How can I update NSSDB certificate for Satellite 6?

I had to change the hostname and IP of Red Hat Satellite 6 (/etc/hosts and /etc/hostname), but when I execute the Katello Installer to update certificates, the NSSDB stops with the following error:

# katello-installer  --certs-update-all
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-apache for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-foreman-proxy for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-qpid-router-server for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-qpid-router-client for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-foreman-client for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-apache for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-qpid-client-cert for update
Marking certificate /root/ssl-build/satellite.cloud/gutterball-certs for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-puppet-client for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-qpid-broker for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud-parent-cert for update
Marking certificate /root/ssl-build/satellite.cloud/java-client for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud.mte-foreman-proxy for update
Marking certificate /root/ssl-build/satellite.cloud/satellite.cloud.mte-foreman-proxy-client for update
Marking certificate /root/ssl-build/katello-server-ca for update
 /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]: Failed to call refresh: certutil -A -d '/etc/pki/katello/nssdb' -n 'amqp-client' -t ',,' -a -i '/etc/pki/katello/certs/java-client.crt' returned 255 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]: certutil -A -d '/etc/pki/katello/nssdb' -n 'amqp-client' -t ',,' -a -i '/etc/pki/katello/certs/java-client.crt' returned 255 instead of one of [0]

Katello installer log:

# tail -n 1000 /var/log/katello-installer/katello-installer.log |grep ERROR
[ WARN 2016-02-09 02:42:33 main]  /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]/returns: certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
[ERROR 2016-02-09 02:42:33 main]  /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]: Failed to call refresh: certutil -A -d '/etc/pki/katello/nssdb' -n 'amqp-client' -t ',,' -a -i '/etc/pki/katello/certs/java-client.crt' returned 255 instead of one of [0]
[ERROR 2016-02-09 02:42:33 main]  /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]: certutil -A -d '/etc/pki/katello/nssdb' -n 'amqp-client' -t ',,' -a -i '/etc/pki/katello/certs/java-client.crt' returned 255 instead of one of [0]
[ERROR 2016-02-09 02:47:17 main] Repeating errors encountered during run:
[ERROR 2016-02-09 02:47:17 main]  /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]: Failed to call refresh: certutil -A -d '/etc/pki/katello/nssdb' -n 'amqp-client' -t ',,' -a -i '/etc/pki/katello/certs/java-client.crt' returned 255 instead of one of [0]
[ERROR 2016-02-09 02:47:17 main]  /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]: certutil -A -d '/etc/pki/katello/nssdb' -n 'amqp-client' -t ',,' -a -i '/etc/pki/katello/certs/java-client.crt' returned 255 instead of one of [0]

Could someone tell me how to update the NSSDB certificate correctly or fix it? I stopped all services and tried to run the installer again, but the error persisted.

Thanks.

Responses