SSL certificate verification error when syncing custom repositories in Red Hat Satellite 6

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • The custom repository sync from the Red Hat Satellite server fails with the error below.
  Cannot connect to host dl.fedoraproject.org:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')]

Resolution

  • To resolve this issue there are multiple solutions:

    • Whitelist the Custom URL: Ensure the repository URL (dl.fedoraproject.org) is whitelisted in the network proxy or firewall.

    • Trust the proxy Certificate Authority by adding it to the Satellite's trusted CA sources.

      cp /path/to/new_certificate_authority.pem /etc/pki/ca-trust/source/anchors/
      update-ca-trust
      
    • Disable SSL verification for the affected repository to allow the sync to complete successfully.

      - Navigate to **Satellite GUI > Content > Products**.  
      - Select the custom product containing the repository.  
      - Go to the **Custom Repository > Sync Settings**.  
      - Set **Verify SSL** to **No**, and save the settings.  
      

  • Note:
    • Because SSL inspection can be a resource-intensive task, the recommended approach is to disable SSL inspection for this traffic by whitelisting the endpoint URLs or domains, as long as the endpoint is trusted.
    • Because the certificate presented by the proxy is expected to be issued by a trusted CA, the second preferred approach is to add this CA to the trusted ones.
    • Disabling SSL verification allows the synchronization process to bypass certificate validation for the upstream repository. As a result, the sync will proceed even if the SSL certificate is invalid, self-signed, or issued by an untrusted Certificate Authority (CA). Use this workaround cautiously, as it may expose the system to potential security risks.

For more KB articles/solutions related to Red Hat Satellite 6.x Repository Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Repository Issues.

Root Cause

  • The Satellite Server relies on SSL to securely communicate with the custom repository URL. If an SSL interception proxy is in use, it disrupts this secure communication.
  • The error indicates that HTTPS/SSL inspection or blocking at the local network level is interfering with the synchronization process.

Diagnostic Steps

  • The following error can be found in the /var/log/foreman/production.log.

    [E|bac|f7143102] Cannot connect to host xx.example.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')] (Katello::Errors::Pulp3Error)
    f7143102 | /usr/share/gems/gems/katello-4.11.0.16/app/lib/actions/pulp3/abstract_async_task.rb:108:in `block in check_for_errors'
    f7143102 | /usr/share/gems/gems/katello-4.11.0.16/app/lib/actions/pulp3/abstract_async_task.rb:106:in `each'
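
  • To see which resolution applies, check who issued the certificate the Satellite server actually receives for the upstream host. The script below is an added example, not part of the original solution: it assumes the openssl CLI verifying against its default trust store, and the function names and the "Example Corp Inspection CA" sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original article). Run on the Satellite server.

# Parse `openssl s_client` text on stdin -> "issuer|verify code|reason".
summarize_handshake() {
    awk '
        /^issuer=/ && issuer == "" { issuer = substr($0, 8) }
        /Verify return code:/ {
            line = $0; sub(/.*Verify return code: */, "", line)
            code = line; sub(/ .*/, "", code)
            reason = line; sub(/^[0-9]+ *\(/, "", reason); sub(/\) *$/, "", reason)
        }
        END { printf "%s|%s|%s\n", issuer, code, reason }'
}

# Map the OpenSSL verify code to a verdict (labels are this example's own).
# 19/20/21: the chain does not end at a CA in the local trust store.
advise() {
    case "$1" in
        0)        echo "chain-trusted" ;;
        19|20|21) echo "issuer-not-trusted" ;;
        *)        echo "other-verify-error" ;;
    esac
}

# Live check: probe HOST [PROXY_HOST:PORT]
probe() {
    local host=$1 proxy=${2:-}
    openssl s_client -connect "$host:443" -servername "$host" \
        ${proxy:+-proxy "$proxy"} </dev/null 2>/dev/null | summarize_handshake
}

# Constructed sample of s_client output as seen behind an inspection proxy.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=CN = dl.fedoraproject.org
issuer=CN = Example Corp Inspection CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# With arguments, probe the live host; without, parse the constructed sample.
if [ $# -gt 0 ]; then result=$(probe "$@"); else result=$(sample_output | summarize_handshake); fi
code=$(printf '%s' "$result" | cut -d'|' -f2)
echo "$result -> $(advise "$code")"
```

    If the reported issuer is the organization's inspection proxy CA rather than the repository's public CA, the whitelisting or trusted-CA options in the Resolution section apply.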
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.