Using RHEL mock chroots with subscription manager: SSL certificate error

Hello.

I followed Feature RHEL chroots | Mock a while back and everything worked well.

Suddenly, I get:

$ mock -r rhel-8-x86_64 init
...
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Enterprise Linux - BaseOS               2.6 kB/s | 465  B     00:00    
Errors during downloading metadata for repository 'rhel-baseos':
  - Status code: 403 for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os/repodata/repomd.xml (IP: 2.16.30.83)
Error: Failed to download metadata for repo 'rhel-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

This is with mock-5.9-1.fc41 and mock-core-configs-41.4-1.fc41.

I guess something has perhaps expired?

$ sudo subscription-manager register
...
This system is already registered. Use --force to override

$ sudo subscription-manager register --force
Unregistering from: subscription.rhsm.redhat.com:443/subscription
Unknown server reply (HTTP error code 400: Bad Request):
<html><13>
<head><title>400 The SSL certificate error</title></head><13>
<body><13>
<center><h1>400 Bad Request</h1></center><13>
<center>The SSL certificate error</center><13>
<hr><center>openresty</center><13>
</body><13>
</html><13>

Am I doing something wrong, or is this a problem in RH infrastructure?

subscription.rhsm.redhat.com shows SEC_ERROR_UNKNOWN_ISSUER in my browser (so does cdn.redhat.com).

I think so. The Firefox error message displays the following information:

What can you do about it?

The issue is most likely with the website, and there is nothing you can do to resolve it.

If you are on a corporate network or using antivirus software, you can reach out to the support teams for assistance. You can also notify the website’s administrator about the problem.

Just now:

$ sudo subscription-manager register --force
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: XXXX
Password: 
The system has been registered with ID: XXXX
The registered system name is: XXX

If it does not work for you, open a Red Hat ticket.

Thanks for trying.

No, I still have:

Unknown server reply (HTTP error code 400: Bad Request):
<html><13>
<head><title>400 The SSL certificate error</title></head><13>
<body><13>
<center><h1>400 Bad Request</h1></center><13>
<center>The SSL certificate error</center><13>
<hr><center>openresty</center><13>
</body><13>
</html><13>

Weird. I opened a ticket :confused:

You can test the TLS connection using openssl s_client -connect subscription.rhsm.redhat.com:443, which shows there is an issue with the certificate.

In f41, here is what I got.

openssl s_client -connect subscription.rhsm.redhat.com:443
Connecting to 209.132.178.16
CONNECTED(00000003)
depth=1 C=US, ST=North Carolina, O=Red Hat, Inc., OU=Red Hat Network, CN=Red Hat Entitlement Operations Authority, emailAddress=ca-support@redhat.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=North Carolina, O=Red Hat, Inc., OU=Red Hat Subscription Management, CN=subscription.rhsm.redhat.com, emailAddress=ca-support@redhat.com
verify return:1

I experienced something like this in a rhel9 vm with a developer subscription. At that point, no “status”, “unregister” or “clean” would work with the subscription manager. I'm not 100% sure how I got it back to work, but it involved “renewing” the developer subscription (i.e. getting a new one). I think once it’s expired long enough, nothing works any more, not even status commands, which is suboptimal. (I use it to check my epel packaging, thus the long periods of inactivity.)


The subscription-manager-rhsm-certificates package is already installed and the trust anchor ... command makes no difference.

OK, this seems to have helped:

$ sudo subscription-manager clean
All local data removed
$ sudo subscription-manager register 
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: ...
...
$ mock -r rhel-8-x86_64 init
...

I must say, this experience is quite weird.

1 Like
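
Added example, not part of any post in this thread: a small shell helper that summarizes the "verify error" lines of openssl s_client output like the one quoted above, and sorts OpenSSL's verify codes into trust-anchor problems (18, 19, 20, 21: the verifying side does not hold or trust the issuing CA) and validity problems (9, 10: certificate not yet valid or expired). The function names are made up for this example, and the sample input is the quoted output embedded again as a constructed fixture.

```shell
#!/bin/sh
# Added example: triage `openssl s_client` verification output.

# Constructed fixture: the verification lines quoted in the thread.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 C=US, ST=North Carolina, O=Red Hat, Inc., OU=Red Hat Network, CN=Red Hat Entitlement Operations Authority, emailAddress=ca-support@redhat.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=North Carolina, O=Red Hat, Inc., OU=Red Hat Subscription Management, CN=subscription.rhsm.redhat.com, emailAddress=ca-support@redhat.com
verify return:1'

# Read s_client output on stdin; print one line per verify error:
#   depth=<n> num=<code> cn=<subject CN> reason=<text>
# The error is attributed to the certificate on the preceding "depth=" line.
verify_errors() {
  awk '
    /^depth=[0-9]+ / {
      depth = $1; sub(/^depth=/, "", depth)
      # Handles both "CN=x" and the older "CN = x" subject format.
      cn = $0; sub(/^.*CN *= */, "", cn); sub(/,.*$/, "", cn)
      next
    }
    /^verify error:num=[0-9]+:/ {
      rest = $0; sub(/^verify error:num=/, "", rest)
      num = rest; sub(/:.*$/, "", num)
      sub(/^[0-9]+:/, "", rest)
      printf "depth=%s num=%s cn=%s reason=%s\n", depth, num, cn, rest
    }'
}

# Read s_client output on stdin; print one of: ok, validity, trust-anchor, other.
classify_verify() {
  errs=$(verify_errors)
  if [ -z "$errs" ]; then
    echo ok
    return 0
  fi
  case "$errs" in
    *"num=9 "*|*"num=10 "*) echo validity ;;          # not yet valid / expired
    *"num=18 "*|*"num=19 "*|*"num=20 "*|*"num=21 "*)
      echo trust-anchor ;;                            # issuer missing or untrusted
    *) echo other ;;
  esac
}

# Stand-alone run on the fixture.
printf '%s\n' "$SAMPLE_OUTPUT" | verify_errors
```

A trust-anchor result only says which CA the checking client lacks; to repeat the check against the CA bundle subscription-manager itself uses, rerun s_client with -CAfile. The path /etc/rhsm/ca/redhat-uep.pem is an assumption about a default RHSM install, not something stated in the thread.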