Why satellite-sync, rhn-register or yum fails with "Error: The SSL certificate failed verification"?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 5
  • Red Hat Satellite.

Issue

  • yum update fails with Error: The SSL certificate failed verification.
# yum check-update
Loaded plugins: rhnplugin, security
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
:
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The SSL certificate failed verification.
  • Satellite-sync fails with The SSL certificate /usr/share/rhn/RHNS-CA-CERT failed verification

  • Satellite-sync fails with:

Error message: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

Resolution

  • Reinstall the rhn-client-tools package from the installation DVD (under the Packages folder) or download it from Red Hat Network.

  • Check certificate validity

grep -C 2 Validity /usr/share/rhn/RHNS-CA-CERT
  • Disable Location Aware Update or add the following 5 URLs to the firewall settings:
    xmlrpc.rhn.redhat.com
    rhn.redhat.com
    content-xmlrpc.rhn.redhat.com
    content-web.rhn.redhat.com
    content-satellite.rhn.redhat.com
  • For hosts migrated from RHN to RHSM, make sure the plugin is disabled in /etc/yum/pluginconf.d/rhnplugin.conf:
[root@localhost pluginconf.d]# vim rhnplugin.conf
[main]
enabled = 0
gpgcheck = 1

Refer to the article for more details on a successful and complete migration.

Root Cause

  • The existing rhn-client-tools package is corrupted.
  • There was a firewall between the client and the server, and the following 5 URLs were not added to the firewall settings:
xmlrpc.rhn.redhat.com
rhn.redhat.com
content-xmlrpc.rhn.redhat.com
content-web.rhn.redhat.com
content-satellite.rhn.redhat.com

Diagnostic Steps

  • Verify that the system date and time are correct.

  • If the system is using an HTTP proxy, verify the proxy settings (enableProxy= and httpProxy=) in the
    /etc/sysconfig/rhn/up2date file.

  • Edit the up2date file to turn HTTPS off as a test:

# vi /etc/sysconfig/rhn/up2date 
Add 'useNoSSLForPackages=1'
Add 'noSSLServerURL[comment]=Remote server URL'
Add 'noSSLServerURL=http://xmlrpc.rhn.redhat.com/XMLRPC'
Save the file and check whether it helps to resolve the issue.
  • Result: Still issues "certificate verify failed" error:
  Error Downloading Packages:
  elfutils-devel-0.137-3.el5.x86_64: certificate verify failed
  nss-devel-3.12.10-7.el5_7.x86_64: certificate verify failed
  libselinux-devel-1.33.4-5.7.el5.x86_64: certificate verify failed
  :
  :
  • The CA certificate file has the right permissions, as shown below, and can be read by programs:
  #  ll /usr/share/rhn/RHNS-CA-CERT 
     -rw-r--r-- 1 root root 8865 Mar 24  2010 /usr/share/rhn/RHNS-CA-CERT
  • Check for network issues. First check whether telnet is installed with `rpm -qa | grep telnet`.
    If telnet is not installed, install the package using yum.
# yum install telnet -y

   # telnet xmlrpc.rhn.redhat.com 443
   Trying 209.132.183.44...
   Connected to xmlrpc.rhn.redhat.com
  • Test the connection by re-registering the system while issuing the tracert command at the same time on another terminal.
    Result: Unable to register the system if SSL is on
    System successfully tracerouted to redhat.com

  • Reinstall rhn-client-tools package.

# rpm -Uvh --test rhn-check-0.4.20.1-6.el5.noarch.rpm rhn-setup-0.4.20.1-6.el5.noarch.rpm rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm rhn-client-tools-0.4.20.1-6.el5.noarch.rpm yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpm
Preparing...                ########################################### [100%]

# rpm -Uvh rhn-check-0.4.20.1-6.el5.noarch.rpm rhn-setup-0.4.20.1-6.el5.noarch.rpm rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm rhn-client-tools-0.4.20.1-6.el5.noarch.rpm yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpm
Preparing...                ########################################### [100%]
   1:rhn-client-tools       ########################################### [ 20%]
   2:rhn-setup              ########################################### [ 40%]
   3:yum-rhn-plugin         warning: /etc/yum/pluginconf.d/rhnplugin.conf created as /etc/yum/pluginconf.d/rhnplugin.conf.rpmnew
########################################### [ 60%]
   4:rhn-check              ########################################### [ 80%]
   5:rhn-setup-gnome        ########################################### [100%]
  • Check the date of /usr/share/rhn/RHNS-CA-CERT
# ls -la /usr/share/rhn/RHNS-CA-CERT
-rw-r--r-- 1 root root 8865 May  6  2013 /usr/share/rhn/RHNS-CA-CERT
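
The certificate-validity check from the Resolution and the system-clock check from the Diagnostic Steps can be done in one pass. The script below is an added example, not part of the original Red Hat solution. It assumes the CA file carries the human-readable Validity block that the grep command above matches and that GNU date is available; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies every certificate in an "openssl x509 -text" style
# dump by comparing its Validity window with a reference time (default: now).
# Needs GNU date for "date -d".

# Constructed sample dump: two Validity blocks with made-up dates.
sample_dump() {
    cat <<'EOF'
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jan  1 00:00:00 2010 GMT
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2003 GMT
            Not After : Jan  1 00:00:00 2030 GMT
EOF
}

# cert_validity_report FILE [NOW_EPOCH]
# Prints "<index> <STATUS> notAfter=<date>" per certificate.
# Returns 1 if the file has no Validity block, 2 if a date cannot be parsed.
cert_validity_report() {
    file="$1"; now="${2:-$(date -u +%s)}"
    n=0; nb=""
    while IFS= read -r line; do
        case $line in
            *"Not Before:"*) nb=${line#*Not Before:} ;;
            *"Not After :"*)
                na=${line#*Not After :}
                n=$((n + 1))
                nb_s=$(date -u -d "$nb" +%s) || return 2
                na_s=$(date -u -d "$na" +%s) || return 2
                if [ "$now" -lt "$nb_s" ]; then status=NOT_YET_VALID  # clock behind?
                elif [ "$now" -gt "$na_s" ]; then status=EXPIRED      # stale CA file
                else status=VALID; fi
                printf '%d %s notAfter=%s\n' "$n" "$status" "${na# }"
                ;;
        esac
    done < "$file"
    [ "$n" -gt 0 ]
}

# Demo on the constructed dump, judged at a fixed reference time.
tmp=$(mktemp)
sample_dump > "$tmp"
cert_validity_report "$tmp" "$(date -u -d '2013-06-01 00:00:00 UTC' +%s)"
rm -f "$tmp"
```

On a real host, call cert_validity_report /usr/share/rhn/RHNS-CA-CERT with no second argument so the system clock is used. NOT_YET_VALID on every entry points at a wrong system date, while EXPIRED points at an outdated CA file.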

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

9 Comments

this is helpful

glad to hear it helped!

So changing from https to http worked eliminates the error. What does that signify?

That you are no longer securely connecting to xmlrpc.rhn.redhat.com. https is used for a secure/encrypted session to download content, http is not. Switching to http, from https just by-passed the issue, vs fixing it.

This is helpful! Thanks for the information.

So we connect insecure/cleartext to get registered. What steps need to be taken afterwards to be secure/encrypted again? Remove rhn-client-tools and reinstall? (Yes, we occasionally reregister systems.)

Glad it was useful, Jeff! If you're still having issues beyond the scope of this solution, I'd suggest asking the community on our Discussions area here or opening a support case with Red Hat.

This helped me fix a problem with RHEL6 - thanks.

If you've just changed your subscription configuration, be sure to check your yum plugins. “In particular, rhnplugin provides support for RHN Classic, and product-id and subscription-manager plug-ins provide support for the certificate-based Content Delivery Network (CDN).” When I disabled /etc/yum/pluginconf.d/rhnplugin.conf, the SSL errors went away.

Found this solution did not work for RHEL 6.6 and a Squid proxy

If I use http instead of https I get following error message
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel-x86_64-server-6. Please verify its path and try again