Updating connection failed client cert
It is not intended to help with writing applications and thus does not care about specific APIs etc. But it should help with problems outside of a specific API, like different or broken SSL stacks or misconfigurations. The guide is based on the knowledge gained as the maintainer of the IO::Socket::SSL Perl module or by debugging SSL problems at work or for fun. Unfortunately SSL/TLS is a hard to debug protocol because: These kinds of problems are not obvious, because everything seems to work fine.

Since updates must be done offline until your registration is successful, you can do the following:

Note: If you have another server running RHEL 6 or higher you can use yumdownloader. Before you can do this, on a similar system running Red Hat 6 run the yumdownloader command. The example below shows a certain version; the package number will increase based on time.
For RHSM, you will need to allow TCP traffic over port 443 with the following Internet resources: Be sure your local network has the routes and SSL proxy rules it needs to connect.
HTTPS inspection by firewalls/proxies is known to cause these sorts of problems with subscription-manager, as can re-signing SSL communications (similar to a man-in-the-middle attack).
# mkdir /tmp/python-rhsm;cd /tmp/python-rhsm
# yumdownloader --resolve subscription-manager\*

Then scp the folder

tar -czvf /tmp/python-rhsm/gz /tmp/python-rhsm
scp /tmp/gz [email protected]:/tmp/

# yum remove python-rhsm
# ls -la /tmp/gz
# mkdir -p /tmp/python-rhsm
# tar -zxvf gz

cd into this directory

# yum install python-rhsm-1.14.3-1.el6.x86_64 subscription-manager-1.14.10-1.el6.x86_64 subscription-manager-firstboot-1.14.10-1.el6.x86_64 subscription-manager-gui-1.14.10-1.el6.x86_64

# openssl s_client -connect redhat.com:443 -CAfile /usr/share/rhn/RHNS-CA-CERT
CONNECTED(00000003)
139883445217096:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 309 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

# curl -v -u rhnusername --cacert /etc/rhsm/ca/https://redhat.com/subscription/users/rhnusername/owners
Enter host password for user 'rhnusername':
* About to connect() to port 443 (#0)
* Trying 184.108.40.206... connected
* Connected to (220.127.116.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/rhsm/ca/
  CApath: none
* Issuer certificate is invalid: '[email protected], CN=redhat.com, OU=Red Hat Network, O="Red Hat, Inc.", ST=North Carolina, C=US'
* NSS error -8156
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: