SUSE Support

Here When You Need Us

Could not handshake: Error in the certificate verification

This document (000021445) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager 4.3

Situation

When trying to add new Ubuntu 20.04.06 LTS hosts to SUMA (both through the command line in the client and in the webUI), it only works by disabling the use of "ca-certificates" in /etc/ssl/certs/. Error seen:
 
ERROR SUMMARY:
Err:3 https://suma/pub/repositories/ubuntu/20/4/bootstrap bootstrap/main amd64 Packages
Certificate verification failed: The certificate is NOT trusted. The received OCSP status response is invalid. Could not handshake: Error in the certificate verification. [IP: 10.250.0.196 443]
Ign:4 https://suma/pub/repositories/ubuntu/20/4/bootstrap bootstrap/main all Packages
Ign:5 https://suma/pub/repositories/ubuntu/20/4/bootstrap bootstrap/main Translation-pt_PT
Ign:6 https://suma/pub/repositories/ubuntu/20/4/bootstrap bootstrap/main Translation-en
Ign:7 https://suma/pub/repositories/ubuntu/20/4/bootstrap bootstrap/main Translation-pt
Ign:8 https://suma/pub/repositories/ubuntu/20/4/bootstrap bootstrap/main amd64 c-n-f Metadata
Ign:9 https://suma/pub/repositories/ubuntu/20/4/bootstrap bootstrap/main all c-n-f Metadata
Reading the package lists... Done
E: Failed to obtain https://suma/pub/repositories/ubuntu/20/4/bootstrap/dists/bootstrap/main/binary-amd64/Packages Certificate verification failed: The ificate is NOT trusted. The received OCSP status response is invalid. Could not handshake: Error in the certificate verification. [IP: xx 443]
E: Some index files failed to download. They were ignored or the old ones were used instead.
* going to install missing packages...
Reading the package lists... Done
Building dependency tree
Reading status information... Ready
E: Unable to find package venv-salt-minion
ERROR: Failed to install all missing packages.

CA-CERTIFICATE VALIDITY:
root@suma:/etc/ssl/certs# openssl x509 -in ca-certificates.crt -dates
notBefore=May 5 09:37:37 2011 GMT
notAfter=Dec 31 09:37:37 2030 GMT

Resolution

Disable the `SSLUseStapling` option for Apache2 on the SUSE Manager server. 

1. Navigate to `/etc/apache2/vhosts.d/vhost-ssl.conf` and change the `SSLUseStapling  off`.
2. Restart the spacewalk-services with "spacewalk-service restart".

Cause

OCSP Stapling is configured manually on the SUMA server.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021445
  • Creation Date: 07-May-2024
  • Modified Date:08-May-2024
    • SUSE Manager Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.