Unable to register RHEL system due to error curl: (77) error setting certificate file: /etc/rhsm/ca/redhat-uep.pem
Environment
- Red Hat Enterprise Linux (RHEL)
- Red Hat Subscription Manager (RHSM)
Issue
- Unable to register RHEL servers to the Red Hat Customer Portal due to the error below:

    [root@RHELsystem]# subscription-manager register
    Registering to: subscription.rhsm.redhat.com:443/subscription
    Username: XXX
    Password:
    Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147)

- The system is unable to connect to the URL subscription.rhsm.redhat.com for registration. Curl tests show the error below:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 209.132.178.16:443...
    * Connected to subscription.rhsm.redhat.com (209.132.178.16) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * error setting certificate file: /etc/rhsm/ca/redhat-uep.pem
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (77) error setting certificate file: /etc/rhsm/ca/redhat-uep.pem
Resolution
- Verify that /etc/rhsm/rhsm.conf exists and points to the correct directory containing the CA certificate:

    # egrep "ca_cert_dir|repo_ca_cert" /etc/rhsm/rhsm.conf
    ca_cert_dir = /etc/rhsm/ca/
    repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

- Confirm whether Red Hat's root CA certificate file redhat-uep.pem is present in the /etc/rhsm/ca directory of the system and has the correct permissions (644):

    # ls -la /etc/rhsm/ca/
    -rw-r--r--. 1 root root 7411 Jun 12 07:25 redhat-uep.pem

- If the file is missing, copy it from another RHEL system to the /etc/rhsm/ca/ directory of the affected system and set the correct permissions and ownership:

    # chmod 644 /etc/rhsm/ca/redhat-uep.pem
    # chown root:root /etc/rhsm/ca/redhat-uep.pem

  NOTE: If another RHEL system is not available, open a support case with Red Hat.

- After copying the file and setting the correct permissions, clean and re-register the affected system:

    # mv /etc/pki/consumer/* /tmp
    # mv /etc/pki/entitlement/* /tmp
    # subscription-manager clean
    # subscription-manager register
    # subscription-manager refresh

- Check that the system is registered and that it is able to list packages from the Red Hat CDN:

    # subscription-manager identity
    # subscription-manager status
    # yum clean all
    # yum repolist -v
Root Cause
- This error can occur if the CA certificate /etc/rhsm/ca/redhat-uep.pem is missing, renamed, or has the wrong permissions.
- The redhat-uep.pem file is Red Hat's root CA certificate, which is responsible for establishing secure tunnel connections to Red Hat's Subscription services and CDN server.
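
The causes listed above (missing, renamed, wrong permissions) can be checked in one pass. The script below is an added example, not part of the original article or of Red Hat's tooling: it resolves the path that repo_ca_cert in rhsm.conf points to, reports which condition the file fails, and prints a SHA-256 digest so that a copy can be compared with the system it came from. The function names are hypothetical, GNU stat and sha256sum are assumed, and the PEM test is a structural marker check only.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Function names are hypothetical.
# Assumes GNU stat and sha256sum (coreutils), as shipped on RHEL.

# Print the path repo_ca_cert resolves to, expanding %(ca_cert_dir)s.
resolve_repo_ca() (
    conf=$1
    [ -r "$conf" ] || exit 1
    dir=$(sed -n 's/^[[:space:]]*ca_cert_dir[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    cert=$(sed -n 's/^[[:space:]]*repo_ca_cert[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    [ -n "$cert" ] || exit 1
    ref='%(ca_cert_dir)s'
    case $cert in
        *"$ref"*) cert=${cert%%"$ref"*}$dir${cert#*"$ref"} ;;
    esac
    printf '%s\n' "$cert"
)

# Print one verdict (ok, missing, mode, owner, not-pem); return 0 only for ok.
# $2 is the expected numeric uid:gid, default 0:0 (root:root).
check_ca_file() (
    f=$1
    want=${2:-0:0}
    [ -e "$f" ] || { echo missing; exit 1; }
    [ "$(stat -c '%a' "$f")" = 644 ] || { echo mode; exit 1; }
    [ "$(stat -c '%u:%g' "$f")" = "$want" ] || { echo owner; exit 1; }
    # Structural check only: a PEM certificate marker must be present.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || { echo not-pem; exit 1; }
    echo ok
)

# SHA-256 of the file, to compare with the system it was copied from.
ca_fingerprint() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Check the live system only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    ca=$(resolve_repo_ca /etc/rhsm/rhsm.conf) || { echo "repo_ca_cert not resolvable"; exit 2; }
    verdict=$(check_ca_file "$ca") && echo "sha256 $(ca_fingerprint "$ca")"
    echo "$ca: $verdict"
fi
```

Run it with --run on the affected system; when the file was copied from another host, run ca_fingerprint on both sides and compare the digests before re-registering.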
Diagnostic Steps
- Verify basic connectivity to the subscription-manager URL subscription.rhsm.redhat.com using the curl command:

    # curl -v https://subscription.rhsm.redhat.com --cacert /etc/rhsm/ca/redhat-uep.pem

- Otherwise, if a sosreport is available, check the output below:

    $ cat sos_commands/subscription_manager/curl_-vv_https_..subscription.rhsm.redhat.com_443.subscription_--cacert_.etc.rhsm.ca.redhat-uep.pem
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 209.132.178.16:443...
    * Connected to subscription.rhsm.redhat.com (209.132.178.16) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * error setting certificate file: /etc/rhsm/ca/redhat-uep.pem
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (77) error setting certificate file: /etc/rhsm/ca/redhat-uep.pem