Error "no certificate or crl found" reported when using an HTTP proxy for content syncing or manifest-related operations in Satellite 6.12

Solution Verified - Updated -


Environment

  • Red Hat Satellite 6.12.0


Issue

In Satellite 6.12, after creating an HTTP proxy and setting it as the Default HTTP Proxy, two fundamental functions are found to be broken:

  • Accessing the Satellite WebUI --> Content --> Subscriptions page results in the error "no certificate or crl found".

  • Accessing the Satellite WebUI --> Content --> Red Hat Repositories page and expanding any repository set results in a "No Repositories available" message.

  • As a result, trying to synchronize any existing repository or refresh the Satellite manifest fails as well.


Resolution

  • This issue has been reported to the Red Hat Engineering team via Bugzilla 2144044 and has been fixed in Red Hat Satellite 6.12.1.

  • To resolve this issue:

    • For 6.12.0, follow the process described in comment 6 of the bug and apply the hotfix on the affected Satellite server.

    • Otherwise, simply update to Red Hat Satellite 6.12.1.

  • Reach out to Red Hat Technical Support if any further clarification is required.

Diagnostic Steps

  • Accessing the Content --> Subscriptions page results in the following traceback in the /var/log/foreman/production.log file:

    2022-11-19T00:11:19 [E|app|ee15f1b2] Katello::HttpErrors::BadRequest: no certificate or crl found
    ee15f1b2 | /usr/share/gems/gems/katello- `rescue in check_upstream_connection'
    ee15f1b2 | /usr/share/gems/gems/katello- `check_upstream_connection'
    ee15f1b2 | /usr/share/gems/gems/activesupport- `block in make_lambda'
    ee15f1b2 | /usr/share/gems/gems/activesupport- `block (2 levels) in halting'
    ee15f1b2 | /usr/share/gems/gems/actionpack- `block (2 levels) in <module:Callbacks>'
    ee15f1b2 | /usr/share/gems/gems/activesupport- `block in halting'
    ee15f1b2 | /usr/share/gems/gems/activesupport- `block in invoke_before'

  • Accessing the Content --> Red Hat Repositories page and trying to enable any repository from there results in the following traceback in the same file:

    2022-11-19T00:12:25 [E|bac|8732f73b] no certificate or crl found (OpenSSL::X509::StoreError)
    8732f73b | /usr/share/foreman/lib/foreman/util.rb:37:in `add_file'
    8732f73b | /usr/share/foreman/lib/foreman/util.rb:37:in `block in add_ca_bundle_to_store'
    8732f73b | /usr/share/ruby/tempfile.rb:291:in `open'
    8732f73b | /usr/share/foreman/lib/foreman/util.rb:34:in `add_ca_bundle_to_store'
    8732f73b | /usr/share/gems/gems/katello- `initialize'
    8732f73b | /usr/share/gems/gems/katello- `new'
    8732f73b | /usr/share/gems/gems/katello- `create'
    8732f73b | /usr/share/gems/gems/katello- `cdn_resource'
    8732f73b | /usr/share/gems/gems/katello- `cdn_var_substitutor'
    8732f73b | /usr/share/gems/gems/katello- `fetch_results'
    8732f73b | /usr/share/gems/gems/katello- `run'
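
A triage sketch for the diagnostic steps above, added here as an example and not Red Hat's own tooling: it scans production.log lines for the error, groups traceback frames by the request ID that prefixes them, and reports which of the two symptoms each hit corresponds to. The log-line layout and the hex request IDs are assumed from the excerpts shown; the helper names and the last sample line are constructed.

```ruby
# Added example: classify "no certificate or crl found" entries in
# /var/log/foreman/production.log by the frames in their traceback.
ERROR_TEXT = 'no certificate or crl found'
# Error header, e.g. "2022-11-19T00:11:19 [E|app|ee15f1b2] <message>" (layout assumed).
HEADER = /^(?<ts>\S+) \[E\|\w+\|(?<id>\h+)\] (?<msg>.*)$/
# Traceback frame, e.g. "ee15f1b2 | <path> `method'".
FRAME = /^(?<id>\h+) \| .*`(?<meth>[^']+)'$/

# Frame name => symptom, taken from the two tracebacks in this article.
SYMPTOMS = {
  'check_upstream_connection' => 'Content > Subscriptions page',
  'add_ca_bundle_to_store'    => 'Content > Red Hat Repositories page',
}.freeze

# Returns { request_id => { time:, symptom: } } for every matching error.
def classify(lines)
  events = {}
  lines.each do |raw|
    line = raw.strip
    if (m = HEADER.match(line))
      next unless m[:msg].include?(ERROR_TEXT)
      events[m[:id]] = { time: m[:ts], symptom: 'unclassified' }
    elsif (m = FRAME.match(line)) && (ev = events[m[:id]])
      # Only frames belonging to a request that already logged the error count.
      hit = SYMPTOMS.find { |frame, _| m[:meth].end_with?(frame) }
      ev[:symptom] = hit[1] if hit && ev[:symptom] == 'unclassified'
    end
  end
  events
end

# Sample input: excerpts of the tracebacks above plus one constructed line.
SAMPLE = <<~'LOG'.lines
  2022-11-19T00:11:19 [E|app|ee15f1b2] Katello::HttpErrors::BadRequest: no certificate or crl found
  ee15f1b2 | /usr/share/gems/gems/katello- `rescue in check_upstream_connection'
  2022-11-19T00:12:25 [E|bac|8732f73b] no certificate or crl found (OpenSSL::X509::StoreError)
  8732f73b | /usr/share/foreman/lib/foreman/util.rb:37:in `add_file'
  8732f73b | /usr/share/foreman/lib/foreman/util.rb:37:in `block in add_ca_bundle_to_store'
  2022-11-19T00:13:00 [E|app|0a1b2c3d] constructed unrelated error line
LOG

if __FILE__ == $PROGRAM_NAME
  src = ARGV[0] ? File.readlines(ARGV[0]) : SAMPLE
  classify(src).each { |id, ev| puts "#{ev[:time]} #{id} #{ev[:symptom]}" }
end
```

Pass the log path as the first argument to run it against a real file; with no argument it runs on the embedded sample.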

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


How to apply the fix attached to this solution?


I suggest you not use the manual patch file but rather install the hotfix, which is permanent in nature.

But if you insist on applying the patch fix manually, instead of the hotfix, I can share the steps.

-- Sayan