Configuring Red Hat Capsule 6.x with custom SSL certs fails with `Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)) for Capsule xxxxxxxx`
Environment
- Red Hat Satellite 6.12
Issue
Running the following command on the Capsule server:
satellite-installer --scenario capsule --certs-tar-file "/root/capsule.example.com.tar" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-foreman-base-url "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts "satellite.example.com" \
    --foreman-proxy-trusted-hosts "capsule.example.com" \
    --foreman-proxy-oauth-consumer-key "xxxxxx" \
    --foreman-proxy-oauth-consumer-secret "xxxxxx"
it fails with the following error message:
2023-12-04 15:18:19 [ERROR ] [configure] Error making POST request to Foreman at https://satellite.example.com/api/v2/smart_proxies: Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)) for Capsule https://capsule.example.com:9090/v2/features Please check the Capsule is configured and running on the host.
2023-12-04 15:18:19 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.example.com]/ensure: change from 'absent' to 'present' failed: Error making POST request to Foreman at https://satellite.example.com/api/v2/smart_proxies: Unable to communicate with the Capsule: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)) for Capsule https://capsule.example.com:9090/v2/features Please check the Capsule is configured and running on the host.
Resolution
Apply the steps in the Diagnostic Steps section of this solution. If the outcome matches:
- Confirm that the custom certificate for the Capsule server has been created according to the procedure described in 2.6.2.1. Creating a Custom SSL Certificate for Capsule Server.
- The expected outcome from the previous step is a CA bundle and the signed certificate, in separate files. Using these, the certificate can be deployed by following the procedure described in 2.6.2.2. Deploying a Custom SSL Certificate to Capsule Server.
For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues.
Root Cause
The error encountered when running the `satellite-installer` command indicates that the SSL certificate might not be issued for the correct domain name.
Diagnostic Steps
- On the Capsule server, examine the output from the following command, and make sure that the `Subject` line has `CN = <FQDN of the Capsule server>`:
# openssl x509 -in /etc/pki/katello/certs/katello-apache.crt -text | less
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
68:8b:0c:ff:cd:a8:47:1b:e8:eb:d7:e3:ac:05:c4:2f:ec:24:30:28
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = satellite.example.com
Validity
Not Before: May 10 22:51:20 2023 GMT
Not After : Jan 17 22:51:20 2038 GMT
Subject: C = US, ST = North Carolina, O = Default Organization, OU = SomeOrgUnit, CN = capsule.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
.
.
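The same check can be scripted with `openssl x509 -checkhost`. This is an added example, not part of the original solution, and it goes beyond reading the Subject line: OpenSSL's hostname check uses subjectAltName DNS entries when the certificate has any, and falls back to the Subject CN only when it has none. The function names are hypothetical, `make_sample_cert` only builds constructed throwaway certificates for testing, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical; certificates made by make_sample_cert are constructed test data.

# subject_cn CERT: print the Subject CN, the field the diagnostic step inspects.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | awk -F' = ' '/commonName/ {print $2}'
}

# cert_matches_host CERT FQDN: succeed only if OpenSSL's hostname check accepts
# FQDN. SAN DNS entries are checked first; the CN is used only if there are none.
# openssl prints "does match" or "does NOT match", so the text is tested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# make_sample_cert OUT.crt CN [SAN]: self-signed throwaway certificate for
# testing the two functions above (constructed data, valid for one day).
make_sample_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Example/CN=$2" -addext "subjectAltName=$3" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Example/CN=$2" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# Stand-alone use: check.sh CERT FQDN
if [ "$#" -eq 2 ]; then
    echo "Subject CN: $(subject_cn "$1")"
    if cert_matches_host "$1" "$2"; then
        echo "OK: certificate is valid for $2"
    else
        echo "MISMATCH: certificate is not valid for $2"
        exit 1
    fi
fi
```

On the Capsule server, run it against `/etc/pki/katello/certs/katello-apache.crt` with the Capsule's FQDN as the second argument.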