SMT - Client shows error "SSL verification failed".
This document (7022878) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 11
Subscription Management Tool 12
Subscription Management Tool 11
SSL verification failed: certificate has expiredand / or :
SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
In order to get the details of the CA certificate, open a terminal session as 'root' on the SMT server and run:
openssl x509 -in /var/lib/CAM/YaST_Default_CA/cacert.pem -text
To get the details of the Server certificate, run:
(Note : If the Server certificate was recreated in the past, then there will be more than just one pem file inside the /var/lib/CAM/YaST_Default_CA/certs/ location, the standard names start from 01.pem, and onward. Please check the content of the mentioned directory and be sure to select the latest one for the following command)
openssl x509 -in /var/lib/CAM/YaST_Default_CA/certs/01.pem -text
The output of both above commands, at the top, will show lines like these:
ValidityIn the "Not After" line, the date should be in the future of the current date. When this is not the case, the certificate is expired and should be recreated by following the instructions in TID #7006024
Not Before: Nov 28 09:34:26 2008 GMT
Not After : Nov 28 09:34:26 2009 GMT
Once the expired certificate is recreated, run both above commands again, and verify the dates, as well as double check that the CA certificate was properly exported to file /srv/www/htdocs/smt.crt by running the following command as root:
openssl verify -CAfile /srv/www/htdocs/smt.crt /etc/ssl/servercerts/servercert.pem
The above command should show:
If not OK, then something went wrong and the certificates do not match, go back to TID #7006024 and repeat the steps under the title "Export the CA certificate to the smt.crt file".
IMPORTANT: As explained in TID #7006024, if only the Server certificate was expired and recreated then there is not need to re-register the Clients, but if the CA certificate was recreated then all Clients must be re-registered against the SMT to work properly. In order to re-register a Client agains the SMT server, first the Client must be de-register as explained in TID #7022119 and then register using the clientSetup4SMT.sh script as explained in the SMT official documentation.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7022878
- Creation Date: 24-Apr-2018
- Modified Date:15-Nov-2022
- Subscription Management Tool
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com