Appendix C. Resolve Common Problems in Red Hat Update Infrastructure

The following table lists known issues with Red Hat Update Infrastructure 2.1.3. If you encounter any of these issues with Red Hat Update Infrastructure 3.0, report the problem through Bugzilla. See Troubleshooting Red Hat Update Infrastructure Issues for more details about common issues.

Table C.1. Common Problems in Red Hat Update Infrastructure


ISO Download/Red Hat Update Infrastructure Certificate

You cannot download the Red Hat Update Infrastructure ISO from the Customer Portal with the RHUI Certificate.

Verify that RHUI entitlements are in place and enabled in your Red Hat Network account.

Verify the credibility of the certificate being used to download the ISO.

Make sure the certificate is a RHUI consumer certificate; follow the instructions in the Installation Guide for creating the appropriate RHUI consumer content certificate.

Red Hat Update Infrastructure Certificate

You see an error message while uploading Entitlement certificate using rhui-manager.

See for more details.


You experience communication issues between the Red Hat Upate Appliance and the CDSs.

Verify the fully qualified domain name (FQDN) is set for the RHUA and CDS and is resolvable.

Configure the HTTP proxy properly as described in Bug 726420 – Quick note on proxy URL


You cannot synchronize repositories with Red Hat.

Verify the RHUI SKUs are in your account.

Verify the proper content certificates are loaded to the RHUA.

Look for temporary CDN issues.

Look for any HTTP proxy in your environment and make sure you are not hitting an error.

The RHUA cannot synchronize to CDSs, typically due to expired qpid certificates: See Knowledgebase solution "CDS sync fails with error "sslv3 alert certificate expired" because of expired qpid CA certificates on RHUI 2.X.""

Red Hat Update Appliance/Content Delivery Network Communication

The Red Hat Update Appliance is not communicating with the Content Delivery Network.

Use the content certificate in /etc/pki/rhui/redhat (the .pem file) to test connectivity and access between the RHUA and the CDN.

# cd /etc/pki/rhui/redhatwget --certificate=8a85f98146a087b80146afacb3362499.pem --ca-certificate=/etc/rhsm/ca/redhat-uep.pem

Note from the curl (1) man page: If the NSS PEM PKCS#11 module ( is available, then PEM files may be loaded. If you want to use a file from the current directory, precede it with "./" prefix to avoid confusion with a nickname.

On each CDS, the entitlement certificate in /etc/pki/pulp/content can be used to test the availability of the RHUA content using # curl --cert ./rhui-ec2-20120619.pem.

The URL for the repositories hosted on the RHUA always start with https://fqdn/pulp/repos. You can divulge the remaining URL by: -Looking at the file path on the RHUA under /var/lib/pulp/repos -Examining the content certificate directly using openssl commands because the OIDs ending in 1.6 contain the path

Client/Content Delivery Server Communication

curl can be used to verify client communications with the content delivery server nodes as well.

# curl --cert /etc/pki/entitlement/product/content.crt --key /etc/pki/entitlement/key.pem https://ip-10-4-58-34.ec2.internal/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64 /rhui/2.1/os/repodata/repomd.xml -k <?xml version="1.0" encoding="UTF-8"?> <repomd xmlns="" xmlns:rpm=""> <revision>1339940325</revision> <data type="other_db"> <location href="repodata/4f86b0ae203bba90d22a8363120c66ed6f37da81-other.sqlite.bz2"/> <checksum type="sha">4f86b0ae203bba90d22a8363120c66ed6f37da81</checksum> <timestamp>1339940328.43</timestamp>

Content Delivery Server Synchronization

The CDS synchronization fails with SSL errors because of expired Qpid certificates

CDS sync fails with error "sslv3 alert certificate expired" due to expired qpid CA certificates on RHUI.

Client/HAProxy communication

All HAProxy nodes are down. Clients have lost access to RHUI repositories.

Add and configure at least one new HAProxy node. If you cannot do so for whatever reason, temporarily change the DNS configuration so that the main load balancer host name ( in this guide) resolves to the IP address of one of your CDS nodes. This will allow the clients to avoid the unavailable HAProxy nodes and communicate with the CDS directly.

Report a bug