.connection:INFO: Attempting to connect to localhost:27017
goferd: [ERROR][MainThread] katello.agent.goferd.plugin:206 - HTTP error (401 - Unauthorized): Invalid credentials.
goferd: [ERROR][MainThread] katello.agent.goferd.plugin:206 - Traceback (most recent call last):
goferd: [ERROR][MainThread] katello.agent.goferd.plugin:206 -   File "/usr/lib/python2.7/site-packages/katello/agent/goferd/plugin.py", line 197, in validate_registration
goferd: [ERROR][MainThread] katello.agent.goferd.plugin:206 -     consumer = uep.getConsumer(consumer_id)

Resolution

Run the following commands on the Satellite to check certificate exchange with the Capsule server:

# curl -v https://capsulerserver FDQN/pulp/api/v2/status/ | python -m json.tool  
# curl --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem --cacert /etc/foreman/proxy_ca.pem https://capsule server FDQN:9090/features | python -m json.tool

For more KB articles/solutions related to Red Hat Satellite 6.x Capsule Sync Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Capsule Sync Issues

Root Cause

A firewall or proxy, which is located between the Satellite and Capsule servers, is making a certificate modification during the certification validation process. It needs to be checked and corrected.

Diagnostic Steps

If the firewall is making changes, then the curl command result will show the following. This example shows the Cisco firewall generated its certificate which resulted in SEC_ERROR_CA_CERT_INVALID error:

Server certificate:
*       subject: CN=ASA Temporary Self Signed Certificate
*       start date: Nov 16 16:49:53 2019 GMT
*       expire date: Nov 13 16:49:53 2029 GMT
*       common name: ASA Temporary Self Signed Certificate
*       issuer: CN=ASA Temporary Self Signed Certificate
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)

SBR

SysMgmt

Product(s)

Red Hat Satellite

Category

Configure

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.