Unable to register SLES12 SP5 PAYG based Azure instance

This document (000021300) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise for SAP Applications 12 SP5
Microsoft Azure

Situation

Standard SLES and SLES for SAP workloads running SLES 12 SP5 are unable to connect to the PAYG update infrastructure and an Azure instance registration fails.

Force new registration of the Azure instance:

# registercloudguest --force-new

Afterwards the following errors are observed in "/var/log/cloudregister" - Example (truncated output):

2023-12-13 14:08:38,406 INFO:Forced new registration
2023-12-13 14:08:38,429 INFO:Clean current registration server: ('51.145.209.119', None)
2023-12-13 14:08:38,482 INFO:System successfully removed from update infrastructure
2023-12-13 14:08:38,483 INFO:Removing credentials: /etc/zypp/credentials.d/SCCcredentials
2023-12-13 14:08:38,484 INFO:No current registration server set.
2023-12-13 14:08:38,518 INFO:Region server arguments: ?regionHint=westeurope
2023-12-13 14:08:38,519 INFO:Using API: regionInfo
2023-12-13 14:08:38,534 INFO:Region server arguments: ?regionHint=westeurope
2023-12-13 14:08:38,534 INFO:Getting update server information, attempt 1
2023-12-13 14:08:38,534 INFO:    Using region server: 52.187.53.250
2023-12-13 14:08:39,190 INFO:Region server arguments: ?regionHint=westeurope
2023-12-13 14:08:39,686 INFO:Writing SMT rootCA: /etc/pki/trust/anchors
2023-12-13 14:08:39,721 INFO:Updating CA certificates: update-ca-certificates
2023-12-13 14:08:39,970 INFO:Modified /etc/hosts, added: 52.157.241.14    smt-azure.susecloud.net    smt-azure

2023-12-13 14:08:41,012 DEBUG:Starting new HTTPS connection (1): smt-azure.susecloud.net:443
2023-12-13 14:08:41,057 DEBUG:https://smt-azure.susecloud.net:443 "POST /connect/systems/products/migrations HTTP/1.1" 422 None
2023-12-13 14:08:41,292 ERROR:Registration with ('52.157.241.14', None) failed. Trying ('52.149.120.86', None)
2023-12-13 14:08:41,293 INFO:Clean current registration server: ('52.157.241.14', None)
2023-12-13 14:08:41,339 INFO:System successfully removed from update infrastructure
2023-12-13 14:08:41,341 INFO:Removing credentials: /etc/zypp/credentials.d/SCCcredentials
2023-12-13 14:08:41,341 INFO:Removing service: SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64.service
2023-12-13 14:08:41,342 INFO:No current registration server set.
2023-12-13 14:08:41,342 INFO:Modified /etc/hosts, added: 52.149.120.86    smt-azure.susecloud.net    smt-azure

2023-12-13 14:08:42,414 DEBUG:Starting new HTTPS connection (1): smt-azure.susecloud.net:443
2023-12-13 14:08:42,441 DEBUG:https://smt-azure.susecloud.net:443 "POST /connect/systems/products/migrations HTTP/1.1" 422 None
2023-12-13 14:08:42,663 ERROR:Registration with ('52.149.120.86', None) failed. Trying ('51.145.209.119', None)
2023-12-13 14:08:42,664 INFO:No current registration server set.
2023-12-13 14:08:42,664 INFO:Modified /etc/hosts, added: 51.145.209.119    smt-azure.susecloud.net    smt-azure

2023-12-13 14:08:42,987 ERROR:Baseproduct registration failed
2023-12-13 14:08:42,987 ERROR:    [1mRegistering system to registration proxy https://smt-azure.susecloud.net[22m
[1m
Updating system details on https://smt-azure.susecloud.net ...[22m
Error: Invalid system credentials, probably because the registered system was deleted in SUSE Customer Center. Check https://smt-azure.susecloud.net whether your system appears there. If it does not, please call SUSEConnect --cleanup and re-register this system.

2023-12-13 14:08:42,988 INFO:No current registration server set.

Executing "update-ca-certificates -v" throws an error:

sles-sap-12-sp5-gen2:~ # update-ca-certificates -v
running /usr/lib/ca-certificates/update.d/50java.run ...
creating /var/lib/ca-certificates/java-cacerts ...
running /usr/lib/ca-certificates/update.d/70openssl.run ...
creating /var/lib/ca-certificates/openssl ...
running /usr/lib/ca-certificates/update.d/80etc_ssl.run ...
p11-kit: unsupported or unrecognized format: pem-directory-hash
Died at /usr/lib/ca-certificates/update.d/80etc_ssl.run line 87.
running /usr/lib/ca-certificates/update.d/99certbundle.run ...

The time stamp of directory "/var/lib/ca-certificates/pem/" was not updated:

sles-sap-12-sp5-gen2:/var/lib/ca-certificates # ll
total 392
-rw-r--r-- 1 root root 213114 Dec 13 14:35 ca-bundle.pem
-r--r--r-- 1 root root 157925 Dec 13 14:35 java-cacerts
dr-xr-xr-x 2 root root  20480 Dec 13 14:35 openssl
dr-xr-xr-x 2 root root      6 Mar 15  2022 pem

Verify both symbolic links - Note: Correct symbolic links are shown:


sles-sap-12-sp5-gen2:~ # ll /etc/ssl/ca-bundle.pem lrwxrwxrwx 1 root root 38 Dec 11 09:06 /etc/ssl/ca-bundle.pem -> /var/lib/ca-certificates/ca-bundle.pem sles-sap-12-sp5-gen2:~ # ll /etc/ssl/certs lrwxrwxrwx 1 root root 28 Dec 11 09:06 /etc/ssl/certs -> /var/lib/ca-certificates/pem

Verify "pem" directory if it contains the hash symlinks - Note: Example output is missing the hash symlinks:

sles-sap-12-sp5-gen2:/var/lib/ca-certificates # ls -lua *.0 pem/
ls: cannot access '*.0': No such file or directory
ls: cannot access 'pem/': No such file or directory

Use "strace" while updating system CA certificates:

sles-sap-12-sp5-gen2:/var/lib/ca-certificates # strace -o strace-update-ca-certificates.txt -f update-ca-certificates
p11-kit: unsupported or unrecognized format: pem-directory-hash
Died at /usr/lib/ca-certificates/update.d/80etc_ssl.run line 87.


sles-sap-12-sp5-gen2:/var/lib/ca-certificates # ll
total 1256
-rw-r--r-- 1 root root 213114 Dec 15 06:09 ca-bundle.pem
-r--r--r-- 1 root root 157925 Dec 15 06:09 java-cacerts
dr-xr-xr-x 2 root root  20480 Dec 15 06:09 openssl
-rw-r--r-- 1 root root 640569 Dec 15 06:09 strace-update-ca-certificates.txt

ISSUE: The strace output file "strace-update-ca-certificates.txt" shows a different path for the "trust" binary:

12107 execve("/usr/sbin/trust", ["trust", "extract", "--purpose=server-auth", "--filter=ca-anchors", "--format=pem-directory-hash", "-f", "/var/lib/ca-certificates/pem"], [/* 54 vars */]) = 0

Resolution

1- Verify if latest "p11-kit-tools" package version is installed which provides the "trust" binary file containing the code to create the hash symlink's - Note: The "trust" binary default path is shown:

sles-sap-12-sp5-gen2:/var/lib/ca-certificates # whereis trust
trust: /usr/bin/trust


sles-sap-12-sp5-gen2:~ # ll /usr/bin/trust 
-rwxr-xr-x 1 root root 171552 Dec 20 09:43 /usr/bin/trust


sles-sap-12-sp5-gen2:/var/lib/ca-certificates # rpm -qa p11-kit-tools
p11-kit-tools-0.23.2-8.10.1.x86_64

2- Force re-registration of the Azure instance:

sles-sap-12-sp5-gen2:~ # registercloudguest --force-new
Registration succeeded

Cause

The "trust" binary code is outdated and is not located in the default path.

Status

Top Issue

Additional Information

The "trust" binary is part of the "p11-kit-tools" package and the default path is "/usr/bin/trust".

Additional information's are shown at:

https://www.suse.com/support/update/announcement/2022/suse-ru-20221178-1/

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

Document ID:000021300
Creation Date: 20-Dec-2023
Modified Date:21-Dec-2023
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com