Katello-certs-check on Red Hat Satellite 6 fails with: satellite_cert.pem does not match the satellite_cert_key.pem

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Custom SSL certs

Issue

  • katello-certs-check command on Satellite 6 fails with:

         Checking to see if the private key matches the certificate
         [FAIL]
    
         The /root/satellite_cert/satellite_cert.pem does not match the /root/satellite_cert/satellite_cert_key.pem
    

Resolution

  • Compare the md5sums of the certificate modulus and the private key modulus:

     # openssl x509 -noout -modulus -in ca_cert_bundle.pem | openssl md5 
     # openssl rsa -noout -modulus -in satellite_cert_key.pem | openssl md5
    
  • If the md5sums don't match, the certificate and the private key do not belong together. In that case, check the md5sum below and see whether it matches the one for ca_cert_bundle.pem. If it does, you can use /etc/pki/katello/private/katello-apache.key instead of satellite_cert_key.pem.

     # openssl rsa -noout -modulus -in /etc/pki/katello/private/katello-apache.key | openssl md5
    

Otherwise, you may have to recover the key from old backups or snapshots, if you have any.
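
The same comparison as a reusable check, as an added example that is not part of the original article. It goes beyond the modulus comparison above by comparing the full public key, so it also works for EC keys, and it reports an unreadable file separately from a mismatch. The function names and the sample files it generates are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original article). Compares the public key
# embedded in a certificate with the public key derived from a private key.

# Print the PEM public key of the certificate in file $1.
# Note: openssl x509 reads only the FIRST certificate of a bundle.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the PEM public key derived from the unencrypted private key in file $1.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
# The parse check matters: piping two failed openssl calls into a digest
# yields two identical hashes of empty input, which looks like a match.
key_matches_cert() {
    kc_cert=$(cert_pubkey "$1") || return 2
    kc_key=$(key_pubkey "$2") || return 2
    [ -n "$kc_cert" ] && [ -n "$kc_key" ] || return 2
    [ "$kc_cert" = "$kc_key" ]
}

# Build constructed sample data in a temp directory and print its path:
# rsa.pem/rsa.key and ec.pem/ec.key are matching pairs, other.key is unrelated.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=satellite.example.com" \
        -keyout "$d/rsa.key" -out "$d/rsa.pem" 2>/dev/null || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/ec.key" 2>/dev/null || return 1
    openssl req -x509 -new -key "$d/ec.key" -days 1 \
        -subj "/CN=satellite.example.com" -out "$d/ec.pem" 2>/dev/null || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null || return 1
    echo "$d"
}

DEMO_DIR=$(make_demo) || { echo "could not create demo data" >&2; exit 1; }
for pair in "rsa.pem rsa.key" "ec.pem ec.key" "rsa.pem other.key" "rsa.key rsa.key"; do
    set -- $pair
    rc=0
    key_matches_cert "$DEMO_DIR/$1" "$DEMO_DIR/$2" || rc=$?
    echo "$1 + $2 -> exit $rc"
done
```
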

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.