SMT - Client shows error "SSL verification failed".

This document (7022878) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
Subscription Management Tool 12
Subscription Management Tool 11

Situation

A SLES client system that is currently registered against an SMT server gets errors while refreshing the repositories, or the registration of a new client returns the following error:
SSL verification failed: certificate has expired
and / or :
SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Resolution

The first step is to check the status of the SMT certificates (the CA and the Server certificates) and see whether they are still valid or have expired.

To get the details of the CA certificate, open a terminal session as 'root' on the SMT server and run:
openssl x509 -in /var/lib/CAM/YaST_Default_CA/cacert.pem -text

To get the details of the Server certificate, run the command below.

(Note: If the Server certificate was recreated in the past, there will be more than one pem file inside the /var/lib/CAM/YaST_Default_CA/certs/ location. The standard names start from 01.pem and count onward. Please check the content of that directory and be sure to select the latest one for the following command.)
openssl x509 -in /var/lib/CAM/YaST_Default_CA/certs/01.pem -text

Near the top of their output, both commands above show lines like these:
Validity
  Not Before: Nov 28 09:34:26 2008 GMT
  Not After : Nov 28 09:34:26 2009 GMT
 
In the "Not After" line, the date should be later than the current date. If it is not, the certificate has expired and should be recreated by following the instructions in TID #7006024.

Once the expired certificate has been recreated, run both commands above again and verify the dates. Also double-check that the CA certificate was properly exported to the file /srv/www/htdocs/smt.crt by running the following command as root:
openssl verify -CAfile /srv/www/htdocs/smt.crt /etc/ssl/servercerts/servercert.pem

The above command should show:
/etc/ssl/servercerts/servercert.pem: OK

If the result is not OK, something went wrong and the certificates do not match. Go back to TID #7006024 and repeat the steps under the title "Export the CA certificate to the smt.crt file".
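
The checks above can be combined into one script. This is an added example, not part of the original SUSE document: the function names and the --run switch are made up here, and picking the "latest" pem file by modification time is an assumption.

```shell
#!/bin/sh
# Added example: SMT certificate health check built from the article's commands.
# Default paths are the ones given in the article; function names are made up here.
CA_CERT=/var/lib/CAM/YaST_Default_CA/cacert.pem
CERT_DIR=/var/lib/CAM/YaST_Default_CA/certs
EXPORTED_CA=/srv/www/htdocs/smt.crt
SERVER_CERT=/etc/ssl/servercerts/servercert.pem

# Newest *.pem in a directory. Assumption: "latest" means most recently
# modified; the article only says the names count up from 01.pem.
latest_pem() {
    ls -t "$1"/*.pem 2>/dev/null | head -n 1
}

# Succeeds if the certificate in $1 is still valid $2 seconds from now
# (default 0 = valid right now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Succeeds only if "openssl verify" prints exactly the line the article
# expects, "<cert>: OK". Any extra error line counts as a failure.
chain_ok() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    [ "$out" = "$2: OK" ]
}

report() {  # report <label> <file>
    if cert_valid_for "$2"; then state=valid; else state="EXPIRED or unreadable"; fi
    echo "$1 ($2): $state, $(openssl x509 -in "$2" -noout -enddate 2>/dev/null)"
    [ "$state" = valid ]
}

smt_cert_check() {
    rc=0
    srv=$(latest_pem "$CERT_DIR")
    report "CA certificate" "$CA_CERT" || rc=1
    report "Server certificate" "${srv:-$CERT_DIR/01.pem}" || rc=1
    if chain_ok "$EXPORTED_CA" "$SERVER_CERT"; then
        echo "smt.crt matches the server certificate"
    else
        echo "smt.crt does NOT verify $SERVER_CERT"; rc=1
    fi
    return $rc
}

# Run as root on the SMT server: sh smt_cert_check.sh --run
if [ "${1:-}" = "--run" ]; then smt_cert_check; fi
```

Passing a number of seconds as the second argument to cert_valid_for (for example 2592000 for 30 days) turns the expiry check into an early warning before clients start failing.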

IMPORTANT: As explained in TID #7006024, if only the Server certificate had expired and was recreated, there is no need to re-register the Clients. If the CA certificate was recreated, all Clients must be re-registered against the SMT to work properly. To re-register a Client against the SMT server, first de-register the Client as explained in TID #7022119, and then register it using the clientSetup4SMT.sh script as explained in the official SMT documentation.

Cause

In most cases the errors are caused by expired and/or mismatched certificates on the SMT server.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7022878
  • Creation Date: 24-Apr-2018
  • Modified Date: 15-Nov-2022
    • Subscription Management Tool
