foreman_scap_client fails with 'SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed'

Solution Verified

Environment

  • Red Hat Satellite v 6.1.5
  • Openscap

Issue

  • foreman_scap_client fails with:
# /usr/bin/foreman_scap_client 1
File /var/lib/openscap/content/1fbdc87d24db51ca184419a2b6f7018f1361c27cd818755d5bc4f5b08fed0a7c.xml is missing. Downloading it from proxy
Download scap content xml from: https://satellite.example.com:5674/compliance/policies/1/content
SCAP file is missing and download failed with error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Resolution

  • Check the configuration file /etc/foreman_scap_client/config.yaml and confirm that the ":ca_file:" entry points at the Katello server CA:
:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'

Root Cause

  • The openscap client configuration file /etc/foreman_scap_client/config.yaml on the client was incorrectly configured with the Puppet CA and Puppet host certificate entries:
:ca_file: '/var/lib/puppet/ssl/certs/ca.pem'
:host_certificate: '/var/lib/puppet/ssl/certs/myhost.example.com.pem'
:host_private_key: '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem'

The Satellite proxy presents a certificate issued by the Katello server CA, not the Puppet CA, so verification against the Puppet CA fails. The entries should be:

:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
:host_certificate: '/etc/pki/consumer/cert.pem'
:host_private_key: '/etc/pki/consumer/key.pem'
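The following is an added example, not part of the Red Hat solution, that checks the three TLS entries of config.yaml before running foreman_scap_client and then reproduces the client's server-certificate verification with openssl s_client using the configured :ca_file: (the function names scap_cfg_get, scap_cfg_check and scap_tls_check are this example's own; it assumes the one-key-per-line ':key: value' form shown above and a host:port such as satellite.example.com:5674 from the article's proxy URL).

```shell
#!/bin/sh
# Added example (not from the Red Hat article): sanity-check the TLS
# settings that foreman_scap_client uses to talk to the Satellite proxy.

# Print the value of a ':key:' entry from a foreman_scap_client config.yaml.
# Assumes the simple one-key-per-line form from the article, with the value
# in single quotes, double quotes, or unquoted.
scap_cfg_get() {
    key=$1; file=$2
    sed -n "s/^:${key}:[[:space:]]*//p" "$file" | head -n 1 | tr -d "'\"[:space:]"
}

# Report configuration problems for the three TLS entries. Findings go to
# stdout; returns 0 when nothing suspicious was found, 1 otherwise.
scap_cfg_check() {
    file=${1:-/etc/foreman_scap_client/config.yaml}
    rc=0
    for key in ca_file host_certificate host_private_key; do
        val=$(scap_cfg_get "$key" "$file")
        if [ -z "$val" ]; then
            echo "MISSING: :$key: is not set in $file"; rc=1; continue
        fi
        if [ ! -r "$val" ]; then
            echo "UNREADABLE: :$key: -> $val"; rc=1
        fi
        # The article's root cause: entries left pointing at the Puppet CA and
        # Puppet host certificates instead of the Katello CA and consumer cert.
        case $val in
            /var/lib/puppet/ssl/*)
                echo "SUSPECT: :$key: points at Puppet SSL material ($val);" \
                     "the Satellite proxy certificate is issued by the Katello CA"
                rc=1 ;;
        esac
    done
    return $rc
}

# Verify the proxy's server certificate the way foreman_scap_client will:
# against the configured :ca_file:, presenting the configured client cert.
# $1 is host:port (e.g. satellite.example.com:5674). Prints OpenSSL's
# "Verify return code" and returns 0 only when it is "0 (ok)".
scap_tls_check() {
    hostport=$1; file=${2:-/etc/foreman_scap_client/config.yaml}
    ca=$(scap_cfg_get ca_file "$file")
    cert=$(scap_cfg_get host_certificate "$file")
    key=$(scap_cfg_get host_private_key "$file")
    result=$(openssl s_client -connect "$hostport" -CAfile "$ca" \
                 -cert "$cert" -key "$key" </dev/null 2>/dev/null \
             | sed -n 's/^ *Verify return code: //p' | head -n 1)
    echo "verify: ${result:-no result (connection failed?)}"
    [ "${result%% *}" = "0" ]
}

# Run directly: sh scap_tls_check.sh satellite.example.com:5674
if [ -n "${1:-}" ]; then
    scap_cfg_check && scap_tls_check "$1"
fi
```

Passing -CAfile explicitly matters: without it, s_client validates against the system trust store rather than the CA the client is configured with, so its "Verify return code" can differ from what foreman_scap_client actually sees.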


2 Comments

This solution did not work for me on (patched to current as of 20151229) RHEL 7.2 client with Satellite 6.1.5 Error still occurs.

foreman_scap_client 3
File /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml is missing. Downloading it from proxy
Download scap content xml from: https://sat6.example.com:9090/compliance/policies/3/content
SCAP file is missing and download failed with error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Also: openssl s_client -connect sat6.example.com:9090 -cert /etc/pki/consumer/cert.pem -key /etc/pki/consumer/key.pem -state -debug

Returns:

Start Time: 1451413593
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

whereas:

openssl s_client -connect sat6.parmstro.redhat.com:5647 -cert /etc/pki/consumer/cert.pem -key /etc/pki/consumer/key.pem -state -debug

Opens a connection just fine.

Satellite Server has been configured with IPA/IdM integration

katello-installer \
  --capsule-realm true \
  --capsule-realm-keytab /etc/foreman-proxy/freeipa.keytab \
  --capsule-realm-principal 'realm-capsule@EXAMPLE.COM' \
  --capsule-realm-provider freeipa \
  --certs-server-cert /etc/ipa/requests/sat6.crt \
  --certs-server-cert-req /etc/ipa/requests/sat6.csr \
  --certs-server-key /etc/ipa/requests/sat6.key \
  --certs-server-ca-cert /etc/ipa/ca.crt \
  --certs-update-server \
  --certs-update-server-ca

Hello Paul,

Can you please reach out to Red Hat Technical Support (https://access.redhat.com/support/contact/technicalSupport/)? We have to take a closer look at your problem and would need data to analyse the issue.