Clients are unable to connect with the Red Hat Satellite 6 server due to recent expired AddTrust Root CA certificates.

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • Running any subscription-manager or yum command on content hosts registered with Red Hat Satellite fails with the following error:

      [Errno 14] curl#58 - "SSL peer rejected your certificate as expired.
      or
     Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
    
  • Hammer commands on the Satellite fail with the following error:

       Make sure you configured the correct URL and have the server's CA certificate installed on your system.
    
       The following configuration option were used for the SSL connection:
         ssl_ca_file = /etc/pki/katello/certs/katello-server-ca.crt
    
       Make sure the location contains an unexpired and valid CA certificate for https://satellite.example.com
    
  • Logging in to Satellite, or performing any operation in Satellite (such as creating a new Subnet), fails with the following error:

      SSL certificate verification failed
      Make sure you configured the correct URL and have the server's CA certificate installed on your system.
      The following configuration option were used for the SSL connection:
      ssl_ca_file = /etc/pki/katello/certs/katello-server-ca.crt
    
  • How to update or replace old expired certificates on Satellite 6?

  • Is there any way to check for expired Certificate Authority (CA) certificates in Satellite 6?

Resolution

  • In this scenario, you need to contact your Certificate Authority (CA) and obtain a new CA bundle for the Satellite server.
    NOTE: All the certificates, including the CA bundle, must be in PEM format, as required by the Red Hat Satellite documentation.

  • Once you have all the required certificates, validate the custom SSL certificate input files with the following command:

     # katello-certs-check \
     -c /root/satellite_cert/satellite_cert.pem \
     -k /root/satellite_cert/satellite_cert_key.pem \
     -b /root/satellite_cert/NEW-CA_cert_bundle.pem
    

    Note: replace the certificate file names and paths in the above command with the new certificates and their correct paths.

  • The above command prints the satellite-installer command that deploys the new intermediate and root CA certificates on the Satellite server.

    • Below is an example command to update the CA bundle on a Satellite:

       # satellite-installer --scenario satellite \
       --certs-server-cert /root/sat_cert/satellite_cert.pem \
       --certs-server-key /root/sat_cert/satellite_cert_key.pem \
       --certs-server-ca-cert /root/sat_cert/NEW-CA_cert_bundle.pem \
       --certs-update-server --certs-update-server-ca
      
  • After updating the Satellite Server to use the new custom CA SSL certificate, re-install the katello-ca-consumer package on every Content Host that is registered to the Satellite Server.

    • Steps to be followed on each Content Host:

             # yum remove 'katello-ca-consumer*'
             # curl --insecure --output katello-ca-consumer-latest.noarch.rpm https://satellite-fqdn/pub/katello-ca-consumer-latest.noarch.rpm
             # yum localinstall katello-ca-consumer-latest.noarch.rpm
      
             OR
      
             # yum remove 'katello-ca-consumer*'
             # yum localinstall http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
      
  • For more KB articles/solutions related to Red Hat Satellite 6.x Client Subscription Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Client Subscription Issues

  • For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

  • The Sectigo (AddTrust) trust certificates expired on May 30th, which broke communication with all Satellite clients that rely on these expired certificates. The Satellite needs its current certificates replaced with the new trust certificates from Sectigo.

Diagnostic Steps

  • Check the validity of the custom/external SSL certificates installed on a client registered to Satellite 6, and look at the End Date field:

     # rct cat-cert /etc/rhsm/ca/katello-server-ca.pem
    
  • Check the location and path of the custom (third-party) SSL certificates in the Satellite server configuration:

       # grep -iE 'server_key|server_cert_req|server_ca_cert|server_cert' /etc/foreman-installer/scenarios.d/satellite-answers.yaml
    
         server_cert: /root/sat_cert/satellite_cert.pem
         server_key: /root/sat_cert/satellite_cert_key.pem
         server_cert_req: 
         server_ca_cert:  /root/sat_cert/ca_cert_bundle.pem
    
    • Using the server_ca_cert path from the above output, check the validity of the custom/external SSL certificates installed on the Satellite 6 server with the following command:

        # openssl crl2pkcs7 -nocrl -certfile /root/sat_cert/ca_cert_bundle.pem | openssl pkcs7 -text -print_certs | grep -E '(Issuer:|Subject:|Not Before|Not After)'
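The openssl pipeline above prints the dates but leaves the comparison to the reader. The following Python script, added here as an example and not part of the Red Hat solution, walks a PEM bundle such as /etc/rhsm/ca/katello-server-ca.pem or the server_ca_cert file, reads each certificate's validity straight from the DER structure (no third-party modules), and flags certificates that are expired or expire within a configurable window. sample_pem builds a constructed X.509 skeleton, not a real certificate, only so the check can be exercised offline.

```python
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as UTC datetimes."""
    fields = _children(_children(_children(der)[0][1])[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                                  # skip explicit [0] version
        fields = fields[1:]
    return tuple(datetime.strptime(v.decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
                 .replace(tzinfo=timezone.utc) for t, v in _children(fields[3][1]))  # validity

def check_bundle(pem_text, now=None, warn_days=30):
    """Classify every certificate in a PEM bundle as OK, EXPIRING or EXPIRED."""
    now = now or datetime.now(timezone.utc)
    report = []
    for i, m in enumerate(PEM_RE.finditer(pem_text), 1):
        _, not_after = cert_validity(base64.b64decode("".join(m.group(1).split())))
        days_left = (not_after - now).days
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left < warn_days else "OK"
        report.append((i, not_after.strftime("%Y-%m-%d"), status))
    return report

def _der(tag, content):
    return bytes([tag, len(content)]) + content   # tiny DER encoder, short-form lengths only

def sample_pem(not_before, not_after):
    """Constructed X.509 skeleton (fields up to validity, empty names); not a real cert."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
    tbs += _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Run check_bundle(open("/etc/rhsm/ca/katello-server-ca.pem").read()) on a content host, or on the server_ca_cert file on the Satellite, to list every certificate in the bundle with its expiry status; the constructed sample uses the real AddTrust expiry instant (2020-05-30 10:48:38 UTC) purely as test data.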
      

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.