Registration on Satellite 6 fails when RHEL 8 client has FIPS with a FUTURE crypto policy enabled

Solution Verified - Updated

Environment

  • Red Hat Satellite 6+
  • Red Hat Enterprise Linux 8

Issue

  • Registration with Satellite 6 fails when a RHEL 8 client has FIPS with the FUTURE crypto policy enabled and has custom SSL certificates with an RSA key of 2048 bits or less

  • Running any subscription-manager or yum command on a RHEL 8 Content-Host registered with Red Hat Satellite fails with the following error:

     SSL certificate problem: EE certificate key too weak
     Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
    

Resolution

  • The Root CA certificate, as well as any Intermediate CA certificates in the bundle, must use a 4096-bit RSA key on the Satellite.

    • In this scenario, contact your Certificate Authority (CA) and get the new CA Bundle for the Satellite Server.
  • If the above steps were performed on your existing Red Hat Satellite, then also update the katello-ca-consumer-latest.noarch.rpm package on each RHEL 8 Client registered to the Satellite.

  • For more KB articles/solutions related to Red Hat Satellite 6.x Client Subscription Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Client Subscription Issues

Root Cause

Diagnostic Steps

  • To verify the key length of the certificates from the Content-Host, use one of the commands below:

     # echo | openssl s_client -connect satellite.example.com:443 2>/dev/null | openssl x509 -text -noout | grep 'Public-Key'
     OR
     # openssl crl2pkcs7 -nocrl -certfile /etc/rhsm/ca/katello-server-ca.pem | openssl pkcs7 -text -print_certs | grep -iE "Public-Key"
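
The grep above prints key sizes without saying which certificate each belongs to. The following added example (not part of the original article or any Red Hat tooling) wraps the same crl2pkcs7/pkcs7 pipeline in a shell function that names each certificate in a bundle such as /etc/rhsm/ca/katello-server-ca.pem and flags RSA keys below a minimum size. `check_bundle_keys` is a hypothetical helper name, the 4096-bit default is taken from the Resolution, and skipping non-RSA keys is an assumption that goes beyond the article.

```shell
#!/bin/sh
# Added example: report the RSA key size of every certificate in a PEM bundle.
# check_bundle_keys is a hypothetical helper; MIN_BITS defaults to the
# 4096-bit size named in the Resolution.
# Exit status: 0 = all RSA keys large enough, 1 = weak key found, 2 = error.
check_bundle_keys() {
    bundle=$1
    min_bits=${2:-4096}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }

    # Same crl2pkcs7/pkcs7 pipeline as the diagnostic command, so every
    # certificate in the file is dumped, not only the first one.
    openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null |
    openssl pkcs7 -print_certs -text -noout 2>/dev/null |
    awk -v min="$min_bits" '
        # Remember the subject so the key size can be attributed to it.
        /^ *Subject:/ { subj = $0; sub(/^ *Subject: */, "", subj) }
        /Public Key Algorithm:/ { alg = $NF }
        # Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
        /Public-Key: \(/ {
            bits = $0
            sub(/.*Public-Key: \(/, "", bits)
            sub(/ bit.*/, "", bits)
            seen++
            if (alg != "rsaEncryption")  status = "SKIP"   # e.g. EC keys
            else if (bits + 0 < min + 0) { status = "WEAK"; weak++ }
            else                         status = "OK"
            printf "%-4s %5d bit  %s\n", status, bits, subj
        }
        END {
            if (seen == 0) { print "no certificates parsed" > "/dev/stderr"; exit 2 }
            exit (weak > 0 ? 1 : 0)
        }'
}
```

Run it as `check_bundle_keys /etc/rhsm/ca/katello-server-ca.pem`; any line starting with WEAK identifies a certificate that has to be reissued by the CA.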
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.