Clients are unable to connect with the Red Hat Satellite 6 server due to recent expired AddTrust Root CA certificates.

Solution Verified - Updated -

Issue

  • Running any subscription-manager or yum command on content hosts registered with Red Hat Satellite fails with following error:

    [Errno 14] curl#58 - "SSL peer rejected your certificate as expired.
    or
    Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
    
  • Hammer command on Satellite fails with following error:

    Make sure you configured the correct URL and have the server's CA certificate installed on your system.
    
    The following configuration option were used for the SSL connection:
     ssl_ca_file = /etc/pki/katello/certs/katello-server-ca.crt
    
    Make sure the location contains an unexpired and valid CA certificate for https://satellite.example.com
    
  • Login into Satellite or performing any operation in Satellite (like creating a new Subnet) fails with following error:

    SSL certificate verification failed
    Make sure you configured the correct URL and have the server's CA certificate installed on your system.
    The following configuration option were used for the SSL connection:
    ssl_ca_file = /etc/pki/katello/certs/katello-server-ca.crt
    
  • How to update or replace old expired certificates on Satellite 6?

  • Is there any way to check the expired Certificate Authority(CA) certificates in satellite 6?

Environment

  • Red Hat Satellite 6

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In