When subscribing host, receive error Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Solution Verified - Updated 14 Jun 2024

Environment

Red Hat Satellite 6
Red Hat Enterprise Linux

Issue

When trying to subscribe a host to Satellite 6, registration fails with the following error.

`Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)`

Resolution

Add the hostname of the Satellite into the "no_proxy" parameter of /etc/rhsm/rhsm.conf allows connections to the Satellite server without proxy interference. Here's an example of what that line should look like:
```
`no_proxy = satellite.example.com`
```

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

A proxy server between the Satellite server and the host altered the issuer of the CA certificate, causing the certificate to become invalid.

Diagnostic Steps

Run this command (where "user" is the username required by your proxy server, if any; "password" is the password for that username, "proxyhost" is the hostname of your proxy server, "port" is the port required to use your proxy server, and "satellite.example.com" is replaced by the fully qualified domain name of your Satellite server):
```
# curl -vk -x https://user:password@proxyhost:port https://satellite.example.com
```
Look at the server certificate section of the output. Then run these commands:
```
    # http_proxy=''

    # https_proxy=''

    # curl -vk https://satellite.example.com
```
Once again, look at the server certificate section of the output. If that section changes between the two curl outputs (one that uses the proxy server and one that doesn't), then you're dealing with the issue covered by this article.

Note: While many Satellite installations use the Red Hat certificates, some use custom certificates. This is why we cannot assume that the correct certificates will be Red Hat-issued.

SBR

SysMgmt

Product(s)

Components

subscription-manager

Category

Troubleshoot

Tags

proxy

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.