Custom Repository sync fails with an error 'RPM1004: Error retrieving metadata: A connection error occurred' on Satellite 6 server.

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.x

Issue

  • Red Hat repositories are syncing with no error but repository from a Custom product which are SSL based are failing.

  • While trying to sync Third-party repositories on Red Hat Satellite, it fails with RPM1004: Error retrieving metadata: A connection error occurred.

     2021-10-13T21:07:03 [E|bac|] RPM1004: Error retrieving metadata: A connection error occurred (Katello::Errors::PulpError)

  • Repository sync for a Custom product based on SSL and certificates signed by DST Root CA X3 fails with the error given below:

        Oct 13 21:06:45 satellite pulp: nectar.downloaders.threaded:ERROR: Skipping requests to customrepo.example.com due to repeated connection failures: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

  • Below error has been observed in the Red Hat Satellite GUI -> Monitor -> Tasks -> Sync task: 

     RPM1004: Error retrieving metadata: A connection error occurred
 "error"=>
  {"code"=>"RPM1004",
   "data"=>{"reason"=>"A connection error occurred"},
   "description"=>"Error retrieving metadata: A connection error occurred",

Resolution

  • Update the ca-certificates package on a Red Hat Satellite server and remove the DST Root CA X3 certificates from Trust-Store. by following below steps. 

        # yum --disableplugin=foreman-protector update ca-certificates

    # cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem  /root/

    # perl -e 'while(<>){last if $_ =~ m/DST Root CA X3/;}print $_;while(<>){last if length($_)==1;print $_}' </etc/pki/tls/certs/ca-bundle.crt > /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem

    # update-ca-trust extract

  • Start syncing Custom repository again through Red Hat Satellite webUI and check the progress.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

  • Validity of root Certificate Authority (CA) certificate with CN = DST Root CA X3 will be expire soon or already expired.
  • Refer to the article, which describes the issue in more detail.

Diagnostic Steps

  • To find out the server certificate validity use below curl command with complete path of Custom repository. 

     # curl -v https://customrepo.example.com/pub/repos/yum/redhat/rhel-8-x86_64/repodata/repomd.xml
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.