Cannot upgrade to Satellite 6.16 when using a CA with SHA1 as Signature Algorithm
Environment
- Red Hat Satellite 6.16
- Red Hat Enterprise Linux 8
Issue
- When upgrading to Satellite 6.16, the CA used to sign the certificates used by the Satellite API cannot use SHA1 as its Signature Algorithm. When such a CA is used, the error below is generated during satellite-installer execution:
Resolution
- To work around this issue, you will need new custom certificates signed by a CA that does not use SHA1. See How to setup Red Hat Satellite 6 with custom SSL certificates or renew existing? for details about how to deploy custom certificates on your Satellite.
- For default Katello certificate users, regenerate the CA certificates. See How to generate a new internal CA for my Satellite server.
For more KB articles/solutions related to Red Hat Satellite 6.x Installation/Upgrade/Update Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Installation/Upgrade/Update Issues.
Root Cause
puppet-agent-8.8.1 (used by satellite-installer) has a built-in curl binary that requires a digest algorithm stronger than SHA1. See Satellite 6.16 fails with CA signature digest algorithm too weak regardless of crypto-policy.
Diagnostic Steps
- Check if the katello-server-ca.pem file contains any CA signed with sha1:

    awk -v cmd='openssl x509 -noout -text 2> /dev/null' '/BEGIN/{close(cmd)};{print | cmd}' /root/ssl-build/katello-server-ca.crt | grep 'Signature Algorithm'
        Signature Algorithm: sha1WithRSAEncryption
        Signature Algorithm: sha1WithRSAEncryption   <==== see if any lines from the output contain sha1
- Default Katello certificate:

    openssl crl2pkcs7 -nocrl -certfile /etc/foreman-proxy/foreman_ssl_ca.pem | openssl pkcs7 -text -print_certs | egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|TLS|Signature Algorithm)'
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=satellite.example.com   <====
            Not Before: May 25 17:06:27 2016 GMT
            Not After : Jan 17 17:06:27 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=satellite.example.com
                CA:TRUE
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption   <====
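The two openssl/awk one-liners above depend on a working openssl binary and on reading its text output by eye. As an added example (not part of this Red Hat solution and not Satellite tooling), the script below performs the same check on any PEM CA bundle using only the Python standard library: it walks just enough of each certificate's DER encoding to read the outer signatureAlgorithm OID and flags the SHA-1 variants (RSA and ECDSA), so it generalizes the page's check beyond sha1WithRSAEncryption. The `fake_certificate` helper and `SAMPLE_BUNDLE` are constructed, certificate-shaped test data, not real certificates; the file path is whatever you pass on the command line (for example /root/ssl-build/katello-server-ca.crt from the page).

```python
"""Report certificates in a PEM bundle whose signature algorithm uses SHA-1.

Minimal DER walk, no third-party modules:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
  AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
"""
import base64
import re
import sys

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal text."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Extract the outer signatureAlgorithm OID from a DER-encoded certificate."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def scan_pem_bundle(pem_bytes):
    """Return [(index, oid, name, is_sha1)] for every certificate in the bundle."""
    results = []
    for i, m in enumerate(PEM_RE.finditer(pem_bytes)):
        der = base64.b64decode(b"".join(m.group(1).split()))
        oid = signature_algorithm_oid(der)
        results.append((i, oid, SIG_ALG_NAMES.get(oid, oid), oid in SHA1_OIDS))
    return results


def sha1_signed_indexes(pem_bytes):
    """Indexes of the certificates in the bundle that are signed with SHA-1."""
    return [r[0] for r in scan_pem_bundle(pem_bytes) if r[3]]


# --- constructed test data (hypothetical, certificate-shaped DER, not real certs) ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_certificate(sig_oid):
    """Empty tbsCertificate + real AlgorithmIdentifier + empty BIT STRING."""
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = to_pem(fake_certificate("1.2.840.113549.1.1.5")) + to_pem(fake_certificate("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for idx, _oid, name, weak in scan_pem_bundle(data):
        print(f"cert {idx}: Signature Algorithm: {name}{'   <==== SHA-1' if weak else ''}")
```

Run it as `python3 check_sha1_ca.py /root/ssl-build/katello-server-ca.crt`; any line flagged with `<==== SHA-1` is a CA that the curl bundled with puppet-agent will reject, and that chain must be reissued before the 6.16 upgrade. Without a path argument it scans the constructed sample bundle, which contains one SHA-1 and one SHA-256 entry.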
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.