Why does satellite-sync, rhn-register or yum fail with "Error: The SSL certificate failed verification"?


Environment

  • Red Hat Enterprise Linux (RHEL) 5
  • Red Hat Satellite

Issue

  • yum update fails with Error: The SSL certificate failed verification.
# yum check-update
Loaded plugins: rhnplugin, security
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
:
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The SSL certificate failed verification.
  • satellite-sync fails with "The SSL certificate /usr/share/rhn/RHNS-CA-CERT failed verification".

  • satellite-sync fails with:

Error message: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

Resolution

  • Reinstall the rhn-client-tools package from the installation DVD (under the Packages folder) or download it from Red Hat Network.

  • Check certificate validity

grep -C 2 Validity /usr/share/rhn/RHNS-CA-CERT
  • Disable Location Aware Update or add the following 5 URLs to the firewall settings:
    xmlrpc.rhn.redhat.com
    rhn.redhat.com
    content-xmlrpc.rhn.redhat.com
    content-web.rhn.redhat.com
    content-satellite.rhn.redhat.com
  • For hosts migrated from RHN to RHSM, make sure the plugin is disabled in /etc/yum/pluginconf.d/rhnplugin.conf:
[root@localhost pluginconf.d]# vim rhnplugin.conf
[main]
enabled = 0
gpgcheck = 1

Refer to the article for more details on a successful and complete migration.

Root Cause

  • The existing rhn-client-tools package is corrupted.
  • There was a firewall between the client and the server, and the following 5 URLs were not added to the firewall settings:
xmlrpc.rhn.redhat.com
rhn.redhat.com
content-xmlrpc.rhn.redhat.com
content-web.rhn.redhat.com
content-satellite.rhn.redhat.com

Diagnostic Steps

  • Verify that the date and time of the system are correct.

  • If the system uses an HTTP proxy, verify the proxy settings (enableProxy= and httpProxy=) in the
    /etc/sysconfig/rhn/up2date file.

  • Edit the up2date file to turn HTTPS off:

# vi /etc/sysconfig/rhn/up2date
Add 'useNoSSLForPackages=1'
Add 'noSSLServerURL[comment]=Remote server URL'
Add 'noSSLServerURL=http://xmlrpc.rhn.redhat.com/XMLRPC'
Save the file and check whether it helps to resolve the issue.
  • Result: the "certificate verify failed" error still occurs:
  Error Downloading Packages:
  elfutils-devel-0.137-3.el5.x86_64: certificate verify failed
  nss-devel-3.12.10-7.el5_7.x86_64: certificate verify failed
  libselinux-devel-1.33.4-5.7.el5.x86_64: certificate verify failed
  :
  :
  • The CA certificate file has the right permissions, as shown below, and can be read by programs:
  #  ll /usr/share/rhn/RHNS-CA-CERT 
     -rw-r--r-- 1 root root 8865 Mar 24  2010 /usr/share/rhn/RHNS-CA-CERT
  • Check for network issues. Check whether telnet is installed with `rpm -qa | grep telnet`.
    If telnet is not installed, install the package using yum.
# yum install telnet -y

   # telnet xmlrpc.rhn.redhat.com 443
   Trying 209.132.183.44...
   Connected to xmlrpc.rhn.redhat.com
  • Test the connection by re-registering the system while running the traceroute command in another terminal.
    Result: Unable to register the system if SSL is on
    System successfully tracerouted to redhat.com

  • Reinstall the rhn-client-tools package.

# rpm -Uvh --test rhn-check-0.4.20.1-6.el5.noarch.rpm rhn-setup-0.4.20.1-6.el5.noarch.rpm rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm rhn-client-tools-0.4.20.1-6.el5.noarch.rpm yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpm
Preparing...                ########################################### [100%]

# rpm -Uvh rhn-check-0.4.20.1-6.el5.noarch.rpm rhn-setup-0.4.20.1-6.el5.noarch.rpm rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm rhn-client-tools-0.4.20.1-6.el5.noarch.rpm yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpm
Preparing...                ########################################### [100%]
   1:rhn-client-tools       ########################################### [ 20%]
   2:rhn-setup              ########################################### [ 40%]
   3:yum-rhn-plugin         warning: /etc/yum/pluginconf.d/rhnplugin.conf created as /etc/yum/pluginconf.d/rhnplugin.conf.rpmnew
########################################### [ 60%]
   4:rhn-check              ########################################### [ 80%]
   5:rhn-setup-gnome        ########################################### [100%]
  • Check the date of /usr/share/rhn/RHNS-CA-CERT
# ls -la /usr/share/rhn/RHNS-CA-CERT
-rw-r--r-- 1 root root 8865 May  6  2013 /usr/share/rhn/RHNS-CA-CERT
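
The certificate validity check from the Resolution and the system clock check from the Diagnostic Steps can be combined into one test. The script below is an added example, not part of the original article: it reads the `Not Before` / `Not After` lines that `grep -C 2 Validity` displays and compares each window with a reference time. The function names and the sample dates are constructed, and GNU `date` is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): classify every validity
# window in a CA file's text dump. Assumes GNU date for timestamp parsing.

# Constructed sample input (not the real RHNS-CA-CERT contents).
sample_validity_text() {
    cat <<'EOF'
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jan  1 00:00:00 2010 GMT
        Validity
            Not Before: Jan  1 00:00:00 2005 GMT
            Not After : Jan  1 00:00:00 2030 GMT
EOF
}

# check_validity [NOW_EPOCH] < cert-file   (NOW defaults to the system clock)
# Prints one status line per certificate. Exit status: 0 if NOW lies inside
# every window, 1 if any window is expired / not yet valid, 2 if none found.
check_validity() (
    now=${1:-$(date +%s)}
    rc=2 nb=
    while IFS= read -r line; do
        case $line in
            *"Not Before:"*) nb=${line#*"Not Before: "} ;;
            *"Not After :"*)
                na=${line#*"Not After : "}
                [ "$rc" -ne 2 ] || rc=0
                [ -n "$nb" ] && nb_s=$(date -u -d "$nb" +%s 2>/dev/null) &&
                na_s=$(date -u -d "$na" +%s 2>/dev/null) || {
                    echo "UNPARSEABLE    $nb -> $na"; rc=1; nb=; continue; }
                if [ "$now" -lt "$nb_s" ]; then
                    # Typical when the system clock is set in the past.
                    echo "NOT_YET_VALID  $nb -> $na"; rc=1
                elif [ "$now" -gt "$na_s" ]; then
                    echo "EXPIRED        $nb -> $na"; rc=1
                else
                    echo "OK             $nb -> $na"
                fi
                nb= ;;
        esac
    done
    exit "$rc"
)

# Real use: check_validity < /usr/share/rhn/RHNS-CA-CERT
sample_validity_text | check_validity 1300000000 || echo "exit status: $?"
```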
