Certificate issue while registering the RHEL 6 content host with Red Hat Satellite 6 server.

Solution Verified - Updated

Environment

  • Red Hat Satellite server 6.x
  • Red Hat Enterprise Linux 6.x

Issue

  • A "Bad certificate" error is returned while registering the RHEL 6 host with the Red Hat Satellite 6 server:
BadCertificateException: Bad certificate at /etc/rhsm/ca/katello-server-ca.pem

Resolution

a. Create a separate copy of "katello-server-ca.crt" for RHEL 6 host under "/var/www/html/pub" on Red Hat Satellite 6 server.

# cp -pr katello-server-ca.crt rhel6_server_ca.crt

b. Manually edit the certificate file for the RHEL 6 host and ensure that no line contains more than 64 characters. The file should look like the following:

-----BEGIN CERTIFICATE-----
MIIH3TCCBcWgAwIBAgITGAAAAAKzs5uX4VXRAQAAAAAAAjANBgkqhkiG9w0BAQsF
ADA2MRowGAYDVQQKExFFYXRvbiBDb3Jwb3JhdGlvbjEYMBYGA1UEAxMPRWF0b24g
.
.
-----END CERTIFICATE-----

c. Register the RHEL 6 host with the Red Hat Satellite 6 Server using the following steps.

# rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
# curl -ks --output /etc/rhsm/ca/katello-server-ca.pem https://satellite.example.com/pub/rhel6_server_ca.crt
# update-ca-trust enable;
# cp -f /etc/rhsm/ca/katello-server-ca.pem /etc/pki/ca-trust/source/anchors/katello-server-ca.pem;   ## overwrite the existing file.
# update-ca-trust;
# subscription-manager register --org="<org_name>" --activationkey="<ak_name>"  --force
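
Step b can be scripted rather than edited by hand. The following is an added example, not part of the original solution: it lists the lines that exceed 64 characters, rewraps each PEM block at 64 columns, and confirms that the base64 payload is unchanged. The function names and the sample file contents are constructed for illustration.

```bash
# Added example, not from the original article. Function names are hypothetical.

# Print "line:length" for every line longer than 64 characters.
pem_long_lines() {
    awk 'length($0) > 64 { printf "%d:%d\n", NR, length($0) }' "$1"
}

# Rewrap each PEM block in $1 to 64-character base64 lines (output on stdout).
pem_rewrap64() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN / { print; body = ""; inside = 1; next }
        /^-----END / {
            while (length(body) > 64) { print substr(body, 1, 64); body = substr(body, 65) }
            if (length(body) > 0) print body
            print; inside = 0; next
        }
        inside { gsub(/[ \t]/, ""); body = body $0; next }
        { print }  # text outside PEM blocks passes through unchanged
    '
}

# Base64 payload with all line breaks removed, for a before/after comparison.
pem_payload() {
    awk '/^-----BEGIN /{inside = 1; next} /^-----END /{inside = 0; next} inside' "$1" |
        tr -d ' \t\r\n'
}

# Constructed sample: PEM-shaped text wrapped at 76 columns (not a real certificate).
make_sample() {
    awk 'BEGIN {
        for (i = 0; i < 19; i++) row = row "QUJD"
        print "-----BEGIN CERTIFICATE-----"; print row; print row; print "QUJDRA=="
        print "-----END CERTIFICATE-----"
    }' > "$1"
}

demo() {
    workdir=$(mktemp -d)
    make_sample "$workdir/katello-server-ca.crt"
    pem_long_lines "$workdir/katello-server-ca.crt"
    pem_rewrap64 "$workdir/katello-server-ca.crt" > "$workdir/rhel6_server_ca.crt"
    # Rewrapping must change only the line breaks, never the encoded bytes.
    if [ "$(pem_payload "$workdir/katello-server-ca.crt")" = \
         "$(pem_payload "$workdir/rhel6_server_ca.crt")" ]; then
        echo "payload unchanged; long lines left: $(pem_long_lines "$workdir/rhel6_server_ca.crt" | wc -l)"
    fi
    rm -rf "$workdir"
}
demo
```

On the real files, the `openssl x509 -noout -fingerprint` output for the original and the rewrapped copy should match when checked on the Satellite server, which shows that only the line wrapping changed.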

For more KB articles and solutions related to Red Hat Satellite 6.x client subscription issues, refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Client Subscription Issues.

Root Cause

  • The RHEL 6 host does not accept more than 64 characters per line in the certificate file when registering with the Satellite server.

Diagnostic Steps

  • The following error is logged in the "rhsm.log" file on the affected RHEL 6 host:
Traceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/subscription_manager/managercli.py", line 1113, in _do_command
    type=self.options.consumertype
  File "/usr/lib64/python2.6/site-packages/rhsmlib/services/register.py", line 80, in register
    type=type
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 966, in registerConsumer
    return self.conn.request_post(url, params)
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 693, in request_post
    return self._request("POST", method, params, headers=headers)
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 716, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 520, in _request
    self._load_ca_certificates(context)
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 488, in _load_ca_certificates
    raise BadCertificateException(cert_path)
BadCertificateException: Bad certificate at /etc/rhsm/ca/katello-server-ca.pem
  • Verification of "katello-server-ca.pem" fails with the following error on the RHEL 6 content host:
# awk -v cmd='openssl x509 -noout -subject -issuer -fingerprint -startdate -enddate' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/rhsm/ca/katello-server-ca.pem

unable to load certificate
140280500025160:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:812:
unable to load certificate

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.