System connection to RHN fails with "The certificate is expired" or "certificate verify failed" errors

Updated 2014-04-17T13:08:20+00:00

Issue

  • Systems running RHEL 5 report the following error when using yum or trying to register the system with RHN:

    "The certificate is expired. Please ensure you have the correct certificate and your system time is correct."
    
  • The cron job for rhn-virtualization-host is generating the following message all of a sudden:

    Traceback (most recent call last):
      File "/usr/share/rhn/virtualization/poller.py", line 308, in ?
        _send_notifications(cached_state)
      File "/usr/share/rhn/virtualization/poller.py", line 251, in _send_notifications
        plan.execute()
      File "/usr/share/rhn/virtualization/notification.py", line 76, in execute
        server.registration.virt_notify(systemid, self.__items)
      File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
        raise up2dateErrors.SSLCertificateVerifyFailedError()
    up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The certificate is expired. Please ensure you have the correct certificate and your system time is correct.
    
  • rhn_check fails with error similar to:

    # rhn_check
    ERROR: SSL errors detected
    [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
    
  • "ssl certificate failed verification" messages started to appear in the log every 2 seconds

  • Cannot install or update via yum, with error like the following:

    Traceback (most recent call last):
      File "/usr/bin/yum", line 29, in ?
        yummain.user_main(sys.argv[1:], exit_code=True)
      File "/usr/share/yum-cli/yummain.py", line 309, in user_main
        errcode = main(args)
      File "/usr/share/yum-cli/yummain.py", line 157, in main
        base.getOptionsConfig(args)
      File "/usr/share/yum-cli/cli.py", line 187, in getOptionsConfig
        self.conf
      File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 664, in <lambda>
        conf = property(fget=lambda self: self._getConfig(),
      File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 253, in _getConfig
        self.plugins.run('init')
      File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 179, in run
        func(conduitcls(self, self.base, conf, **kwargs))
      File "/usr/lib/yum-plugins/rhnplugin.py", line 111, in init_hook
        login_info = up2dateAuth.getLoginInfo()
      File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 217, in getLoginInfo
        login()
      File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 184, in login
        li = server.up2date.login(systemId)
      File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
        raise up2dateErrors.SSLCertificateVerifyFailedError()
    up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The certificate is expired. Please ensure you have the correct certificate and your system time is correct.
    
  • rhn_register fails with the error : "/usr/share/rhn/rhns-ca-cert expired"

Environment

  • Red Hat Enterprise Linux (RHEL) 5.4 or earlier
  • Red Hat Network (RHN) Classic
  • rhn-client-tools of a version prior to 0.4.19-17.el5_3.1 (RHEL 5.3 Advanced Mission Critical only)
  • rhn-client-tools of a version prior to 0.4.20-33.el5 (RHEL5)
  • up2date of a version prior to 4.9.1-30.el4 (RHEL4)
  • up2date of a version prior to 4.5.5-18.el3 (RHEL3)

Resolution

The latest CA certificate is provided by the rhn-client-tools package. Installing it can be done by manual download and rpm install, or with yum.

Note: You can check to see if rhn-client-tools is installed and what version is installed with: rpm -q rhn-client-tools

Several ways to install a package

Manual download and install:

  1. Choose the matching entry from the following list and download all of the packages appropriate to the architecture of the system in question:

    • Red Hat Enterprise Linux 5: new CA certificate first provided by RHBA-2010:0270 (as part of 5.5 Update release)
    • Red Hat Enterprise Linux 5.3 Advanced Mission Critical: new CA certificate provided by RHEA-2010:0830
    • Red Hat Enterprise Linux 4: new CA certificate provided by RHEA-2012:0098
    • Red Hat Enterprise Linux 3 Extended Life Cycle Support: new CA certificate provided by RHEA-2011:1365
  2. Transfer the downloaded packages to the affected system

    As root, navigate to the directory containing the packages and install them using a command like the following:

    Red Hat Enterprise Linux 4:

    # rpm -Uvh up2date*.rpm
    

    Red Hat Enterprise Linux 5:

    # rpm -Uvh rhn*.rpm
    

    Note the dependencies, possibly something like:

    hal-0.5.8.1-64.el5.i386.rpm
    hal-devel-0.5.8.1-64.el5.i386.rpm
    m2crypto-0.16-9.el5.i386.rpm
    pm-utils-0.99.3-14.el5.i386.rpm
    python-dmidecode-3.10.13-1.el5_5.1.i386.rpm
    python-iniparse-0.2.3-6.el5.noarch.rpm
    rhn-check-0.4.20.1-6.el5.noarch.rpm
    rhn-client-tools-0.4.20.1-6.el5.noarch.rpm
    rhnlib-2.5.22.1-6.el5.noarch.rpm
    rhn-setup-0.4.20.1-6.el5.noarch.rpm
    rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm
    yum-3.2.22-40.el5.noarch.rpm
    yum-metadata-parser-1.1.2-4.el5.i386.rpm
    yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpm
    yum-updatesd-0.9-5.el5.noarch.rpm
    

    If you encounter too many dependency errors, you can use installation media of at least 5.5 (or 4.9 for RHEL 4) as a package source by applying the technique from article 329673, if you don't want to use the yum technique below, which applies the updates without SSL.

    However, if the server must be (re-)registered to RHN (e.g. if it was never registered), you will need the updated rhn-client-tools package, otherwise rhn_register will fail. You can fetch the package directly from the RHN "Package Search". Make sure you download the appropriate package for your architecture.

Installation with yum:

  1. Run the following command as the root user in order to temporarily disable SSL for communication with RHN (making it possible to update the packages via plain http).
    This will only work with RHN Classic; if you use RHSM, use another technique or re-register the system against RHN Classic.
    Note: Use of this approach might violate your company's security policies.

    # sed -i 's/serverURL=https/serverURL=http/g' /etc/sysconfig/rhn/up2date
    

    You also need to disable Location-Aware updates.

  2. If the system is not already registered, register with:

    # rhnreg_ks --username=<username> --password=<password>
    

    or

    # rhn_register
    
  3. Update the relevant packages, for example:

    # yum update "rhn*"
    
  4. Run the following command as the root user in order to re-enable SSL:

    # sed -i 's/serverURL=http/serverURL=https/g' /etc/sysconfig/rhn/up2date
    

Installation via Install Disk

  1. Acquire the packages and their dependencies from the RHEL 5.8 DVD

  2. Install them locally using the following command:

    # yum localinstall --noplugins /path/to/packages
    
  3. Once installed, perform the updates:

    # yum update
    

Comments

  • Once the rhn-client-tools package has been updated, verify that the error is resolved, e.g.:

    • yum check-update [RHEL 5]
    • up2date [RHEL 4 or earlier]
    • rhn_check
    • yum repolist
  • If you are still experiencing issues with SSL Certificate errors when using yum please disable Location-Aware updates.

Root Cause

  • The old Red Hat Network (RHN Classic) CA certificate expires in August 2013

  • A new SSL CA certificate is in effect on RHN Classic

  • Systems that did not previously apply the errata updates containing the new CA certificate will fail to connect after August 12, 2013 until the updated certificate is installed

  • rhn-client-tools is not installed
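The Diagnostic Steps that follow are run by hand. As an added example (not part of this article), the script below automates steps 1 to 3: it prints the clock, tests the CA file for expiry with openssl, compares the installed rhn-client-tools version against the minimum the article names, and checks with rpm -V that the CA file is unmodified. It assumes POSIX sh, awk and openssl; the CA path and minimum versions are those the article gives, and the version ordering is a simplified rpm-style comparison (version decided before release).

```shell
#!/bin/sh
# Added helper, not part of the Red Hat article: runs Diagnostic Steps 1-3 (clock,
# client package version, CA file expiry and integrity) before the curl test.
# Assumes POSIX sh, awk and openssl; rpm is only called when present on the host.
CA_CERT="${CA_CERT:-/usr/share/rhn/RHNS-CA-CERT}"
MIN_VERSION="${MIN_VERSION:-0.4.20-33.el5}"   # 0.4.19-17.el5_3.1 on RHEL 5.3 AMC
# version_at_least INSTALLED REQUIRED, both as VERSION-RELEASE (e.g. 0.4.20-33.el5).
# Simplified rpm-style ordering: VERSION decides before RELEASE; segments split on
# . and _ compare numerically when both are numbers, otherwise as strings.
version_at_least() {
    awk -v a="$1" -v b="$2" '
    function cmp(s, t,    x, y, n, m, i, p, q) {
        n = split(s, x, /[._]/); m = split(t, y, /[._]/)
        for (i = 1; i <= n || i <= m; i++) {
            p = (i <= n) ? x[i] : ""; q = (i <= m) ? y[i] : ""
            if (p == q) continue
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) return (p + 0 < q + 0) ? -1 : 1
            return (p < q) ? -1 : 1
        }
        return 0
    }
    BEGIN { split(a, av, "-"); split(b, bv, "-")
            r = cmp(av[1], bv[1]); if (r == 0) r = cmp(av[2], bv[2])
            exit (r < 0) }'   # exit status 0 means INSTALLED >= REQUIRED
}
# cert_expires_within FILE SECONDS: 0 if the certificate expires within SECONDS
# (0 = already expired, the condition behind "The certificate is expired"),
# 1 if it stays valid beyond that window, 2 if FILE is unreadable.
cert_expires_within() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1 && return 1
    return 0
}
rhn_cert_diag() {
    echo "Step 1, system clock: $(date)   (a wrong clock also produces this error)"
    if [ ! -r "$CA_CERT" ]; then echo "FAIL: $CA_CERT is missing"
    elif cert_expires_within "$CA_CERT" 0; then
        echo "FAIL: $CA_CERT expired: $(openssl x509 -in "$CA_CERT" -noout -enddate)"
    else echo "OK:   $CA_CERT $(openssl x509 -in "$CA_CERT" -noout -enddate)"; fi
    command -v rpm >/dev/null 2>&1 || return 0
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' rhn-client-tools 2>/dev/null) || inst=""
    if [ -z "$inst" ]; then echo "FAIL: rhn-client-tools is not installed"
    elif version_at_least "$inst" "$MIN_VERSION"; then echo "OK:   rhn-client-tools $inst"
    else echo "FAIL: rhn-client-tools $inst is older than $MIN_VERSION, apply the Resolution"; fi
    # Step 3: rpm -V lists only files that differ from the packaged contents
    if rpm -V rhn-client-tools 2>/dev/null | grep -q RHNS-CA-CERT; then
        echo "FAIL: $CA_CERT altered or missing, reinstall rhn-client-tools"; fi
}
case "${1:-}" in --run) rhn_cert_diag ;; esac
```

Run it as `sh rhn_cert_diag.sh --run` on the affected host; any FAIL line points at the Resolution section, and only when everything reports OK does the curl connection test in step 4 become the next thing to look at.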

Diagnostic Steps

  1. Confirm that the time set on the server and the timezone it is configured to use are correct with:

    # date
    

    If not, fix the date and retry before repeating the diagnostic steps.

  2. Check the installed version of rhn-client-tools or up2date:

    # rpm -q rhn-client-tools up2date
    

    The installed version should be at least:

    • rhn-client-tools-0.4.19-17.el5_3.1 if using RHEL 5.3 Advanced Mission Critical
    • rhn-client-tools-0.4.20-33.el5 if using RHEL5
    • up2date-4.9.1-30.el4 if using RHEL4
    • up2date-4.5.5-18.el3 if using RHEL3

    If not, apply the Resolution section of this article.

  3. Check that the certificate is the one provided by the rpm:

    # rpm -V rhn-client-tools up2date
    

    If the file /usr/share/rhn/RHNS-CA-CERT appears in the output, it has been altered and you should reinstall the rhn-client-tools or up2date rpm to fix the problem (see kbase 183083).

  4. Perform a connection test:

    At this point you are using the correct certificate to communicate with RHN, so the problem lies in the communication with RHN itself.

    # curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v
    # curl https://xmlrpc.rhn.redhat.com/XMLRPC -v -k
    

    If you are behind a proxy with no authentication:

    # curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x squid.redhat.com:3128
    # curl https://xmlrpc.rhn.redhat.com/XMLRPC -k -v -x squid.redhat.com:3128
    

    Or if your proxy requires authentication:

    # curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x squid.redhat.com:3128 -u USER:PASSWORD
    # curl https://xmlrpc.rhn.redhat.com/XMLRPC -k -v -x squid.redhat.com:3128 -u USER:PASSWORD
    

    Replace the proxy server and port, user and password with the right values for your environment, where required.
    The output will display diagnostic information that can be used to determine the cause of the problem (the whole output is important).

    The output of a successful connection without using -k should look like this:

    ~~~

    curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x squid.redhat.com:3128

    * About to connect() to proxy squid.redhat.com port 3128
    *   Trying 10.11.5.7... connected
    * Connected to squid.redhat.com (10.11.5.7) port 3128
    * Establish HTTP proxy tunnel to xmlrpc.rhn.redhat.com:443
    > CONNECT xmlrpc.rhn.redhat.com:443 HTTP/1.0
    > Host: xmlrpc.rhn.redhat.com:443
    > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.0 200 Connection established
    <
    * Proxy replied OK to CONNECT request