hammer ping shows candlepin in FAIL status with error Message: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) on Red Hat Satellite

Solution Verified - Updated 14 Jan 2026

Environment

Red Hat Satellite 6

Issue

hammer ping fails with the below mentioned error:

# hammer ping
  database:
      Status:          ok
      Server Response: Duration: 0ms
  katello_agent:
      Status:          ok
      message:         0 Processed, 0 Failed
      Server Response: Duration: 0ms
  candlepin:
      Status:          FAIL
      Server Response: Message: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
  candlepin_auth:
      Status:          FAIL
      Server Response: Message: Katello::Errors::CandlepinNotRunning
  candlepin_events:
      Status:          FAIL
      message:         Not running
      Server Response: Duration: 1ms
  katello_events:
      Status:          ok
      message:         0 Processed, 0 Failed
      Server Response: Duration: 0ms
  pulp3:
      Status:          ok
      Server Response: Duration: 246ms
  pulp3_content:
      Status:          ok
      Server Response: Duration: 258ms
  foreman_tasks:
      Status:          ok
      Server Response: Duration: 3ms

Resolution

Take a backup/snapshot of the Red Hat Satellite server and run the below commands on the satellite cli.

# mv /root/ssl-build/localhost /root/ssl-build/localhost_old
# rm -f ~/candlepin_cert_bak/*
# mv /etc/candlepin/certs/truststore ~/candlepin_cert_bak/
# mv /etc/candlepin/certs/keystore  ~/candlepin_cert_bak/
# mv /etc/candlepin/certs/candlepin-ca.crt ~/candlepin_cert_bak/
# mv /etc/candlepin/certs/candlepin-ca.key ~/candlepin_cert_bak/
# rm -rf /etc/pki/katello/nssdb
# satellite-installer
# hammer ping

For more KB articles/solutions related to Red Hat Satellite 6.x Candlepin Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Candlepin Issues

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

The candlepin certificate got corrupted which is causing issues while running the hammer ping.

Diagnostic Steps

Verify hammer ping command output.

SBR

SysMgmt

Product(s)

Red Hat Satellite

Components

candlepin

Category

Configure

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.