[Satellite 6] After updating SSL certificates on Satellite 6.x server and installing the new version of the katello-ca-consumer-* package on Satellite clients, the Satellite clients can no longer access the repositories on the Satellite server.

Solution Verified - Updated 14 Jun 2024

Environment

Red Hat Satellite 6.x

Issue

After updating SSL certificates on Satellite 6.x server and installing the new version of the katello-ca-consumer package on Satellite clients, the Satellite clients can no longer access the repositories on the Satellite server. The updated SSL certificates have been deployed on the Satellite server (following the directions in the Red Hat Satellite documentation) using the satellite-installer command that has been provided in the output from the following command:

# katello-certs-check \
-c /root/satellite_cert/satellite_cert.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-b /root/satellite_cert/ca_cert_bundle.pem

Where:

/root/satellite_cert/satellite_cert.pem is the path to the Satellite Server certificate file that is signed by a Certificate Authority.
/root/satellite_cert/satellite_cert_key.pem is the path to the private key that was used to sign the Satellite Server certificate.
/root/satellite_cert/ca_cert_bundle.pem is the path to the Certificate Authority bundle.

Resolution

Remove the new version of the katello-ca-consumer package from the Satellite clients.
Delete the /etc/rhsm/rhsm.conf.kat-backup file.
Re-install the new version of the katello-ca-consumer package on the Satellite clients.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

The old katello-ca-consumer package was not removed on the Satellite clients before installing the new one. Upgrading the katello-ca-consumer package without removing the old one first causes the baseurl setting in /etc/rhsm/rhsm.conf to be reverted back to subscription.rhsm.redhat.com.
This issue has been addressed by This content is not included.BZ#1619533.

Diagnostic Steps

Check the values of the hostname and baseurl settings in /etc/rhsm/rhsm.conf. Instead of pointing to the hostname of the Satellite server and the repository on the Satellite server, the values of these 2 parameters are reverted back to the default values pointing to Red Hat's CDN:

hostname = subscription.rhsm.redhat.com
baseurl = https://cdn.redhat.com

SBR

SysMgmt

Product(s)

Red Hat Satellite

Tags

satellite_6

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.