Environment
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Desktop 10
Novell Open Enterprise Server 2 (OES 2)
Novell SUSE Linux Enterprise Desktop 10
Novell Open Enterprise Server 2 (OES 2)
Situation
While trying to register a client against a SMT server, the following error is experienced:
linux-client:~ # suse_register -a email=$EMAIL -a regcode-sles=$REGCODE Execute curl command failed with '60': curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: cURL - Details on Server SSL Certificates
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Resolution
This issue may be encountered if:
- Time and date of server and client differ
- The certificate got created on the server and time was adjusted afterwards so the certificate becomes invalid
- A server certificate was configured in the vhost setup for SMT but the public part of the CA in /srv/www/htdocs/smt.crt does not match the certificate
- The paths for the SSL directories in /etc/smt.d/vhost-ssl.conf do not match
- The common server certificate expired
Additional Information
How to address
Cause: Time and date of server differ
Use NTP (Network Time Protocol) to synchronize the time between server and client. To accomplish this use the YaST2 NTP module to setup a NTP client.
In case there is no local NTP server available, look up the public IP of a NTP server close to your location. Please note that it might take some time for the clients to synchronize with the server. Depending on the firewall configuration, the ports to communicate with an external NTP server might need to be adjusted.
Also check time and date settings of suse_register returns the following error:
[info] SEND DATA to URI: https://smt.office.domain/center/regsvc?command=listproducts&lang=en-US&version=1.0:
[error] ERROR: Peer certificate cannot be authenticated with known CA certificates: (60)
[error] (2)
Cause: Certificate was created before time was adjusted
Using the command
Cause: Time and date of server differ
Use NTP (Network Time Protocol) to synchronize the time between server and client. To accomplish this use the YaST2 NTP module to setup a NTP client.
In case there is no local NTP server available, look up the public IP of a NTP server close to your location. Please note that it might take some time for the clients to synchronize with the server. Depending on the firewall configuration, the ports to communicate with an external NTP server might need to be adjusted.
Also check time and date settings of suse_register returns the following error:
[info] SEND DATA to URI: https://smt.office.domain/center/regsvc?command=listproducts&lang=en-US&version=1.0:
[error] ERROR: Peer certificate cannot be authenticated with known CA certificates: (60)
[error] (2)
Cause: Certificate was created before time was adjusted
Using the command
openssl x509 -in <certificate file> -text
it is possible to check the validity of a certificate. The important part of the output is:
linux:/srv/www/htdocs # openssl x509 -in smt.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b0:4a:85:14:d2:33:86:c8
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, CN=YaST Default CA (linux)/emailAddress=postmaster@domain.site
Validity
Not Before: Nov 19 11:52:58 2008 GMT
Not After : Nov 17 11:52:58 2018 GMT
Subject: C=DE, CN=YaST Default CA (linux)/emailAddress=postmaster@domain.site
Subject Public Key Info:
Check the Validity section in the output of the openssl command if it matches.
linux:/srv/www/htdocs # openssl x509 -in smt.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b0:4a:85:14:d2:33:86:c8
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, CN=YaST Default CA (linux)/emailAddress=postmaster@domain.site
Validity
Not Before: Nov 19 11:52:58 2008 GMT
Not After : Nov 17 11:52:58 2018 GMT
Subject: C=DE, CN=YaST Default CA (linux)/emailAddress=postmaster@domain.site
Subject Public Key Info:
Check the Validity section in the output of the openssl command if it matches.
Also, use Yast | Security and Users | CA Managment to check the validity period of the server certificates, as the above command only checks the validity period of the CA.
Cause: Server certificate does not match CA
SMT stores a copy of the public part of the CA as smt.crt in /srv/www/htdocs. This copy is downloaded and used by the client to verify the SMT server.
In case a existing certificate was used to configure the Apache2 host, it might happen that the CA copy and certificate do not match.
Copy the appropriate part of the CA to /srv/www/htdocs/smt.crt and import it on the client using clientsetup4smt.sh.
Cause: Paths for SSL directories in /etc/smt.d/vhost-ssl.conf do not match
SMT stores a apache vhost-ssl.conf file in /etc/smt.d/. If the paths for the SSL certificates in this configuration file do not match the current paths (YaST-CA.pem in /etc/ssl/certs/ and servercert.pem and serverkey.pem in /etc/ssl/servercerts/ the suse_register command will compare the imported CA with a different certificate and fail.
In order to correct this either adjust the paths in /etc/smt.d/vhost-ssl-conf or restore the file from the latest smt RPM.
Cause: The common server certificate expired
Recreate the server certificate. Please see KB 7006024 - Howto recreate SMT11 CA and server certificate ( https://support.microfocus.com/kb/doc.php?id=7006024 ) for details. Attention: only the server certificate has to be recreated, not the CA!
Cause: Network environment uses a proxy server
The command "./clientSetup4SMT.sh --host SMT-FQDN" returns:
This issue may be experienced if the proxy is not properly configured on the system. Please use the YaST2 proxy module to configure the proxy settings and if necessary add an exclude for the SMT server.
Cause: Server certificate does not match CA
SMT stores a copy of the public part of the CA as smt.crt in /srv/www/htdocs. This copy is downloaded and used by the client to verify the SMT server.
In case a existing certificate was used to configure the Apache2 host, it might happen that the CA copy and certificate do not match.
Copy the appropriate part of the CA to /srv/www/htdocs/smt.crt and import it on the client using clientsetup4smt.sh.
Cause: Paths for SSL directories in /etc/smt.d/vhost-ssl.conf do not match
SMT stores a apache vhost-ssl.conf file in /etc/smt.d/. If the paths for the SSL certificates in this configuration file do not match the current paths (YaST-CA.pem in /etc/ssl/certs/ and servercert.pem and serverkey.pem in /etc/ssl/servercerts/ the suse_register command will compare the imported CA with a different certificate and fail.
In order to correct this either adjust the paths in /etc/smt.d/vhost-ssl-conf or restore the file from the latest smt RPM.
Cause: The common server certificate expired
Recreate the server certificate. Please see KB 7006024 - Howto recreate SMT11 CA and server certificate ( https://support.microfocus.com/kb/doc.php?id=7006024 ) for details. Attention: only the server certificate has to be recreated, not the CA!
Cause: Network environment uses a proxy server
The command "./clientSetup4SMT.sh --host SMT-FQDN" returns:
Do you accept this certificate? [y/n] y
Client setup finished.
Start the registration now? [y/n] y
/usr/bin/suse_register -i -L /root/.suse_register.log
There are no enabled services defined.
Use 'zypper addservice' or 'zypper modifyservice' commands to add or enable services.
There are no enabled repositories defined.
Use 'zypper addrepo' or 'zypper modifyrepo' commands to add or enable repositories.
ERROR: HTTP/1.1 200 Connection established
Accept-Ranges: none
Connection: Keep-Alive
(2)
ERROR: Peer certificate cannot be authenticated with known CA certificates: (60)
(2)
ERROR: Peer certificate cannot be authenticated with known CA certificates: (60)
(2)
Client setup finished.
Start the registration now? [y/n] y
/usr/bin/suse_register -i -L /root/.suse_register.log
There are no enabled services defined.
Use 'zypper addservice' or 'zypper modifyservice' commands to add or enable services.
There are no enabled repositories defined.
Use 'zypper addrepo' or 'zypper modifyrepo' commands to add or enable repositories.
ERROR: HTTP/1.1 200 Connection established
Accept-Ranges: none
Connection: Keep-Alive
(2)
ERROR: Peer certificate cannot be authenticated with known CA certificates: (60)
(2)
ERROR: Peer certificate cannot be authenticated with known CA certificates: (60)
(2)
This issue may be experienced if the proxy is not properly configured on the system. Please use the YaST2 proxy module to configure the proxy settings and if necessary add an exclude for the SMT server.