SMT - Client shows error "SSL verification failed".
This document (7022878) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11
Subscription Management Tool 12
Subscription Management Tool 11
Situation
SSL verification failed: certificate has expired
and/or:
SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Resolution
In order to get the details of the CA certificate, open a terminal session as 'root' on the SMT server and run:
openssl x509 -in /var/lib/CAM/YaST_Default_CA/cacert.pem -text
To get the details of the Server certificate, run:
(Note: If the Server certificate was recreated in the past, there will be more than one pem file in the /var/lib/CAM/YaST_Default_CA/certs/ location. The standard names start from 01.pem and continue onward. Check the contents of that directory and be sure to select the latest one for the following command.)
openssl x509 -in /var/lib/CAM/YaST_Default_CA/certs/01.pem -text
The output of both above commands, at the top, will show lines like these:
Validity
Not Before: Nov 28 09:34:26 2008 GMT
Not After : Nov 28 09:34:26 2009 GMT
In the "Not After" line, the date should be later than the current date. When this is not the case, the certificate is expired and should be recreated by following the instructions in TID #7006024.
Once the expired certificate is recreated, run both above commands again, and verify the dates, as well as double check that the CA certificate was properly exported to file /srv/www/htdocs/smt.crt by running the following command as root:
openssl verify -CAfile /srv/www/htdocs/smt.crt /etc/ssl/servercerts/servercert.pem
The above command should show:
/etc/ssl/servercerts/servercert.pem: OK
If not OK, then something went wrong and the certificates do not match. Go back to TID #7006024 and repeat the steps under the title "Export the CA certificate to the smt.crt file".
IMPORTANT: As explained in TID #7006024, if only the Server certificate was expired and recreated, then there is no need to re-register the Clients, but if the CA certificate was recreated, then all Clients must be re-registered against the SMT to work properly. In order to re-register a Client against the SMT server, first the Client must be de-registered as explained in TID #7022119 and then registered using the clientSetup4SMT.sh script as explained in the SMT official documentation.
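The checks from this procedure collected into one script, as an added example that is not part of the SUSE document or tooling. The paths are the ones named above; the function names and the WARN_DAYS early-warning window are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not SUSE code. Paths are the ones named in this document;
# WARN_DAYS (early-warning window in days) is an assumption.
CA_CERT=${CA_CERT:-/var/lib/CAM/YaST_Default_CA/cacert.pem}
CERT_DIR=${CERT_DIR:-/var/lib/CAM/YaST_Default_CA/certs}
SMT_CRT=${SMT_CRT:-/srv/www/htdocs/smt.crt}
SERVER_CERT=${SERVER_CERT:-/etc/ssl/servercerts/servercert.pem}
WARN_DAYS=${WARN_DAYS:-30}

# Print one word for a PEM certificate: unreadable, expired, expiring or ok.
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "$((WARN_DAYS * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Succeed only when "openssl verify" prints "<file>: OK", the line this
# document says to look for. The text is matched rather than the exit code,
# so a failed verification is never mistaken for success.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ": OK$"
}

# List every certificate with its end date, then run the chain check.
smt_cert_report() {
    rc=0
    for f in "$CA_CERT" "$SERVER_CERT" "$CERT_DIR"/*.pem; do
        [ -e "$f" ] || continue
        printf '%-10s %s  %s\n' "$(cert_status "$f")" "$f" "$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)"
    done
    [ "$(cert_status "$CA_CERT")" = ok ] && [ "$(cert_status "$SERVER_CERT")" = ok ] || rc=1
    if chain_ok "$SMT_CRT" "$SERVER_CERT"; then
        echo "chain      OK: $SERVER_CERT verifies against $SMT_CRT"
    else
        echo "chain      FAILED: re-export the CA certificate to $SMT_CRT"
        rc=1
    fi
    return "$rc"
}

# Run the report only on a host where the SMT CA actually exists.
if [ -r "$CA_CERT" ]; then smt_cert_report; fi
```

Run as root on the SMT server; the script exits non-zero when the CA certificate, the deployed server certificate or the chain check needs attention, so it can also be run from cron ahead of an expiry.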
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7022878
- Creation Date: 24-Apr-2018
- Modified Date: 15-Nov-2022
- Subscription Management Tool
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com