update-ca-certificates fails to complete due to existing /var/lib/ca-certificates/ca-bundle.pem.tmp
This document (000021252) is provided subject to the disclaimer at the end of this document.
Environment
Public Cloud
Situation
/var/lib/ca-certificates/ca-bundle.pem.tmp
Resolution
rm /var/lib/ca-certificates/ca-bundle.pem.tmp
Cause
Additional Information
TLS certificates for the Public Cloud RMTs (update servers) were updated by the Public Cloud team between March and September 2023.
Update server certificates are added to a SLES instance's list of trusted certificates, ca-bundle.pem, programmatically via the registercloudguest script.
This bug causes the update-ca-certificates call made by registercloudguest to fail. As a result, the new certificate is not added to ca-bundle.pem,
To confirm this issue on an impacted workload, run the following command, where IP_ADDRESS is the IP of the RMT (update) server:
# openssl s_client -connect IP_ADDRESS:443 </dev/null 2>/dev/null | grep -i verif
Verify return code: 21 (unable to verify the first certificate)
This can be resolved by removing the ca-bundle.pem.tmp file and running registercloudguest --force-new again.
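A diagnostic for the check described above, as an added example that is not SUSE's own tooling: it extracts the verify return code from openssl s_client output and pairs it with the presence of the leftover ca-bundle.pem.tmp. The function names and the classification labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and labels are hypothetical, not SUSE tooling.
CA_DIR_DEFAULT=/var/lib/ca-certificates

# Print the numeric "Verify return code" found in s_client output on stdin.
# Prints nothing when no such line exists (for example, the connection failed).
# TLS 1.3 sessions can print the line more than once, so keep the first only.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed if a leftover ca-bundle.pem.tmp exists in the given directory.
stale_tmp_present() {
    [ -e "${1:-$CA_DIR_DEFAULT}/ca-bundle.pem.tmp" ]
}

# Combine both observations. $1 = CA directory, $2 = verify code (may be empty).
classify() {
    if stale_tmp_present "$1"; then
        if [ "$2" = "21" ]; then
            echo "affected: stale tmp file and RMT certificate not trusted"
        else
            echo "at-risk: stale tmp file present, update-ca-certificates will fail"
        fi
    elif [ "$2" = "0" ]; then
        echo "ok"
    else
        echo "other: verify code '${2:-none}' without stale tmp file"
    fi
}

# Live check; $1 is the IP address of the RMT (update) server.
check_rmt() {
    code=$(openssl s_client -connect "$1:443" </dev/null 2>/dev/null | verify_code)
    classify "$CA_DIR_DEFAULT" "$code"
}

# Constructed sample of s_client output, for running the parser offline.
sample_output() {
    printf '%s\n' \
        'Verification error: unable to verify the first certificate' \
        'Verify return code: 21 (unable to verify the first certificate)'
}
```

Run `check_rmt IP_ADDRESS` with the IP of the RMT server; an `affected` result matches the situation this document resolves.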
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021252
- Creation Date: 29-Oct-2023
- Modified Date: 19-Dec-2023
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com