Certificate Verify Failed (Hostname Mismatch) Error During CA-Signed SSL Certificate Installation in Red Hat Satellite and Capsule 6

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Red Hat Capsule 6

Issue

  • How to Troubleshoot Hostname Mismatch SSL Certificate Verification Error in Red Hat Satellite 6?

  • Why is SSL_connect Returning certificate verify failed with unable to get local issuer certificate on Capsule in Red Hat Satellite 6?

  • What Could be the Cause of the certificate verify failed Error for Capsule Server in Red Hat Satellite 6?

  • How to Handle certificate verify failed and Hostname Mismatch?

  • Capsule connectivity issues in Red Hat Satellite 6 with 'certificate verify failed' and 'SSL_connect returned=1 errno=0 state=error' errors:

     2023-10-26T09:09:03 [I|app|f207c97f] Backtrace for 'Action failed' error (ProxyAPI::ProxyException): ERF12-9411 [ProxyAPI::ProxyException]: Unable to fetch public key ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)) for Capsule https://capsule.example.com:9090/ssh
    

Resolution

  • The cause is an unexpected space character after the hostname in the DNS entry of the Subject Alternative Name (SAN) field. Because the SAN value no longer equals the hostname the client connects to, hostname verification fails during the SSL handshake and the connection is rejected with a hostname mismatch error.

  • Execute the following command to extract and print the relevant certificate information on the Red Hat Satellite or Capsule server that reports the error. The trailing sed expression appends a literal $ to the end of every output line, so a space after the hostname in the DNS field becomes visible as a space before the $ marker.

     $ openssl crl2pkcs7 -nocrl -certfile /etc/foreman-proxy/ssl_cert.pem | openssl pkcs7 -text -print_certs | egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|keyid|serial:|TLS|RSA Public-Key:|Signature Algorithm:|Public Key Algorithm:|Public-Key:)' | sed 's/$/$/'
    
    • Verify the DNS entry in the SAN output that corresponds to the subject's Common Name (CN). An extra space character after the hostname in the DNS field (shown as a space before the $ marker) causes hostname verification to fail.

    • To resolve this, regenerate the server certificates. Run the capsule-certs-generate command on the Red Hat Satellite server, then run the installer on the Red Hat Capsule server with the newly generated certificate archive.

    • After completing the certificate regeneration and installation, re-run the command above to validate that the DNS entry no longer contains any additional spaces or characters that could lead to hostname mismatch errors.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

  • For hostname verification of a Red Hat Satellite or Capsule certificate to succeed, the server's fully qualified domain name (FQDN) must appear in the Subject Alternative Name (SAN) extension of the certificate. Even when the Common Name (CN) of the certificate matches the Satellite or Capsule FQDN, the CN is no longer used for hostname verification, so the FQDN must be present, and spelled exactly, in the SAN of the Satellite and Capsule server certificate.

Diagnostic Steps

  • To check the Subject Alternative Names (SANs) within the specified X.509 certificate file, you can use the following command.

     # openssl x509 -noout -text -in /etc/foreman-proxy/ssl_cert.pem | cat -At | grep DNS
    
    • This command extracts the DNS names from the certificate's Subject Alternative Name field. The cat -A option shows non-printing characters in a visible form (for example, a tab as ^I) and marks the end of each line with $, so a trailing space after the hostname appears as a space immediately before the $ marker.
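The following Python script, added here as an illustration and not part of the Red Hat article, reproduces the check a TLS client performs against the DNS entries printed by the openssl command above and reports SAN entries that only match the FQDN once stray whitespace is removed. The SAN lists, the hostname capsule.example.com and the function names are constructed for the example; paste the DNS: values from your own certificate output to check a real case.

```python
import re
from typing import Dict, List

# Constructed sample SAN entries (not taken from a real certificate). BAD_SAN
# reproduces the defect in the article: a space after the hostname in the
# DNS entry of the Subject Alternative Name extension.
GOOD_SAN = ["DNS:capsule.example.com", "DNS:capsule"]
BAD_SAN = ["DNS:capsule.example.com ", "DNS:capsule"]

# A syntactically valid (lower-cased) DNS label: letters, digits, inner hyphens.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName against a hostname the way TLS clients do
    (RFC 6125): case-insensitive, exact label-by-label match, wildcard only
    honoured in the left-most label and only when at least two labels follow."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def diagnose_san(san_entries: List[str], fqdn: str) -> Dict[str, object]:
    """Explain whether hostname verification of fqdn would succeed against
    the given SAN entries ('DNS:name' strings as printed by openssl) and
    flag entries that are not valid DNS names as written."""
    dns_names = [e[len("DNS:"):] for e in san_entries if e.startswith("DNS:")]
    exact = [n for n in dns_names if dns_name_matches(n, fqdn)]
    suspicious = []  # entries a visual check of the openssl output can miss
    for name in dns_names:
        labels = name.strip().lower().split(".")
        bad_label = any(l != "*" and not _LABEL.match(l) for l in labels)
        if name != name.strip() or bad_label:
            suspicious.append(name)
    # Suspicious entries that would match once the stray characters are
    # removed: the signature of the 'Hostname mismatch' case in this article.
    hidden = [n for n in suspicious if dns_name_matches(n.strip(), fqdn)]
    return {
        "hostname_verified": bool(exact),
        "san_dns_names": dns_names,
        "suspicious_entries": [repr(n) for n in suspicious],
        "would_match_after_strip": [repr(n) for n in hidden],
    }
```

For the BAD_SAN input the report shows hostname_verified as False while would_match_after_strip lists the entry with its trailing space, which is exactly the condition that regenerating the certificate fixes.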

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.