SUSE Support

Here When You Need Us

SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect: certificate verify failed.

This document (7018477) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)
SUSE Linux Enterprise Server 12 Service Pack 4 (SLES 12 SP4)
SUSE Linux Enterprise Server 12 Service Pack 5 (SLES 12 SP5)

Situation

System has a proxy set but excluded for SMT (Subscription-Management Tool) or SCC (SUSE Customer Center) e.g. via NO_PROXY variable (e.g. system was previously upgraded from SLE 11 to SLE12).

When running the SUSEConnect command, a certificate error is displayed :
SSL verification failed: unable to get local issuer certificate
SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed

When running "wget" or "curl" commands against the SMT server, the server does not report this error.

Resolution

White spaces and leading dots cannot be used in NO_PROXY.
 
The NO_PROXY settings can be changed via  "YaST" -> "Network Services" -> "Proxy", or by manually editing files.
 
When changing files manually, please edit the following two files :
/etc/sysconfig/proxy
NO_PROXY="localhost,127.0.0.1,suse.com"
/root/.curlrc
--noproxy "localhost,127.0.0.1,suse.com"

Finally, please ensure that /etc/hosts does not contain any entries for scc.suse.com or updates.suse.com.

Cause

The syntax for the NO_PROXY variable has changed.
 
Another cause for such issue may be a 3rd party application installed an alternative version of the OpenSSL libraries and alters the default file-system pointers/paths to the required version of the OpenSSL libraries. Please see (registration and updates fail due to curl: (59) failed setting cipher list: DEFAULT_SUSE

Additional Information

"unable to get local issuer certificate" could also indicate that there is a transparent proxy / network filter solution. As it works transparent for the server the only indication is a different certificate is retrieved than the original one:
 
echo|openssl s_client -connect scc.suse.com:443|head -n 10

 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018477
  • Creation Date: 11-Jan-2017
  • Modified Date:07-May-2024
    • Subscription Management Tool
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.