Broken Certificate Chain prevents successful execution of Subscription-Manager Commands


Issue

Unable to successfully execute subscription-manager commands. Executing any subscription-manager command results in the following:

[root@###### ~]# subscription-manager refresh
Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information.

Reviewing the output of a curl request to RHSM and the CDN reveals the following:

Incorrect Certificate Chain

 0 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Subscription Management/CN=subscription.rhsm.redhat.com/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations  ! unable to get local issuer cer/emailAddress=ca-support@redhat.com
 1 s:/C=CA/ST=Ontario/L=Toronto/O=#######/OU=#######/CN=#######/emailAddress=###########
   i:/DC=local/DC=#######/CN=#########
  • The first certificate is corrupted. The issuer ("i:") of the first certificate contains "! unable to get local issuer":
     i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations  ! unable to get local issuer cer/emailAddress=ca-support@redhat.com
  • The second certificate in the chain is not from Red Hat, but from a different organization:
     1 s:/C=CA/ST=Ontario/L=Toronto/O=#######/OU=#######/CN=######/emailAddress=#############
       i:/DC=local/DC=#######/CN=#########

Correct Certificate Chain

The chain of trust for the "subscription.rhsm.redhat.com" certificate should look like this:

Certificate chain
 0 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Subscription Management/CN=subscription.rhsm.redhat.com/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
 1 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
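
The comparison between the two chains above can be automated. The following Python code is an added example, not Red Hat code: it parses `s:`/`i:` listings in the format shown in this article and reports the two symptoms described (a subject outside Red Hat, Inc., and an issuer that does not match the next certificate's subject). The function names and the `EXPECTED_ORG` constant are assumptions made for illustration; both inputs are copied from the listings above.

```python
import re

# Both samples are copied from the chain listings in this article
# (redactions kept as "#######"); nothing here contacts the network.
BROKEN = """\
 0 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Subscription Management/CN=subscription.rhsm.redhat.com/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations  ! unable to get local issuer cer/emailAddress=ca-support@redhat.com
 1 s:/C=CA/ST=Ontario/L=Toronto/O=#######/OU=#######/CN=#######/emailAddress=###########
   i:/DC=local/DC=#######/CN=#########
"""
GOOD = """\
 0 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Subscription Management/CN=subscription.rhsm.redhat.com/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
 1 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
"""
EXPECTED_ORG = "Red Hat, Inc."  # assumption: the O= value seen in the correct chain

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 's:' / 'i:' line pairs."""
    certs, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+) s:(.*)", line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            certs.append(current)
        elif current and (m := re.match(r"\s*i:(.*)", line)):
            current[2] = m.group(1).strip()
    return [tuple(c) for c in certs]

def org(dn):
    """Extract the O= attribute from a slash-separated DN, or None."""
    m = re.search(r"/O=([^/]*)", dn)
    return m.group(1) if m else None

def check_chain(text):
    """List the problems found; an empty list means the listing is consistent."""
    certs, problems = parse_chain(text), []
    for depth, subject, _ in certs:
        if org(subject) != EXPECTED_ORG:
            problems.append(f"cert {depth}: subject organization is {org(subject)!r}")
    for (d, _, issuer), (_, next_subject, _) in zip(certs, certs[1:]):
        if issuer != next_subject:
            problems.append(f"cert {d}: issuer does not match subject of cert {d + 1}")
    return problems

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("correct", GOOD)):
        print(name, check_chain(sample) or "OK")
```

This compares only the text of a chain listing; it does not validate signatures or trust anchors.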

Environment

  • Red Hat Enterprise Linux
