Red Hat Satellite 6: Capsule sync fails with error Connection hostname 'localhost' does not match names from peer certificate.

Solution Verified - Updated -

Environment

  • Red Hat Satellite 6.3

Issue

  • After upgrading from Red Hat Satellite 6.2 to 6.3, Capsule sync fails and the following errors appear in the logs:
        Mar  1 14:31:06 blrhcap01 pulp: celery.beat:ERROR: beat: Connection error: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",). Trying again in 12.0 seconds...
        Mar  1 14:31:06 blrhcap01 pulp: celery.worker.consumer:ERROR: (3029-31488) consumer: Cannot connect to qpid://localhost:5671//: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",).
        Mar  1 14:31:06 blrhcap01 pulp: celery.worker.consumer:ERROR: (3029-31488) Trying again in 12.00 seconds...
        Mar  1 14:31:06 blrhcap01 pulp: celery.worker.consumer:ERROR: (3029-31488)
  • Upgraded Capsule content sync fails with 'Pulp message bus connection issue'.

Resolution

  • Generate a new Capsule certificate on the Red Hat Satellite server as follows and activate it on the Capsule.

    • For Capsule Server with a Default Server Certificate:

      # capsule-certs-generate --foreman-proxy-fqdn mycapsule.example.com \
      --certs-tar mycapsule.example.com-certs.tar --certs-update-all
      
    • For Capsule Server with a Custom Server Certificate:

      # capsule-certs-generate --foreman-proxy-fqdn capsule.example.com \
      --certs-tar /root/capsule_cert/capsule_certs.tar \
      --server-cert /root/capsule_cert/capsule_cert.pem \
      --server-cert-req /root/capsule_cert/capsule_cert_csr.pem \
      --server-key /root/capsule_cert/capsule_cert_key.pem \
      --server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
      --certs-update-server --certs-update-all
      
  • Refer to 4.7.6. Configuring Capsule Server with a Custom Server Certificate.
    Note: Do not remove the --certs-update-all option from the above command.

  • Copy the archive file to the Capsule Server.

    # scp mycapsule.example.com-certs.tar mycapsule.example.com:~/
    
  • Perform the upgrade by running the installer script with the --upgrade option:

    # satellite-installer --scenario capsule --upgrade \
    --foreman-proxy-content-certs-tar mycapsule.example.com-certs.tar \
    --certs-update-all --certs-regenerate true --certs-deploy true
    
  • See 2.4. Upgrading Capsule Servers to get more information on upgrading Capsule server.

  • A similar issue can also be observed if only one of the Satellite or the Capsule is running with custom SSL certificates while the other has default certificates.

Root Cause

  • An incomplete Capsule upgrade causes the hostname to change from Capsule.example.com to 'localhost'.
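
To check which hostname the Pulp workers connect with and which names the peer certificate carries, the following added example (not part of the Red Hat article or of Satellite) parses the mismatch error from the log excerpt above and tests both the connection hostname and the Capsule FQDN against the certificate names. The function names, the simplified wildcard rule and the `capsule_fqdn` argument are assumptions made for illustration.

```python
import re

# Mismatch message as it appears in the pulp/celery log lines in the article.
MISMATCH_RE = re.compile(
    r"Connection hostname '(?P<host>[^']+)' does not match names "
    r"from peer certificate: \[(?P<names>[^\]]*)\]")
NAME_RE = re.compile(r"u?'([^']+)'")  # accepts both 'name' and u'name'

# Sample input: two lines taken from the log excerpt in the article.
SAMPLE_LOG = """\
Mar  1 14:31:06 blrhcap01 pulp: celery.beat:ERROR: beat: Connection error: ("Connection hostname 'localhost' does not match names from peer certificate: ['satellite.example.com', u'satellite.example.com']",). Trying again in 12.0 seconds...
Mar  1 14:31:06 blrhcap01 pulp: celery.worker.consumer:ERROR: (3029-31488) Trying again in 12.00 seconds...
""".splitlines()


def name_matches(hostname, cert_name):
    """Case-insensitive label match; '*' only as the entire left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    cert = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(cert):
        return False
    if cert[0] == "*" and len(cert) > 2:
        return host[1:] == cert[1:]
    return host == cert


def triage(log_lines, capsule_fqdn):
    """Return one dict per distinct (hostname, certificate names) mismatch."""
    seen, results = set(), []
    for line in log_lines:
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        names = tuple(sorted(set(NAME_RE.findall(m.group("names")))))
        key = (m.group("host"), names)
        if key in seen:
            continue
        seen.add(key)
        results.append({
            "connect_host": key[0],
            "cert_names": list(names),
            "connect_host_in_cert": any(name_matches(key[0], n) for n in names),
            "capsule_fqdn_in_cert": any(name_matches(capsule_fqdn, n) for n in names),
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "mycapsule.example.com"):
        print(row)
```

If `capsule_fqdn_in_cert` is false after the certificate archive has been regenerated and deployed, the certificate in use on the Capsule is still not the one issued for its FQDN.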

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

This does not work for me, using custom certificates.

@West, with custom certs, you need to use the command below to generate the capsule certificates on Satellite:

# capsule-certs-generate \
--foreman-proxy-fqdn mycapsule.example.com \
--certs-tar /root/capsule_cert/capsule_certs.tar \
--server-cert /root/capsule_cert/capsule_cert.pem \
--server-cert-req /root/capsule_cert/capsule_cert_csr.pem \
--server-key /root/capsule_cert/capsule_cert_key.pem \
--server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
--certs-update-all

# satellite-installer --scenario capsule --upgrade \
--foreman-proxy-content-certs-tar mycapsule.example.com-certs.tar \
--certs-update-all --certs-regenerate true --certs-deploy true

It doesn't like this option: ERROR: Unrecognised option '--certs-regenerate'
It doesn't like this option either: ERROR: Unrecognised option '--certs-deploy'