How to troubleshoot subscription-manager and yum issues

Solution Verified - Updated -


  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.8 and later
  • Red Hat Subscription Manager (RHSM)


  • The following steps can be used for basic troubleshooting on subscription-manager and yum issues. In general, this can help solve many errors.
  • Let's troubleshoot this error for example:

    # yum check-update
    Loaded plugins: downloadonly, product-id, subscription-manager
    Updating certificate-based repositories. [Errno 14] problem making ssl connection
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel-6-server-cf-tools-1-rpms. Please verify its path and try again


  • Check if a proxy (or anything between the server and Red Hat) is not changing the SSL certificate. Sometimes proxies are configured to resign SSL communication (similar to man-in-the-middle attack).
  • Crosscheck if UUID of system matches on the Customer Portal:

    1. Get the UUID from the system:

      # openssl x509 -in /etc/pki/consumer/cert.pem -noout -text| grep 'Subject: CN'
    2. Check the system's UUID on the Customer Portal: Go to --> Subscriptions --> Systems (under the subheading Subscriber Inventory) or open: Then enter the system's UUID in the filter box to see if it matches.
    3. If the UUID does not match, refresh the subscription data from system:

      # subscription-manager refresh
      # subscription-manager attach --auto


      # subscription-manager attach --pool=POOLID
  • When using a http proxy with RHSM, the proxy settings need to be put in /etc/rhsm/rhsm.conf (and not /etc/yum.conf).

  • Check if a system is using standard curl package from Red Hat.

Additional information: RHSM Subscription Issues Troubleshooting Do's and Don'ts

Root Cause

The communication is not properly established with the correct certificates:

# curl -v --proxy-user user:password --proxy --cacert /etc/rhsm/ca/redhat-uep.pem
* About to connect() to proxy port 8080 (#0)
*   Trying connected
* Connected to ( port 8080 (#0)
* Establish HTTP proxy tunnel to
* Proxy auth using Basic with user 'username'
> Host:
> Proxy-Authorization: Basic XXEEAA =
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/ zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
< Date: Tue, 03 Jul 2012 13:03:51 GMT
< Age: 2
< Proxy-Connection: Keep-Alive
< Via: 1.0 localhost.localdomain
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/rhsm/ca/redhat-uep.pem
  CApath: none
* Peer's certificate issuer is not recognized: ',O=My,L=RedHat,ST=South Carolina,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Diagnostic Steps

Find the troubleshooting steps which can help you to find the cause of the issue:

  • Make sure that the system's time and date is correct to the time and date of the geographical location.
  • Next thing to do is to unregister and register again the subscription manager - to be sure the server is properly registered using RHSM:

Unregister the server:

# date && subscription-manager unsubscribe --all
This machine has been unsubscribed from all subscriptions

# date && subscription-manager unregister
Consumer 11111111-2222-3333-4444-555555555556 has been deleted

Get the information about the server:

# date && subscription-manager facts --list

Register the server:

# date && subscription-manager register
The system has been registered with id: 11111111-2222-3333-4444-555555555555

# date && subscription-manager identity
Current identity is: 11111111-2222-3333-4444-555555555555
org name: 1111111
org id: 11111112222222333333334444444555

date && subscription-manager subscribe --pool=<PoolId_from_the_previous_command>

#Or use simply:
# date && subscription-manager list --available
    Available Subscriptions

ProductName:            Red Hat Enterprise Linux Server, Self-support (1-2 sockets)
                        (Up to 1 guest)
ProductId:              RH0197181                
PoolId:                 11111111111111111111111111111111
Quantity:               10                       
Multi-Entitlement:      No                       
Expires:                01/01/2013               
MachineType:            physical

# date && subscription-manager subscribe --auto
Installed Product Current Status:
Product Name:           Red Hat Enterprise Linux Server
Status:                 Subscribed

# date && subscription-manager list --consumed
    Consumed Product Subscriptions

Product Name:           Red Hat Enterprise Linux Server
Contract Number:        4444444
Account Number:         333333
Serial Number:          2222222222222222222
Active:                 True                     
Quantity Used:          1                        
Service Level:          None                     
Service Type :          None                     
Begins:                 22/09/11                 
Expires:                01/01/22

# date && subscription-manager repos --list
    Entitled Repositories in /etc/yum.repos.d/redhat.repo
Repo Name:              Red Hat Enterprise Linux 6 Server (RPMs)
Repo Id:                rhel-6-server-rpms       
Repo Url:     $releasever/$basearch/os
Enabled:                1                        

Repo Name:              Red Hat CloudForms Tools for RHEL 6 (RPMs)
Repo Id:                rhel-6-server-cf-tools-1-rpms
Repo Url:     $releasever/$basearch/cf-tools/1.0/os
Enabled:                1
  • Generate and check the strace:
yum clean all
sed -i.orig 's/debuglevel = 0/debuglevel = 1/g' /usr/lib64/python2.6/ 
strace -ttT -s1024 -v -o /tmp/yum.update.strace yum -d10 check-update
mv /usr/lib64/python2.6/ /usr/lib64/python2.6/

There should be something like this in the strace:

  • The system was able to connect to through the proxy server:
2012-03-12 10:04:36,002 [DEBUG] - Using proxy:
2012-03-12 10:04:36,002 [DEBUG] - Making request: GET
2012-03-12 10:04:37,952 [DEBUG] - Response status: 200
  • The strace of the client's yum attempt shows an initially successful connection to through the proxy
14:59:05.914373 connect(7, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("")}, 16) = -1 EINPROGRESS (Operation now in progress) <0.000022>
14:59:05.914423 poll([{fd=7, events=POLLOUT|POLLWRNORM}], 1, 29998) = 1 ([{fd=7, revents=POLLOUT|POLLWRNORM}]) <0.000227>
14:59:05.914693 getsockopt(7, SOL_SOCKET, SO_ERROR, [0], [4]) = 0 <0.000017>
14:59:05.914749 sendto(7, "CONNECT HTTP/1.1\r\nHost:\r\nUser-Agent: urlgrabber/3.9.1 yum/3.2.29\r\nProxy-Connection: Keep-Alive\r\n\r\n", 136, MSG_NOSIGNAL, NU
LL, 0) = 136 <0.000012>
14:59:05.914794 poll([{fd=7, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 1000) = 1 ([{fd=7, revents=POLLIN|POLLRDNORM}]) <0.231993>
14:59:06.146848 recvfrom(7, "HTTP/1.0 200 Connection established\r\n\r\n", 16384, 0, NULL, NULL) = 39 <0.000024>
curl --head --key /etc/pki/entitlement/4790939584130415916-key.pem -E /etc/pki/entitlement/4790939584130415916.pem -k -x --verbose -H "Cache-control: no-cache" -H "Pragma: no-cache" --cacert /etc/rhsm/ca/redhat-uep.pem
* About to connect() to proxy port 3128 (#0)                                                                                                                                              
*   Trying connected                                                                                                                                                                            
* Connected to ( port 3128 (#0)                                                                                                                                               
* Establish HTTP proxy tunnel to                                                                                                                                                            
> CONNECT HTTP/1.1                                                                                                                                                                          
> Host:                                                                                                                                                                                     
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/ zlib/1.2.3 libidn/1.18 libssh2/1.2.2                                                                                           
> Proxy-Connection: Keep-Alive                                                                                                                                                                                 
< HTTP/1.0 200 Connection established                                                                                                                                                                          
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: /etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate: PEM Token #1:5027624092264466693.pem
*       subject: CN=8a85f98435edb09d01360626e0924712
*       start date: Jan 01 05:00:00 2012 GMT
*       expire date: Jan 01 04:59:59 2013 GMT
*       common name: 8a85f98435edb09d01360626e0924712
*       issuer:,CN=Red Hat Candlepin Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject:,OU=IT,O="Red Hat, Inc.",L=Raleigh,ST=NORTH CAROLINA,C=US
*       start date: Jul 19 16:16:14 2010 GMT
*       expire date: Jul 16 16:16:14 2020 GMT
*       common name:
*       issuer:,CN=Red Hat Entitlement Operations Authority,OU=Red Hat Network,O="Red Hat, Inc.",ST=North Carolina,C=US
> GET /content/dist/rhel/server/5/5Server/x86_64/cf-tools/1.0/os/repodata/repomd.xml HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/ zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host:
> Accept: */*
< HTTP/1.1 200 OK
  • Without proxy using openssl:
openssl s_client -port 443 -CApath /etc/pki/entitlement/ -host -prexit -cert 6666666666666666666.pem -key 6666666666666666666-key.pem
depth=1 C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Red Hat Entitlement Operations Authority, emailAddress =
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=US/ST=NORTH CAROLINA/L=Raleigh/O=Red Hat, Inc./OU=IT/
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/
 1 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/
Server certificate
subject=/C=US/ST=NORTH CAROLINA/L=Raleigh/O=Red Hat, Inc./OU=IT/
issuer=/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/
Acceptable client certificate CA names
/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/
/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/
/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Candlepin Authority/
SSL handshake has read 3693 bytes and written 100396 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 4EF45E40519DD86B56C5D62938E42B2ACB85F421F1B4853E607BE42738047A31
    Master-Key: 7E3E5B2F9E2C257D76EB23E3477C67423761D7B843068EA95A43D3749D5464A52040F85635E3D8113F3D01A60E1AFEB4
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1345283601
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Testing connectivity to

  • Verifying the machine can connect to with curl:
$ curl -v -k --cacert /etc/rhsm/ca/redhat-uep.pem
* About to connect() to port 443 (#0)
*   Trying connected
* Connected to ( port 443 (#0)
* Closing connection #0
  • Or with openssl s_client:
$ openssl s_client -port 443 -CApath /etc/rhsm/ca/redhat-uep.pem -host
depth=2 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Entitlement Master CA, emailAddress =
verify error:num=19:self signed certificate in certificate chain
verify return:0

    Start Time: 1397793816
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

Then type in this:

GET /subscription/

... to get this output:

  • Or testing basic connectivity when you have a consumer cert and key, and where RHNUSERNAME is your customer portal login:
# curl --key /etc/pki/consumer/key.pem --cert /etc/pki/consumer/cert.pem --cacert redhat-uep.pem

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


My problem was fixed when I added the proxy details into /etc/rhsm/rhsm.conf
I had previously tried to add it to /etc/yum.conf but that did not help.

Thank you Ubaldo!

I have spent most of the afternoon trying to get this working and your post fixed it!

Thank you Ubaldo

Yes, big thank Ubaldo! After registration, yum was always attempting a direct https access. /etc/rhsm/rhsm.conf is definitely the place to update http proxy settings!

Does this really need to be this painful?>Subscriptions-->Overview-->Subscriptions Utilization-->
Is actually:>Subscriptions-->Your Subscriptions-->Overview-->Subscriptions Utilization-->

= = =

I found my VM as follows:>Subscriptions-->Subscription Management--> Units
Put the UUID in the "Filter", and there it was.

Update Mar 2015: Portal has been updated. To find your subscription by UUID see here:
Or:>Subscriptions--> Systems {that menu item is under the subheading Subscriber Inventory}

How can i stop the debug when i use yum... It keeps showing the header with yum

We were recently experiencing simmilar issues due to a Bluecoat proxy in our environment. The Bluecoat proxy did not trust the CA cert used by Red Hat and thus would return an error page. The only clue we were experiencing on our end was that when we used curl to debug the connection we were seeing an SSL Issuer mismatch. Turns out the mismatch was due to the Bluecoat returning an error page encrypted using it's own cert. Had we debugged the connection with the "-k0" option for curl we would have seen the error message.

TL/DR: Try using the "-k0" option with curl to ensure the proxy server is not sending back an error page for the connection in question.

This page:

does not match the description listed at the Resolution section

" To check system's UUID on customer portal: Go to>Subscriptions-->Overview-->Subscriptions Utilization-->Open the system profile from 'Subscription Management' tab and check 'UUID' "

Subscriber Inventory --> Systems --> System Inventory link
... ...
not working

I have updated that. Thank you for reporting it.

This worked for me as I was only using the x64_86 repo

yum --disablerepo=rhel-6-server-cf-tools-1-rpms --disablerepo=rhel-6-server-rpms install rrdtool rrdtool-perl httpd

Then I disabled the same in vi /etc/yum.repos.d/redhat.repo

[root@svstor2rrd01 ~]# yum --disablerepo=rhel-6-server-cf-tools-1-rpms --disablerepo=rhel-6-server-rpms install rrdtool rrdtool-perl httpd
Loaded plugins: product-id, rhnplugin, security, subscription-manager

This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
No package rrdtool-perl available.
Resolving Dependencies

Joginder Singh

The "--username" and "--password" arguments don't appear to be working for register.

I can use "subscription-manager register --autosubscribe" and then type in my username and password when prompted, but I can't use "subscription-manager register --autosubscribe --username=myuser --password=mypass".

--proxy argument does not appear to work for action "repos"

[root@myserver etc]# subscription-manager --proxy=http://proxy-ip:3128 repos --list
Usage: subscription-manager repos [OPTIONS]

subscription-manager: error: no such option: --proxy

In Diagnostic Steps, clean options must be incompatible with proxy, local only ? date && subscription-manager --proxy= clean

Thu Jan 5 14:21:37 EST 2017 Usage: subscription-manager clean [OPTIONS]

subscription-manager: error: no such option: --proxy

---- This worked instead. ------------------

date && subscription-manager clean

Thu Jan 5 14:19:46 EST 2017 All local data removed

Could you add to the official portion of this document that you should be using different URLS's based on the OS and have each of the URLS's listed out as RHEL 5, RHEL 6 and RHEL 7 which should be substituted in to replace the URL's in the document. Currently some places have the RHEL 5 url and some the RHEL6 URL but their does not seem to be a RHEL7 URL in the document which I suspect might be The document might be even better if you where to pre-execute commands in each example to calculate out the major number release numbers into the URL so that you don't have to list out separate urls for each version of the OS, as that would take out the chances of accidentally using the wrong URL for the version you are using.

Check your version of NSS

I had an old RHEL 6.1 box that I was trying to get updated. In my case, the SSL connection problem ("NSS error -8092") was due to an old version of NSS; I needed to upgrade it to version 3.15+. (Thanks to this site which gave me a hint:

Here are the packages I had to manually update:

rpm -ivh nspr-4.13.1-1.el6.x86_64.rpm --force
rpm -ivh nss-util-3.15.1-3.el6.x86_64.rpm --force
rpm -ivh nss-softokn-freebl-3.14.3-9.el6.x86_64.rpm --force
rpm -ivh nss-softokn-3.14.3-9.el6.x86_64.rpm --force
rpm -ivh nss-3.15.1-15.el6.x86_64.rpm --force

After that I was able to register with my local Satellite 6.2 server and run updates.

Daniel, That did it for me also, i mounted an iso as a repo and updated nss package which fixed the issue, Thank You !

Kindly request updating or validating this for RHEL 8 as well, thanks.


A note that might help some users, on RHEL8 you can use the -proxy flag to debug your connection. openssl s_client -proxy myproxy .....