Upgrade to Red Hat Satellite Capsule fails with message ERF12-9411 ProxyException Unable to fetch public key.

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Red Hat Satellite Capsule 6

Issue

  • Error communicating with the Capsule:

    https://capsule.example.com:9090/ssh

Resolution

No custom certificates in use:

  • Make sure the /root/ssl-build directory has not been deleted on the Satellite.

  • Verify that the Satellite and Capsule servers are on the same version.

  • Generate a new Capsule certificate on Red Hat Satellite as follows:

      [root@satellite ~]# capsule-certs-generate --foreman-proxy-fqdn capsule.example.com \
      --certs-tar capsule.example.com-certs.tar --certs-update-all
    
  • Copy the archive file to the Red Hat Satellite Capsule.

  • Re-run the satellite-installer on the Red Hat Satellite Capsule.

Custom certificates are used:

  • Custom certificates for Capsules must contain the Capsule's hostname. They can contain other aliases too, but the hostname is mandatory.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

For more KB articles/solutions related to Red Hat Satellite 6.x Installation/Upgrade/Update Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Installation/Upgrade/Update Issues.

Reach out to Red Hat Technical Support if any further assistance is required.

Root Cause

The problem is the certificate that was deployed on the Capsule: it does not contain the Capsule hostname, only an alias.

Diagnostic Steps

  • Check /var/log/foreman-installer/capsule.log. The Capsule upgrade reports an error while performing the custom SSL certificate update:

    https://satellite.example.com/api/v2/smart_proxies/7/refresh: Response: 500 Internal ... /foreman/production.log

  • The output of the command below does not show the correct Capsule DNS name:

    $ openssl x509 -noout -text -in etc/foreman-proxy/ssl_cert.pem |grep DNS
                DNS:capsule2.example2.com <============== THIS SHOULD BE capsule.example.com
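
An exact-match version of the check above, as an added example that is not part of the original Red Hat solution: it parses the `DNS:` entries from `openssl x509 -noout -text` output and fails unless the expected Capsule FQDN is one of them. The function names and the sample SAN text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: confirm that a certificate's subjectAltName lists the
# Capsule's own FQDN as an exact DNS entry, not only an alias.

# Read `openssl x509 -noout -text` output on stdin and print each
# subjectAltName DNS entry on its own line, lowercased.
san_dns_names() {
    grep 'DNS:' | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 only if the FQDN in $1 is an exact, case-insensitive match for
# one of the DNS entries read from stdin (substrings do not count).
san_has_host() {
    local want
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    san_dns_names | grep -Fxq -- "$want"
}

# Check the PEM certificate file in $1 against the expected FQDN in $2.
check_capsule_cert() {
    local cert="$1" fqdn="$2"
    if openssl x509 -noout -text -in "$cert" | san_has_host "$fqdn"; then
        echo "OK: $cert lists $fqdn in subjectAltName"
    else
        echo "MISMATCH: $cert does not list $fqdn in subjectAltName" >&2
        return 1
    fi
}

# Constructed samples: the faulty SAN from the diagnostic output above,
# and a corrected SAN that carries the hostname plus the alias.
SAMPLE_BAD='            X509v3 Subject Alternative Name:
                DNS:capsule2.example2.com'
SAMPLE_GOOD='            X509v3 Subject Alternative Name:
                DNS:capsule.example.com, DNS:capsule2.example2.com'

# Usage: ./check-san.sh /etc/foreman-proxy/ssl_cert.pem capsule.example.com
if [ "$#" -eq 2 ]; then
    check_capsule_cert "$1" "$2"
fi
```
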
    