Red Hat Satellite 6: Capsule sync fails with error Connection hostname 'localhost' does not match names from peer certificate.
Environment
- Red Hat Satellite 6.3 or newer
Issue
- After an upgrade of Satellite 6, Capsule sync fails and the following error is seen in the logs:
Mar 1 14:31:06 mycap01 pulp: celery.beat:ERROR: beat: Connection error: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",). Trying again in 12.0 seconds...
Mar 1 14:31:06 mycap01 pulp: celery.worker.consumer:ERROR: (3029-31488) consumer: Cannot connect to qpid://localhost:5671//: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",).
Mar 1 14:31:06 mycap01 pulp: celery.worker.consumer:ERROR: (3029-31488) Trying again in 12.00 seconds...
Mar 1 14:31:06 mycap01 pulp: celery.worker.consumer:ERROR: (3029-31488)
- Upgraded Capsule content sync fails with 'Pulp message bus connection issue'.
Resolution
- Generate a new Capsule certificate on the Red Hat Satellite server as follows and activate it on the Capsule:
  - For Capsule Server with a Default Server Certificate:

        # capsule-certs-generate --foreman-proxy-fqdn mycapsule.example.com \
            --certs-tar mycapsule.example.com-certs.tar --certs-update-all

  - For Capsule Server with a Custom Server Certificate:

        # capsule-certs-generate --foreman-proxy-fqdn capsule.example.com \
            --certs-tar /root/capsule_cert/capsule_certs.tar \
            --server-cert /root/capsule_cert/capsule_cert.pem \
            --server-cert-req /root/capsule_cert/capsule_cert_csr.pem \
            --server-key /root/capsule_cert/capsule_cert_key.pem \
            --server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
            --certs-update-server --certs-update-all

    Refer: 2.7.2. Configuring Capsule Server with a Custom SSL Certificate.

  Note: Do not remove the --certs-update-all option from the above command.
- Copy the archive file to the Capsule Server:

        # scp mycapsule.example.com-certs.tar mycapsule.example.com:~/

- Perform the certificates upgrade by running the satellite-installer command as specified in the output of capsule-certs-generate.
- A similar issue can also be observed if only one of Satellite or Capsule is running with custom SSL certificates while the other has default certificates.
For more KB articles/solutions related to Red Hat Satellite 6.x Capsule Sync Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Capsule Sync Issues
Root Cause
- Incomplete Capsule upgrade causes hostname change from capsule.example.com to localhost.
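To see which hosts are logging this mismatch, the error lines shown in the Issue section can be parsed for the connection hostname and the certificate names. The Python below is an added example, not Red Hat tooling; the function names are illustrative, and it assumes the syslog prefix format seen in those lines, with the logging host in the fourth field.

```python
import re

# Constructed sample: two of the log lines quoted in the Issue section.
SAMPLE_LOG = """\
Mar 1 14:31:06 mycap01 pulp: celery.beat:ERROR: beat: Connection error: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",). Trying again in 12.0 seconds...
Mar 1 14:31:06 mycap01 pulp: celery.worker.consumer:ERROR: (3029-31488) consumer: Cannot connect to qpid://localhost:5671//: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",).
"""

# Syslog prefix (assumed layout), then the mismatch message logged under the pulp tag.
MISMATCH = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+pulp:.*?"
    r"Connection hostname '(?P<conn>[^']+)' does not match names "
    r"from peer certificate: \[(?P<names>[^\]]*)\]"
)
NAME = re.compile(r"u?'([^']+)'")  # names are printed as 'x' or u'x'


def name_matches(hostname, cert_name):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    h = hostname.lower().rstrip(".").split(".")
    c = cert_name.lower().rstrip(".").split(".")
    if len(h) != len(c):
        return False
    if c[0] == "*":
        return len(c) > 2 and h[1:] == c[1:]
    return h == c


def find_mismatches(log_text):
    """Return one record per distinct (log host, connection host, cert names)."""
    seen = {}
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if not m:
            continue
        names = tuple(sorted(set(NAME.findall(m.group("names")))))
        key = (m.group("host"), m.group("conn"), names)
        seen[key] = seen.get(key, 0) + 1
    return [
        {"log_host": host, "connected_as": conn, "cert_names": list(names),
         "count": n,
         "mismatch": not any(name_matches(conn, x) for x in names)}
        for (host, conn, names), n in seen.items()
    ]


if __name__ == "__main__":
    for rec in find_mismatches(SAMPLE_LOG):
        print(rec)
```

A record with `connected_as` equal to `localhost` and `mismatch` set to true is the signature shown in the Issue logs.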