Red Hat Satellite 6: Capsule sync fails with error Connection hostname 'localhost' does not match names from peer certificate.

Solution Verified - Updated -

Environment

  • Red Hat Satellite 6.3 or newer

Issue

  • After an upgrade of Satellite 6, Capsule sync fails and seeing the following error from logs.
        Mar  1 14:31:06 mycap01 pulp: celery.beat:ERROR: beat: Connection error: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",). Trying again in 12.0 seconds...
        Mar  1 14:31:06 mycap01 pulp: celery.worker.consumer:ERROR: (3029-31488) consumer: Cannot connect to qpid://localhost:5671//: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",).
        Mar  1 14:31:06 mycap01 pulp: celery.worker.consumer:ERROR: (3029-31488) Trying again in 12.00 seconds...
        Mar  1 14:31:06 mycap01 pulp: celery.worker.consumer:ERROR: (3029-31488)
  • Upgraded Capsule content sync fails with 'Pulp message bus connection issue'.

Resolution

  • Generate new Capsule certificate on Red Hat Satellite server as follows and activate it on the Capsule:

    • For Capsule Server with a Default Server Certificate:

       # capsule-certs-generate --foreman-proxy-fqdn mycapsule.example.com \
--certs-tar mycapsule.example.com-certs.tar --certs-update-all

    • For Capsule Server with a Custom Server Certificate:

      # capsule-certs-generate --foreman-proxy-fqdn capsule.example.com \
--certs-tar  /root/capsule_cert/capsule_certs.tar \
--server-cert /root/capsule_cert/capsule_cert.pem \
--server-cert-req /root/capsule_cert/capsule_cert_csr.pem \
--server-key /root/capsule_cert/capsule_cert_key.pem \
--server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
--certs-update-server --certs-update-all

  • Refer: 2.7.2. Configuring Capsule Server with a Custom SSL Certificate.
    Note: Do not remove --certs-update-all option from the above command.

  • Copy the archive file to the Capsule Server:

     # scp mycapsule.example.com-certs.tar mycapsule.example.com:~/

  • Perform the certificates upgrade by running the satellite-installer command as specified in output of capsule-certs-generate.

  • Similar issue can also be observed if only satellite or capsule is running with custom SSL certs while the other has default certs.

For more KB articles/solutions related to Red Hat Satellite 6.x Capsule Sync Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Capsule Sync Issues

Root Cause

  • Incomplete Capsule upgrade causes hostname change from capsule.example.com to localhost.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments