*VM Still “Poisoned” After Moving to Public Network – Cert Issues with Subscription Manager (RHEL 9.5)*

Problem Summary

I’m running a Red Hat Enterprise Linux 9.5 virtual machine that was originally deployed inside my company’s internal environment. It was:

  • Registered to a Red Hat Satellite server
  • Behind a corporate proxy
  • Likely configured with internal CA certificates and custom repo settings

I have since exported the VM and moved it to my local, clean internet connection — no proxy, no VPN, just a regular bridged or NAT internet setup.

However, when I try to use subscription-manager to register the system to a new account or just interact with Red Hat public infrastructure, I get this error:

Unable to verify server's identity: ... (or other SSL/TLS verification errors)

It behaves like the system still trusts or expects internal certs, or maybe it doesn’t trust the real Red Hat CDN certs anymore.


Diagnosis: What I Think is Going On

I suspect that the VM is still “poisoned” by the original corporate setup:

  • The /etc/pki/ca-trust/ directory may still contain internal CAs injected by my company.
  • subscription-manager might still have config files pointing to internal servers or proxies (e.g., /etc/rhsm/rhsm.conf).
  • Package sources (/etc/yum.repos.d/*.repo) could be referencing now-inaccessible internal mirrors.
  • I noticed this message when trying to reinstall CA certificates:
    Installed package ca-certificates-xxxxxx (from anaconda) not available.
    Error: No packages marked for reinstall.
    

This indicates the package came from the original ISO (via Anaconda), but now that the VM is outside the company network, it cannot refresh or validate certs from Red Hat’s public repos.


What I Don’t Want

I don’t want the system to:

  • Validate internal TLS/SSL certs
  • Try to reach internal Satellite servers
  • Use proxy settings
  • Assume it’s on a corporate network

What I Want

I just want a clean, public RHEL system that:

  • Uses Red Hat’s public CDN (subscription.rhsm.redhat.com)
  • Validates real/public TLS certs (not internal ones)
  • Can register to a new subscription/account
  • Can access default Red Hat repositories

Things I’ve Tried (So Far)

  1. Cleaned RHSM system config:
     sudo subscription-manager clean
     sudo rm -rf /etc/rhsm /etc/pki/consumer /etc/pki/entitlement
  2. Checked and reset /etc/rhsm/rhsm.conf:
     • Ensured hostname = subscription.rhsm.redhat.com
     • Made sure ssl_verify = 1 (but also tried 0 temporarily for testing)
  3. Removed all custom/injected CA certs:
     sudo rm -f /etc/pki/ca-trust/source/anchors/*.crt
     sudo update-ca-trust extract
  4. Tried reinstalling ca-certificates:
     sudo dnf reinstall ca-certificates
     • But it says the package is “not available” (likely because no valid repo is configured or I’m not registered)
  5. Deleted all .repo files under /etc/yum.repos.d/ that looked internal.

Questions I Have

  • How can I fully reset the system’s trust store and RHSM state to match a clean, fresh RHEL install on a public network?
  • Is there a better way to fully remove internal CA influence?
  • Is there a way to refresh ca-certificates manually from a Red Hat mirror without registration?

System Info

  • OS: RHEL 9.5
  • Environment: KVM VM, now running outside company infra
  • Internet: Direct connection (no proxy), NAT network
  • Registration: Not currently registered to any account
  • Repos: No working public repos right now

Let me know if logs or configs are needed — happy to post more info.

Thanks!

Restoring defaults

To restore defaults, you need to proceed in the following order:

  • Repos
  • Packages
  • Files

But this may be tricky if you cannot sync with repos.

Repos

List enabled repos:

sudo dnf repolist

Ideally, keep only the official repos.
Disable repos that you don’t need.

Packages - Sync

Sync installed packages with repos:

sudo dnf distro-sync --allowerasing

Packages - Extras

List packages that don’t belong to enabled repos:

sudo dnf repoquery --extras

Ideally, the output should be empty.
Remove packages that you don’t need.
In any case, proceed carefully.

Files - Modified

Find modified files:

sudo rpm -V -a

The smaller the output, the better.

Files - Extras

List files not owned by installed packages:

sudo -i << EOI
grep -v -x -F -f <(rpm -q -a -l) \
<(find /etc/yum.repos.d /etc/pki /usr/share/pki)
EOI

Ideally, the output should be empty.
But some files are generated by scripts.
You cannot blindly remove them.

I’ve tried those commands but I’m not seeing any difference; whenever I try to register to a new subscription manager I get the same SSL error. Here is the output of each command:
sudo dnf repolist

[root@centreon osadmin1]# dnf repolist
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

repo id                         repo name
epel                            Extra Packages for Enterprise Linux 9 - x86_64
epel-cisco-openh264             Extra Packages for Enterprise Linux 9 openh264 (From Cisco)
rpmfusion-free-updates          RPM Fusion for EL 9 - Free - Updates
rpmfusion-nonfree-updates       RPM Fusion for EL 9 - Nonfree - Updates

[root@centreon osadmin1]#

sudo dnf distro-sync --allowerasing

> [root@centreon osadmin1]# dnf distro-sync --allowerasing
> Updating Subscription Management repositories.
> Unable to read consumer identity
> 
> This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
> 
> Last metadata expiration check: 3:56:26 ago on Fri 18 Apr 2025 10:28:09 AM CEST.
> Dependencies resolved.
> Nothing to do.
> Complete!
> [root@centreon osadmin1]#

sudo dnf repoquery --extras
Not sure whether to put the output here, but I see a lot of them, for example:


As for:

> sudo rpm -V -a
there is a lot, for example these:

grep -v -x -F -f <(rpm -q -a -l) \
    <(sudo find /etc/yum.repos.d /etc/pki /usr/share/pki)

As for this, I see the following result:

grep: /dev/fd/62 no such file or directory

For the PKI thing, I’m unsure which files to remove.
This is the result for the .crt files:


For the SSL/TLS errors, the results of each command:

Local time: Fri 2025-04-18 14:29:50 CEST
Universal time: Fri 2025-04-18 12:29:50 UTC
RTC time: Fri 2025-04-18 12:29:50
Time zone: Europe/Paris (CEST, +0200)
System clock synchronized: no
NTP service: active
RTC in local TZ: no

systemctl status chronyd.service

● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled)
   Active: active (running) since Fri 2025-04-18 14:04:05 CEST; 26min ago
     Docs: man:chronyd(8)
           man:chronyc(1)
           man:chrony.conf(5)
 Main PID: 994 (chronyd)
   Tasks: 1 (limit: 40782)
   Memory: 2.3M
   CPU: 108ms
   CGroup: /system.slice/chronyd.service
           └─994 /usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)

Apr 18 14:04:05 centreon systemd[1]: Starting NTP client/server...
Apr 18 14:04:05 centreon chronyd[994]: chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNC)
Apr 18 14:04:05 centreon chronyd[994]: Loaded 0 symmetric keys
Apr 18 14:04:05 centreon chronyd[994]: Using right/UTC timezone to obtain leap second data
Apr 18 14:04:05 centreon chronyd[994]: Frequency -33.378 +/- 0.538 ppm read from /var/lib/chrony/drift
Apr 18 14:04:05 centreon chronyd[994]: Loaded seccomp filter (level 2)
Apr 18 14:04:05 centreon systemd[1]: Started NTP client/server.
MS Name/IP address      Stratum Poll Reach LastRx Last sample
===============================================================================
Reference ID     : 00000000 ()
Stratum          : 0
Ref time (UTC)   : Thu Jan 01 00:00:00 1970
System time      : 0.000000016 seconds slow of NTP time
Last offset      : +0.000000000 seconds
RMS offset       : 0.000000000 seconds
Frequency        : 33.378 ppm slow
Residual freq    : +0.000 ppm
Skew             : 0.000 ppm
Root delay       : 1.000000000 seconds
Root dispersion  : 1.000000000 seconds
Update interval  : 0.0 seconds
Leap status      : Not synchronised

I just want to be able to finally download anything I want, as if this were a normal ISO.

I’ve managed to register it by changing the registration through the VM while it was still in the corporate cloud, then exported it, but now I’m getting this error:


I do have an internet connection (I’m on a public connection) but have no clue why I get this error again.

And curl with -v gives this:


So I’m guessing it’s a certificate problem; I need to reset the certificates, I guess, because old ones from the company are still being used. If so, do I just follow what you’ve said earlier:

PKI

Remove CA certs correctly:

sudo trust anchor --remove /path/to/ca.crt
sudo rm -f /path/to/ca.crt
sudo update-ca-trust

I’ve gotten the exact same result as you, but as soon as I type dnf update I get the error again.

Could it be because of old ca-certificates that are still installed in this VM from the old company config? Because I see some CA bundles like this:

I’m guessing I might need to delete the other two,


but I’m not sure how to do it correctly; I don’t want to run into more problems again.

I can’t even unregister; I get the same error:

I have no clue what to do at this point.

I was able to unregister and register again by disabling SSL cert verification in the rhsm.conf file, but then when I tried dnf update I got this again:


and the output of :

sudo subscription-manager status
sudo subscription-manager repos --list

gives:


As for the second command, I see a lot of repos.

I also copied the “.pem” file from a different server where everything works (Red Hat ISO installed through Google) to my server, yet I still got the access rights error.

I believe I fixed it: the problem was the katello-ca-consumer package. I removed it and everything related to it.
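The resolution above (a Satellite-installed CA package still present) and the earlier "which CA bundles do I delete" question come down to one check: for each PEM file in the trust directories, which package owns it and whose certificates it contains. The following is an added example, not code from the thread or from Red Hat. It prints subject, issuer, expiry and self-signed status for every certificate in every .pem/.crt file under a directory, together with the owning RPM or "unowned", and it only removes an anchor by hand (the `trust anchor --remove` sequence given earlier in the thread) when no package owns it; an owned file should go with `dnf remove` of its package, which is what fixed this thread. The throwaway CA named katello-server-ca is generated for the demo and is not a real Satellite certificate.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Describes every certificate inside the PEM
# files of a directory (subject, issuer, notAfter, self-signed or not) together with
# the RPM that owns each file, which is what you need before deleting a bundle.
# Dependencies: openssl; rpm, trust and update-ca-trust are used when present.
set -u

# Summarise the single PEM certificate on stdin as one tab-separated line:
# subject, issuer, notAfter, kind.
cert_summary() {
    tmp=$(mktemp)
    cat > "$tmp"
    subj=$(openssl x509 -in "$tmp" -noout -subject -nameopt RFC2253 | sed 's/^subject=[[:space:]]*//')
    iss=$(openssl x509 -in "$tmp" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[[:space:]]*//')
    exp=$(openssl x509 -in "$tmp" -noout -enddate | sed 's/^notAfter=//')
    rm -f "$tmp"
    kind="issued certificate"
    if [ "$subj" = "$iss" ]; then kind="self-signed root"; fi
    printf '%s\t%s\t%s\t%s\n' "$subj" "$iss" "$exp" "$kind"
}

# Walk a PEM file (possibly a bundle) and summarise each certificate in it.
pem_certs() {
    cert=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "-----BEGIN CERTIFICATE-----") cert=$line ;;
            "-----END CERTIFICATE-----")
                printf '%s\n%s\n' "$cert" "$line" | cert_summary
                cert="" ;;
            *)
                if [ -n "$cert" ]; then cert="$cert
$line"; fi ;;
        esac
    done < "$1"
}

# Report every .pem/.crt file under DIR: path, owning package (or "unowned"), certs.
anchor_report() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' \) | LC_ALL=C sort | while IFS= read -r f; do
        owner="unowned"
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$f" 2>/dev/null) || owner="unowned"
        fi
        printf '%s\t%s\n' "$f" "$owner"
        pem_certs "$f" | sed 's/^/    /'
    done
}

# Remove an anchor as the thread describes, but refuse when an RPM owns the file:
# then the package (katello-ca-consumer-* in this thread) is what must be removed.
anchor_remove() {
    if command -v rpm >/dev/null 2>&1 && owner=$(rpm -qf "$1" 2>/dev/null); then
        echo "$1 belongs to $owner; run: dnf remove $owner" >&2
        return 1
    fi
    trust anchor --remove "$1"
    rm -f "$1"
    update-ca-trust
}

# Constructed sample: a throwaway self-signed CA named like a Satellite one.
make_sample_anchor() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=katello-server-ca" \
        -keyout /dev/null -out "$1" 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_sample_anchor "$work/katello-server-ca.pem"
    anchor_report "$work"
    rm -rf "$work"
}
# On a real host: anchor_report /etc/pki/ca-trust/source/anchors; anchor_report /etc/rhsm/ca
main
```

Read the report column by column: a file whose owner is katello-ca-consumer-<satellite host> and whose only certificate is a self-signed root with a corporate or Satellite subject is the residue this thread ended up removing; a file owned by ca-certificates is the stock Red Hat bundle and stays. Run it before and after `dnf remove katello-ca-consumer*` and `update-ca-trust` to confirm the anchor is actually gone from both directories.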
