Red Hat Capsule synchronization fails with the following SSL error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Red Hat Capsule 6

Issue

  • Red Hat Capsule synchronization encounters the following SSL error, leading to failure:
Oops, we're sorry but something went wrong capsule.example.com is unreachable. SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Resolution

  • To connect to Red Hat Satellite, a proxy is needed for hosts in one network, while hosts in a different network where the Capsule server is located do not require a proxy.

  • To allow the Satellite server to access the Capsule server, add the Red Hat Capsule's hostname to the exception list to exclude it from the proxy:

      1. Navigate to the Satellite Web UI.
  2. Go to Administer -> Settings -> General -> HTTP(S) proxy.
  3. Under HTTP(S) proxy except hosts, add the Red Hat Capsule's hostname.

For more KB articles/solutions related to Red Hat Satellite 6.x Capsule Sync Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Capsule Sync Issues

Root Cause

  • This issue arises because the Red Hat Capsule server is attempting to sync through a proxy. The proxy can cause SSL verification to fail due to a self-signed certificate in the certificate chain. There are two potential proxy-related causes for this issue:

    • SSL-based Proxy:
      The proxy itself might be using SSL, which interferes with the secure connection between the Capsule and Satellite servers. This results in the SSL verification error.
    • Non-SSL Proxy Restrictions:
      The proxy might not allow SSL traffic, or it may be improperly configured to handle SSL connections, leading to the failure.

  • In both scenarios, the proxy configuration disrupts the secure communication, causing synchronization issues. To resolve this, you need to ensure that the Red Hat Capsule's hostname is added to the exception list in the Satellite Web UI to bypass the proxy for Capsule communications.

  • The "HTTP(S) proxy" setting applies a proxy for all outgoing HTTP connections from the Red Hat Satellite server. Consequently, the Red Hat Capsule also tries to connect to the Satellite server via this proxy, leading to the SSL error.

Diagnostic Steps

  • Ensure there is no mismatch in the configured SSL certificates on the Capsule server compared to those on the Satellite server., refer 2.6.2. Configuring Capsule Server with a Custom SSL Certificate.

  • When attempting to perform a sync on the Red Hat Capsule, the following error is returned:

     Oops, we're sorry but something went wrong capsule.example.com is unreachable. SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

  • The following error is observed in /var/log/foreman/production.log on the Red Hat Satellite server when a proxy configuration is added under Administer -> Settings:

      2024-05-14T09:57:19 [I|app|ae5e07a9]   Parameters: {"smart_proxy_id"=>"11-capsule.example.com", "id"=>"11-capsule.example.com"}
  2024-05-14T09:57:19 [I|app|6446bed5] Completed 200 OK in 10ms (Views: 0.3ms | ActiveRecord: 1.9ms | Allocations: 2965)
  2024-05-14T09:57:19 [I|app|557ebf50] (RestClient) Proxying request to capsule.example.com via https://proxy.example.com:8080
  2024-05-14T09:57:19 [W|app|557ebf50] capsule.example.com is unreachable. SSL_connect returned=1 errno=0 state=error: certificate 
  verify failed (self signed certificate in certificate chain)
  2024-05-14T09:57:19 [I|app|557ebf50] Backtrace for 'capsule.example.com is unreachable. SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)' error (Katello::Errors::CapsuleCannotBeReached): capsule.example.com is unreachable. SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
  557ebf50 | /usr/share/gems/gem

  • By adding the Red Hat Capsule hostname to the proxy exception list, the sync process should work correctly, bypassing the SSL error.

SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.