Capsule installation fails on registration to Satellite with 3rd party SSL CA

Environment

Red Hat Satellite 6

Issue

  • Satellite configured with custom server CA and certificates
  • Capsule installation with default certificates fails with the error: Proxy capsule.example.org cannot be registered: Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Resolution

Install the Capsule with custom certificates issued by the same CA that signed the server certificates on Satellite. For the exact procedure, follow the documentation.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues.

For more KB articles/solutions related to Red Hat Satellite 6.x Installation/Upgrade/Update Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Installation/Upgrade/Update Issues.

Root Cause

Satellite and Capsule certificates must have a common issuer CA; otherwise either Satellite or the Capsule does not trust the other. So when Satellite uses custom certificates signed by a custom CA, the Capsule cannot use the default certificates: it must use custom certificates signed by the same CA.

Diagnostic Steps

  • The installer on the Capsule fails with:
[ERROR 2020-01-23T13:56:08 main]  Proxy capsule.example.org cannot be registered: Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for Capsule https://capsule.example.org:9090/features Please check the Capsule is configured and running on the host.
  • /var/log/foreman-proxy/proxy.log on Capsule logs at the same time:
E, [2020-01-23T13:56:08.879924 ] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca
        /usr/share/ruby/openssl/ssl.rb:280:in `accept'
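
The common-issuer requirement described under Root Cause can be checked with openssl before the installer is run. The script below is an added example, not part of the original solution or of Satellite tooling: it builds a constructed pair of CAs and host certificates in a temporary directory, and the function names, satellite.example.org and the generated file names are assumptions.

```shell
# Added example. All certificates generated below are constructed test data.
# chains_to CA_BUNDLE CERT: exit 0 if CERT verifies against CA_BUNDLE
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# common_ca CA_BUNDLE SATELLITE_CERT CAPSULE_CERT
# Returns 0 only when both certificates chain to the same CA bundle.
common_ca() {
    rc=0
    for cert in "$2" "$3"; do
        issuer=$(openssl x509 -noout -issuer -in "$cert" 2>/dev/null)
        if chains_to "$1" "$cert"; then
            echo "OK    $cert ($issuer)"
        else
            echo "FAIL  $cert ($issuer) is not signed by a CA in $1"
            rc=1
        fi
    done
    return "$rc"
}

# make_ca DIR NAME: constructed self-signed CA (hypothetical helper)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA_NAME HOST: constructed host certificate signed by CA_NAME
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3-$2.pem" 2>/dev/null
}

d=$(mktemp -d)
make_ca "$d" custom-ca      # stands in for the custom CA used on Satellite
make_ca "$d" default-ca     # stands in for a different CA on the Capsule
issue "$d" custom-ca satellite.example.org
issue "$d" custom-ca capsule.example.org
issue "$d" default-ca capsule.example.org
sat="$d/satellite.example.org-custom-ca.pem"

# Same issuer on both sides: both lines report OK.
common_ca "$d/custom-ca.pem" "$sat" "$d/capsule.example.org-custom-ca.pem"
# The failing setup from this article: Capsule certificate from another CA.
common_ca "$d/custom-ca.pem" "$sat" "$d/capsule.example.org-default-ca.pem" ||
    echo "issuer mismatch: expect 'certificate verify failed' / 'unknown ca'"
```

On a real system, pass the custom CA bundle and the two server certificates to common_ca instead of the generated files.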