Why satellite-sync,rhn-register or yum fails with Error: The SSL certificate failed verification ?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 5
  • Red Hat Satellite.

Issue

  • yum update fails with Error: The SSL certificate failed verification.
# yum check-update
Loaded plugins: rhnplugin, security
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
:
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The SSL certificate failed verification.
  • Satellite-sync fails with The SSL certificate /usr/share/rhn/RHNS-CA-CERT failed verification

  • Satellite-sync fails with :

Error message: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

Resolution

  • Reinstall rhn-client-tools package from the installation DVD (under Packages folder) or download from Red Hat Network.

  • Check certificate validity

grep -C 2 Validity /usr/share/rhn/RHNS-CA-CERT
  • Disable Location Aware Update or add following 5 URLs to firewall settings:
    xmlrpc.rhn.redhat.com
    rhn.redhat.com

    content-xmlrpc.rhn.redhat.com
    content-web.rhn.redhat.com
    content-satellite.rhn.redhat.com

Root Cause

  • Existing rhn-client-tools package is corrupted.
  • There was firewall in between client-server and following 5 URLs were not added into firewall settings
xmlrpc.rhn.redhat.com
rhn.redhat.com
content-xmlrpc.rhn.redhat.com
content-web.rhn.redhat.com
content-satellite.rhn.redhat.com

Diagnostic Steps

  • Verify the date and time of the system is correct.

  • If the system is using http proxy then verify the proxy settings under the
    /etc/sysconfig/rhn/up2date file. enableProxy= httpProxy=

  • Edit the up2date file, to turn https off

# vi /etc/sysconfig/rhn/up2date 
Add 'useNoSSLForPackages=1'
Add 'noSSLServerURL[comment]=Remote server URL'
Add 'noSSLServerURL=http://xmlrpc.rhn.redhat.com/XMLRPC'
Save the file and check whether it helps to resolve the issue.
  • Result: Still issues "certificate verify failed" error:
  Error Downloading Packages:
  elfutils-devel-0.137-3.el5.x86_64: certificate verify failed
  nss-devel-3.12.10-7.el5_7.x86_64: certificate verify failed
  libselinux-devel-1.33.4-5.7.el5.x86_64: certificate verify failed
  :
  :
  • The CA certificate file has right permission such as below and can be read by programs:
  #  ll /usr/share/rhn/RHNS-CA-CERT 
     -rw-r--r-- 1 root root 8865 Mar 24  2010 /usr/share/rhn/RHNS-CA-CERT
  • Check if there is any network issue, check if you have the telnet installed with `rpm -qa | grep telnet'
    If telnet is not installed then you install the package using yum.
# yum install telnet -y

   # telnet xmlrpc.rhn.redhat.com 443
   Trying 209.132.183.44...
   Connected to xmlrpc.rhn.redhat.com
  • Test connection by re-registering the system and issuing tracert command at the same time on another terminal.
    Result: Unable to register the system if SSL is on
    System successfully tracerouted to redhat.com

  • Reinstall rhn-client-tools package.

# rpm -Uvh --test rhn-check-0.4.20.1-6.el5.noarch.rpm rhn-setup-0.4.20.1-6.el5.noarch.rpm rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm rhn-client-tools-0.4.20.1-6.el5.noarch.rpm yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpm
Preparing...                ########################################### [100%]

# rpm -Uvh rhn-check-0.4.20.1-6.el5.noarch.rpm rhn-setup-0.4.20.1-6.el5.noarch.rpm rhn-setup-gnome-0.4.20.1-6.el5.noarch.rpm rhn-client-tools-0.4.20.1-6.el5.noarch.rpm yum-rhn-plugin-0.5.4.1-7.el5.noarch.rpmPreparing...                ########################################### [100%]
   1:rhn-client-tools       ########################################### [ 20%]
   2:rhn-setup              ########################################### [ 40%]
   3:yum-rhn-plugin         warning: /etc/yum/pluginconf.d/rhnplugin.conf created as /etc/yum/pluginconf.d/rhnplugin.conf.rpmnew
########################################### [ 60%]
   4:rhn-check              ########################################### [ 80%]
   5:rhn-setup-gnome        ########################################### [100%]
  • Check the date of /usr/share/rhn/RHNS-CA-CERT
# ls -la /usr/share/rhn/RHNS-CA-CERT
-rw-r--r-- 1 root root 8865 May  6  2013 /usr/share/rhn/RHNS-CA-CERT

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.