Registration in SUSE Manager is aborted with SSL/certificate error.

This document (7018600) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager 3
SUSE Manager 2.1
SUSE Manager 1.7

Situation

When trying to register a client to SUSE Manager, the registration process is interrupted with an error similar to this one:

Retrieving repository 'repo_name'
Download (curl) error for 'https://susemanagerserver.yourdomain.net/XMLRC/GET-REQ/repo-name/repodata/repomd.xml?head_requests=no':
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Abort, retry, ignore? [a/r/i/?] (a):

This is likely to happen in an older, unsupported (or supported by LTSS) version of SLES, for instance, SLES 11 SP3 or older. It can also happen in newer (even supported) versions, after a migration from SUSE Manager 2.1 to 3.0.

Resolution

Specially in the case of a migration, please make sure the bootstrap script has all the latest changes. If unsure, the easiest way to do it is by fully patching the SUSE Manager server and regenerating it, with (parameters can differ, depending on the needs):

mgr-bootstrap

Then, the script should be edited, doing the usual changes:

#exit 1

ACTIVATION_KEYS=1-xxxxxxxxx
ORG_GPG_KEY=ptf-gpg-pubkey-b37b98a9-5328792f.key,sle11-gpg-pubkey-307e3d54-53287cdc.key,res-gpg-pubkey-0182b964-4911a584.key,sle12-gpg-pubkey-39db7c82-510a966b.key,sle10-gpg-pubkey-9c800aca-53287d18.key,sle12-reserve-gpg-pubkey-50a3dd1c-50f35137.key

But this time, also the following lines should be changed to look like this:

ORG_CA_CERT=RHN-ORG-TRUSTED-SSL-CERT
ORG_CA_CERT_IS_RPM_YN=0

Should the following lines exist, they need to be commented (although updating the bootstrap script should have deleted them, so the following step wouldn't normally be needed ):

#echo "* removing TLS certificate used for bootstrap"
#echo " (will be re-added via salt state)"
#removeTLSCertificate

Additionally, and specially in the case of old unsupported releases, the following packages should be updated:

libopenssl0_9_8
libopenssl0_9_8-32bit
openssl
openssl-certs

Cause

The current bootstrap script has a section to remove the certificate and instead allow it to be salt maintained.
While this is a nice thought, right now it causes the issue described for traditional clients.

Outdated versions of openssl can also cause this SSL certificate error. Unless a newer version of openssl is installed, the problem cannot be bypassed.

Additional Information

Having a working SUSE Manager environment, the latest up to date versions for openssl packages can be easily fetched through the web-UI and copied to the SUSE Manager web server, in any subdirectory under the /srv/www/htdocs/pub/ tree. The "updates" channels should be used, or even better (if available), the "LTSS updates" channels. Any method that suits the environment best can be used (for example wget or scp) in order to copy the packages from the SUSE Manager Server to the affected client(s).

Regarding the openssl versions, similar errors are known to happen with SMT (Subscription Management Tool) or direct registration through suse_register. The solution is the same, however the way to get the updates can differ.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.