Red Hat Satellite Capsule 6 status shows as "error certificate verify failed (unable to get local issuer certificate)" on webUI

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.x
  • Red Hat Capsule 6.x

Issue

  • Red Hat Capsule 6 status shows certificate error in Red Hat Satellite Web UI under Infrastructure >> Capsules >> Capsule Name:

    SSL_connect returned=1 error=0 state=error: certificate verify failed (unable to get local issuer certificate)

  • Installer fails on Red Hat Capsule with the below error, How to fix it? 

     [ERROR 2022-05-10T10:54:55 main]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.example.com]/ensure: change from 'absent' to 'present' failed: Proxy capsule.example.com cannot be registered: Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([Net::HTTPServerException]: 403 "Tunnel or SSL Forbidden") for Capsule https://capsule.example.com:9090/v2/features Please check the Capsule is configured and running on the host. 

        2022-06-02 10:04:31 [ERROR ] [configure] /Stage[main]/Pulp::Database/Exec[migrate_pulp_db]/returns: change from 'notrun' to ['0'] failed: 'pulp-manage-db' returned 70 instead of one of [0]

    2022-06-02 10:05:33 [ERROR ] [configure] Proxy capsule.example.com cannot be registered: Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::Exceptions::ReadTimeout]: Timed out reading data from server) for Capsule https://capsule.example.com:9090/v2/features Please check the Capsule is configured and running on the host.
    2022-06-02 10:05:33 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.example.com]/ensure: change from 'absent' to 'present' failed: Proxy capsule.example.com cannot be registered: Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::Exceptions::ReadTimeout]: Timed out reading data from server) for Capsule https://capsule.example.com9090/v2/features Please check the Capsule is configured and running on the host.

  • Updating External CA-signed SSL certificates on Red Hat Capsule fails on the below error. 

     2022-05-04 13:41:14 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.example.com]: Error making PUT request to https://capsule.example.com/api/v2/smart_proxies/2/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on capsule.example.com for detailed information

Resolution

  • To get the correct status of the Red Hat Capsule server on Red Hat Satellite remove proxy entry from the below settings .

    • From Red Hat Satellite 6 Web UI page :

       Login to Red Hat Satellite WebUI navigate to Administer >> Settings >> General >> Remove proxy entry for HTTP(S) proxy

    • From Hammer command :

              # hammer settings set --name http_proxy --value "" 

        OR 

        # hammer settings set --name=http_proxy_except_list --value=[capsule.example.com] 
        # satellite-maintain service restart

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Reach out to the This content is not included.Red Hat Technical Support in case any further assistance would be required.

Root Cause

  • The setting "HTTP(S) proxy" sets a proxy for all outgoing HTTP connections from the Red Hat Satellite server.
  • Hence if proxy is not required for Red Hat Satellite to Red Hat Capsule communication then this setting should not be set.

Diagnostic Steps

  • Below errors can be fetched from /var/log/foreman/production.log :

    2020-07-09T03:17:22 [E|app|] Error performing CreatePulpDiskSpaceNotifications (Job ID: <Job-id>) from Dynflow(default) in     620.38ms: Foreman::WrappedException (ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]:     ERF12-3580 [ProxyAPI::ProxyException]: Unable to detect pulp storage ([Net::HTTPServerException]: 403 "Forbidden") for Capsule     https://<Capsule-FQDN>:9090/pulpnode/status/disk_usage)):

  • Below error from Red Hat Satellite server observed in/var/log/foreman/production.log , when Administer >> Settings has proxy configuration added. 

        2022-05-09T20:01:52 [I|app|ffc960a1] (RestClient) Proxying request to capsule.example.com via http://webproxy.example.com:3128
    2022-05-09T20:01:52 [W|app|ffc960a1] 403 Forbidden

    OR

    2020-06-23T11:26:09 [I|app|20fda2ff] Started POST "/api/v2/smart_proxies" for 10.20.30.40 at 2020-06-23 11:26:09 +0200
    2020-06-23T11:26:09 [I|app|20fda2ff] Processing by Api::V2::SmartProxiesController#create as JSON
    2020-06-23T11:26:09 [I|app|20fda2ff]   Parameters: {"smart_proxy"=>{"name"=>"capsule.example.com", "url"=>"https://capsule.example.com:9090"}, "apiv"=>"v2"}
    2020-06-23T11:26:09 [I|app|20fda2ff] Authorized user foreman_api_admin(API Admin)
    2020-06-23T11:26:09 [I|app|20fda2ff] (RestClient) Proxying request to capsule.example.com via https://webproxy.example.com:3128
    2020-06-23T11:26:09 [E|app|20fda2ff] Unprocessable entity SmartProxy (id: new):
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.