Remote execution job fails with error "Failed to initialize: RuntimeError - The only applicable proxy capsule.example.com is down" in Red Hat satellite 6

Solution Verified - Updated 28 Apr 2025

Environment

Red Hat Satellite 6

Issue

Executing any remote job using Red Hat Satellite 6 fails with the following error:

"Failed to initialize: RuntimeError - The only applicable proxy capsule.example.com is down"

Resolution

Refer to the Diagnostic steps section to verify whether the custom SSL certificate has expired.
```
-  Renew the custom SSL certificate in the `Red Hat Satellite 6`  if it is expired,
```

by following the steps outlined in the article How to setup Red Hat Satellite 6 with custom SSL certificates or renew existing?

  -  If the remote execution job fails after renewing or updating the custom SSL certificate, refer to the article [Remote job execution fails after updating Custom SSL certificate on External Red Hat Satellite Capsule server](https://access.redhat.com/solutions/6312411).

Reach out to the This content is not included.Red Hat Technical Support , if any further assistance is required.
For more KB articles/solutions related to Red Hat Satellite 6.x Remote Execution Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Remote Execution Issues

Root Cause

The custom SSL server certificate in Red Hat Satellite 6 has expired.

Diagnostic Steps

The following error is observed in the /var/log/foreman/production.log file:

 ...
2025-02-25T10:31:29 [I|bac|0e297b8e] Task {label: , execution_plan_id: 5699999-000f-4444-88f0-b6d0559d2f9a} state changed: pending
2025-02-25T10:31:29 [I|bac|0e297b8e] Task {label: Actions::RemoteExecution::RunHostJob, id: b6c83d9a-d000-4444-a9ed-7f985d0aaaa, execution_plan_id:5699999-000f-4444-88f0-b6d0559d2f9a} state changed: planning
...
2025-02-25T10:31:29 [W|app|0e297b8e] Could not fetch task counts from capsule.example.com, skipped.
2025-02-25T10:31:29 [I|app|0e297b8e] Backtrace for 'Could not fetch task counts from capsule.example.com, skipped.' error (RestClient::SSLCertificateNotVerified): SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)  0e297b8e | /usr/share/gems/gems/rest-client-2.1.0/lib/restclient/request.rb:776:in `rescue in transmit'     
...
2025-02-25T10:31:29 [E|bac|0e297b8e] The only applicable proxy capsule.example.com is down (RuntimeError)

In this scenario, the custom SSL server certificate is expired as shown below:

 # openssl crl2pkcs7 -nocrl -certfile  /etc/foreman-proxy/ssl_cert.pem  | openssl pkcs7 -text -print_certs |egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After)'
Issuer: C=US, ST=North , O=Katello, OU=SomeOrgUnit, CN=capsule.example.com
        Not Before: Feb 23 08:39:11 2022 GMT
        Not After : Feb 22 08:39:11 2025 GMT         <<<== SSL certs expiry
    Subject: C=US, ST=North , O=FOREMAN, OU=SMART_PROXY, CN=capsule.example.com
            CA:FALSE
            Digital Signature, Key Encipherment
            DNS:capsule.example.com

To validate the expiry date of Apache and CA certificate the following commands can be used:

   #  openssl crl2pkcs7 -nocrl -certfile /etc/pki/katello/certs/katello-apache.crt  | openssl pkcs7 -text -print_certs |egrep '(Issuer:|Subjec|Not Before|Not After)'
        Issuer: C=US, ST=North , O=Katello, OU=SomeOrgUnit, CN=capsule.example.com
            Not Before: Feb 23 08:39:11 2022 GMT                 <<<== Start Date
            Not After : Feb 22 08:39:11 2025 GMT                 <<<== End Date
        Subject: C=US, ST=North , O=Katello, OU=SomeOrgUnit, CN=capsule.example.com
        Subject Public Key Info:
            X509v3 Subject Key Identifier: 
            X509v3 Subject Alternative Name: 

  # openssl crl2pkcs7 -nocrl -certfile  /etc/foreman-proxy/foreman_ssl_ca.pem  |  openssl pkcs7 -text -print_certs| egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After)'
        Issuer: C=US, ST=North , O=Katello, OU=SomeOrgUnit, CN=capsule.example.com
            Not Before: Feb 26 13:02:20 2018 GMT               <<<== Start Date              
            Not After : Feb 26 13:12:20 2028 GMT               <<<== End Date        
        Subject: C=US, ST=North , O=Katello, OU=SomeOrgUnit, CN=capsule.example.com
                CA:TRUE
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
                TLS Web Server Authentication, TLS Web Client Authentication

SBR

SysMgmt

Product(s)

Red Hat Satellite

Components

Category

Troubleshoot

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.