smt-ncc-scc-migration fails with curl error 60

This document (7016024) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Subscription Management Tool

Situation

NOTE regarding (SLE10 and SLE11 only):
Novell Customer Center (NCC) and nu.novell.com are not available anymore. SLE10 and SLE11 Systems still registered to the Novell Customer Center (NCC) can be migrated to the SUSE Customer Center (SCC) as outlined at:
SUSE Customer Center (SCC) enablement for SUSE Linux Enterprise Server 11


While in the process of migrating SMT from Novell Customer Center to SUSE Customer Center, the smt-ncc-scc-migration command returns the following curl error:

Connection to registration server failed with: 500 CURL ERROR(60) Peer certificate cannot be authenticated with known CA certificates
Failed to get product information from SCC. Migration is not possible.

Resolution

Please make sure access to *suse.com is allowed by firewall rules. As updates are distributed via a 3rd party proxy system to provide a better download experience, it is not advisable to restrict access to IP addresses as the operator of the systems may change them any time without notice.

Cause

In this particular environment the connection was established via a proxy but failed later on without obvious reason in /var/log/smt/smt-ncc-scc-migration. It turned out access to the respective website was forbidden by firewall rules.

Additional Information

Shortened example for a failed migration:

Checking if a migration is possible ...
get https://<user>:<secret>@scc.suse.com/connect/organizations/products/unscoped
* About to connect() to proxy <proxy> port 8888 (#0)
*   Trying <ip-addr>...
* connected
* Connected to <proxy> (<ip-addr>) port 8888 (#0)
* Establish HTTP proxy tunnel to scc.suse.com:443
* Server auth using Basic with user '<username>'
> CONNECT scc.suse.com:443 HTTP/1.1
Host: scc.suse.com:443
[...]
< HTTP/1.1 407 Proxy Authentication Required
[...]
* Received HTTP code 407 from proxy after CONNECT
* About to connect() to proxy <proxy> port 8888 (#0)
*   Trying <ip-addr>...
* connected
* Connected to <proxy>(<ip-addr>) port 8888 (#0)
* Establish HTTP proxy tunnel to scc.suse.com:443
[...]
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
60 Peer certificate cannot be authenticated with known CA certificates
$VAR1 = bless( {
                 '_content' => 'CURL ERROR(60) Peer certificate cannot be authenticated with known CA certificates
',
                 '_rc' => 500,
                 '_headers' => bless( {
                                        'client-warning' => 'Internal response',
                                        'client-date' => 'Thu, 18 Dec 2014 09:36:51 GMT',
                                        'content-type' => 'text/plain'
                                      }, 'HTTP::Headers' ),
                 '_msg' => 'CURL ERROR(60) Peer certificate cannot be authenticated with known CA certificates',
                 '_request' => bless( {
                                        '_content' => '',
                                        '_uri' => bless( do{\(my $o = 'https://<user>:<password>@scc.suse.com/connect/organizations/products/unscoped')}, 'URI::https' ),
                                        '_headers' => bless( {
                                                               'accept' => 'application/vnd.scc.suse.com.v4+json',
                                                               'smt' => '<smt-guid>'
                                                             }, 'HTTP::Headers' ),
                                        '_method' => 'GET'
                                      }, 'HTTP::Request' )
               }, 'HTTP::Response' );
Connection to registration server failed with: 500 CURL ERROR(60) Peer certificate cannot be authenticated with known CA certificates
Failed to get product information from SCC. Migration is not possible.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7016024
  • Creation Date: 02-Jan-2015
  • Modified Date:23-Dec-2021
    • Subscription Management Tool

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center