Systems running RHEL 5 report the following error when using yum or trying to register the system with RHN:
"The certificate is expired. Please ensure you have the correct certificate and your system time is correct."
The cron job for rhn-virtualization-host is generating the following message all of a sudden:
Traceback (most recent call last):
  File "/usr/share/rhn/virtualization/poller.py", line 308, in ?
    _send_notifications(cached_state)
  File "/usr/share/rhn/virtualization/poller.py", line 251, in _send_notifications
    plan.execute()
  File "/usr/share/rhn/virtualization/notification.py", line 76, in execute
    server.registration.virt_notify(systemid, self.__items)
  File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
    raise up2dateErrors.SSLCertificateVerifyFailedError()
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The certificate is expired. Please ensure you have the correct certificate and your system time is correct.
rhn_check fails with an error similar to:
# rhn_check
ERROR: SSL errors detected [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
"ssl certificate failed verification" messages started to appear in the log every 2 seconds
Cannot install or update via yum, with error like the following:
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 157, in main
    base.getOptionsConfig(args)
  File "/usr/share/yum-cli/cli.py", line 187, in getOptionsConfig
    self.conf
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 664, in <lambda>
    conf = property(fget=lambda self: self._getConfig(),
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 253, in _getConfig
    self.plugins.run('init')
  File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 179, in run
    func(conduitcls(self, self.base, conf, **kwargs))
  File "/usr/lib/yum-plugins/rhnplugin.py", line 111, in init_hook
    login_info = up2dateAuth.getLoginInfo()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 217, in getLoginInfo
    login()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 184, in login
    li = server.up2date.login(systemId)
  File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
    raise up2dateErrors.SSLCertificateVerifyFailedError()
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The certificate is expired. Please ensure you have the correct certificate and your system time is correct.
rhn_register fails with the error:
- Red Hat Enterprise Linux (RHEL) 5.4 or earlier
- Red Hat Network (RHN) Classic
- rhn-client-tools of a version prior to 0.4.19-17.el5_3.1 (RHEL5.3 Advanced mission critical only)
- rhn-client-tools of a version prior to 0.4.20-33.el5 (RHEL5)
- up2date of a version prior to 4.9.1-30.el4 (RHEL4)
- up2date of a version prior to 4.5.5-18.el3 (RHEL3)
The latest CA certificate is provided by the rhn-client-tools package. The package can be updated either by manual download and rpm install or with yum.
Note: You can check to see if rhn-client-tools is installed and what version is installed with:
rpm -q rhn-client-tools
Several ways to install a package
Manual download and install:
Choose from one of the following bullet points and then download all of the packages appropriate to the architecture for the system in question
- Red Hat Enterprise Linux 5: new CA certificate first provided by RHBA-2010:0270 (as part of 5.5 Update release)
- Red Hat Enterprise Linux 5.3 Advanced Mission Critical: new CA certificate provided by RHEA-2010:0830
- Red Hat Enterprise Linux 4: new CA certificate provided by RHEA-2012:0098
- Red Hat Enterprise Linux 3 Extended Life Cycle Support: new CA certificate provided by RHEA-2011:1365
Transfer the downloaded packages to the affected system
As root, navigate to the directory containing the packages and install them using a command like the following:
Red Hat Enterprise Linux 4:
# rpm -Uvh up2date*.rpm
Red Hat Enterprise Linux 5:
# rpm -Uvh rhn*.rpm
Note the dependencies, possibly something like:
hal-0.5.8.1-64.el5.i386.rpm
hal-devel-0.5.8.1-64.el5.i386.rpm
m2crypto-0.16-9.el5.i386.rpm
pm-utils-0.99.3-14.el5.i386.rpm
python-dmidecode-3.10.13-1.el5_5.1.i386.rpm
python-iniparse-0.2.3-6.el5.noarch.rpm
rhn-check-0.4.20.1-6.el5.noarch.rpm
rhn-client-tools-0.4.20.1-6.el5.noarch.rpm
rhnlib-188.8.131.52-6.el5.noarch.rpm
rhn-setup-0.4.20.1-6.el5.noarch.rpm
rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm
yum-3.2.22-40.el5.noarch.rpm
yum-metadata-parser-1.1.2-4.el5.i386.rpm
yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpm
yum-updatesd-0.9-5.el5.noarch.rpm
If you encounter too many dependency errors and do not want to use the yum technique, which applies the updates without using SSL, you can use installation media of at least 5.5 or 4.9 as a source by applying the technique in article 329673.
However, if the server must be re-registered to RHN (e.g. if it was never registered), you will need said package, else rhn_register will fail. You can fetch the package directly from the RHN "Package Search". Make sure you download the appropriate package for your architecture.
Installation with yum:
Run the following command as the root user in order to temporarily disable SSL for communication with RHN (making it possible to update the packages via http)
This will only work with RHN Classic. If you use RHSM, use another technique or re-register the system against RHN Classic.
Note: Use of this approach might violate your company security policies
# sed -i 's/serverURL=https/serverURL=http/g' /etc/sysconfig/rhn/up2date
You also need to disable location aware updates
If system is not already registered, register with:
# rhnreg_ks --username=<username> --password=<password>
Update the relevant packages, i.e.:
# yum update "rhn*"
Run the following command as the root user in order to re-enable SSL:
# sed -i 's|serverURL=http://|serverURL=https://|g' /etc/sysconfig/rhn/up2date
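The temporary http switch described above, wrapped so that https is always restored and confirmed afterwards. This is an added example, not part of the original article; the function names and the UP2DATE_CONF override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): run one command with the
# RHN serverURL on http, then put it back on https and verify the result.
# UP2DATE_CONF is an assumed override so the logic can be tried on a copy.
UP2DATE_CONF="${UP2DATE_CONF:-/etc/sysconfig/rhn/up2date}"

# Print the scheme (http or https) of the active serverURL= line.
# The "serverURL[comment]=" line in the file does not match the pattern.
rhn_scheme() {
    sed -n 's|^serverURL=\([a-z]*\)://.*|\1|p' "$1" | head -n 1
}

# Idempotent rewrites: matching on "://" means a second run cannot
# turn "https" into "httpss".
rhn_use_http()  { sed -i 's|^serverURL=https://|serverURL=http://|' "$1"; }
rhn_use_https() { sed -i 's|^serverURL=http://|serverURL=https://|' "$1"; }

# with_rhn_http FILE COMMAND [ARGS...]
# Returns COMMAND's exit status, 2 if the rollback copy could not be
# written, 3 if the file is not back on https at the end.
with_rhn_http() {
    conf="$1"; shift
    cp -p "$conf" "$conf.pre-http" || return 2      # rollback copy
    trap 'rhn_use_https "$conf"; exit 130' INT TERM # restore on Ctrl-C
    rhn_use_http "$conf"
    rc=0
    "$@" || rc=$?                                   # safe under "set -e"
    rhn_use_https "$conf"
    trap - INT TERM
    if [ "$(rhn_scheme "$conf")" != "https" ]; then
        echo "WARNING: $conf is not back on https" >&2
        return 3
    fi
    return "$rc"
}

# On an affected host, as root:
#   with_rhn_http "$UP2DATE_CONF" yum update "rhn*"
```
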
Installation via Install Disk
Acquire packages and dependencies from RHEL 5.8 DVD
Install them locally using the following command:
# yum localinstall --noplugins /path/to/packages
Once installed, perform updates
# yum update
Once the rhn-client-tools package has been updated, verify that the error is resolved, e.g.:
- yum check-update [RHEL 5]
- up2date [RHEL 4 or earlier]
- yum repolist
If you are still experiencing issues with SSL Certificate errors when using yum, please disable Location-Aware updates.
The old Red Hat Network (RHN Classic) CA certificate expires in August 2013
A new SSL CA certificate is in effect on RHN Classic
Systems that did not previously apply the errata updates containing the new CA certificate will fail to connect after August 12, 2013 until the updated certificate is installed
rhn-client-tools is not installed
Confirm that the time set on the server and the timezone it is configured to use are correct with
If not, fix the date and try again before repeating the diagnostic steps.
Check the installed version of rhn-client-tools or up2date:
# rpm -q rhn-client-tools up2date
The installed version of rhn-client-tools (or up2date) should be at least:
- rhn-client-tools-0.4.19-17.el5_3.1 if using RHEL5.3 Advanced Mission Critical
- rhn-client-tools-0.4.20-33.el5 if using RHEL5
- up2date-4.9.1-30.el4 if using RHEL4
- up2date-4.5.5-18.el3 if using RHEL3
If not, apply the resolution part of this article.
Check that the certificate is as provided by the rpm:
# rpm -V rhn-client-tools up2date
If the file /usr/share/rhn/RHNS-CA-CERT shows in the output, it has been altered and you should reinstall the rpm up2date to fix the problem (see kbase 183083).
Perform a connection test:
At this point you are using the correct certificate to communicate with RHN, so the problem is with the communication with RHN.
# curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v
# curl https://xmlrpc.rhn.redhat.com/XMLRPC -v -k
If you are behind a proxy with no authentication:
# curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x squid.redhat.com:3128
# curl https://xmlrpc.rhn.redhat.com/XMLRPC -k -v -x squid.redhat.com:3128
Or if your proxy requires authentication:
# curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x squid.redhat.com:3128 -u USER:PASSWORD
# curl https://xmlrpc.rhn.redhat.com/XMLRPC -k -v -x squid.redhat.com:3128 -u USER:PASSWORD
Replace the proxy server, port, user and password with the right values for your environment, if required.
The output will display diagnostic information that can be used to determine the cause of the problem (the whole output is important).
The output of a successful connection without using -k should be:
# curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x squid.redhat.com:3128
* About to connect() to proxy squid.redhat.com port 3128
* Trying 10.11.5.7... connected
* Connected to squid.redhat.com (10.11.5.7) port 3128
* Establish HTTP proxy tunnel to xmlrpc.rhn.redhat.com:443
> CONNECT xmlrpc.rhn.redhat.com:443 HTTP/1.0
> Host: xmlrpc.rhn.redhat.com:443
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Proxy-Connection: Keep-Alive
< HTTP/1.0 200 Connection established
* Proxy replied OK to CONNECT request