Unable to enable Red Hat repositories on the Satellite

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • Getting the following message while trying to enable repositories in the Satellite Web UI -> Content -> Red Hat Repositories page.
No repositories available

Resolution

  • To test connect to the Red Hat CDN using TLSv1.0, run the following foreman-rake console script on the Satellite.
cat << EOF | foreman-rake console
module CdnResourceDebug
  def http_downloader
    net = super
    net.ssl_version = "TLSv1"
    net.set_debug_output(STDOUT)
    net
  end
end
Katello::Resources::CDN::CdnResource.prepend(CdnResourceDebug)
product = Katello::Product.find_by_cp_id("479")
cdn_config = Katello::CdnConfiguration.where(organization: Organization.find(1)).first
cdn_resource = Katello::Resources::CDN::CdnResource.create(product: product, cdn_configuration: cdn_config)
cdn_resource.get("/content/dist/rhel8/listing")
  • To test connect to the Red Hat CDN using the latest supported TLS version (currently is TLSv1.3), run the following foreman-rake console script on the Satellite.
cat << EOF | foreman-rake console
module CdnResourceDebug
  def http_downloader
    net = super
    net.ssl_version = "SSLv23"
    net.set_debug_output(STDOUT)
    net
  end
end
Katello::Resources::CDN::CdnResource.prepend(CdnResourceDebug)
product = Katello::Product.find_by_cp_id("479")
cdn_config = Katello::CdnConfiguration.where(organization: Organization.find(1)).first
cdn_resource = Katello::Resources::CDN::CdnResource.create(product: product, cdn_configuration: cdn_config)
cdn_resource.get("/content/dist/rhel8/listing")
EOF
  • If the first script fails with SSL connection error like below:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: internal error)
  • But the second script returns an expected results like below:
"8\n8.0\n8.1\n8.2\n8.3\n8.4\n8.5\n8.6\n8.7\n8.8\n"
  • Then run the following hammer command to set the cdn_ssl_version as SSLv23. This will tell Satellite to use the highest TLS version supported by both the Satellite and the Red Hat CDN.
hammer settings set --name "cdn_ssl_version" --value "SSLv23"
  • After that, try to enable any Red Hat repository.

Root Cause

  • Satellite uses TLSv1.0 to connect to the Red Hat CDN by default. Your network or HTTP proxy might not allow connection with older TLS versions.

Diagnostic Steps

  • Found the following error message in /var/log/foreman/production.log file.
[I|app|] CDN: Requesting path https://cdn.redhat.com:443/content/dist/rhel8/listing <https://cdn.redhat.com:443/content/dist/rhel8/listing>
[E|app|xxxxxxx] Failed at scanning for repository: SSL_connect returned=1 errno=0 state=error: internal error
SBR
Product(s)
Components
Category

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.