Katello - synchronize repo SSL error

repository synchronization failed

Expected outcome:

Foreman and Proxy versions:
Katello version

Other relevant data:
Scenario - I build foreman+katello in DMZ synchronized repos fine, servers are able to installed packages from this DMZ foreman instance. Now I want use new foreman+katello in PROD environment and it will use repositories server by foreman in DMZ. But when I start repo sync I will get RPM1004: Error retrieving metadata: A connection error occurred.

/var/log/messages ->
pulp: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): DMZ_KATELLO
pulp: nectar.downloaders.threaded:ERROR: Skipping requests to DMZ_KATELLO due to repeated connection failures: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)
pulp: pulp.server.async.tasks:INFO: [902346bb] Task failed : [902346bb-e756-4855-b1aa-2579f1eac73e] : Error retrieving metadata: A connection error occurred

So there is problem in SSL, I need to “install” certificate on new katello to trust old katello server, but I am not able to find any relevant how-to.

thank for any reply :slight_smile:


Hi lubidl0, welcome to our forums.

To get the syncing working, you’ll need to configure content credentials for your new Foreman+Katello setup.

  1. On your source Katello (DMZ), go to Administer -> Organizations -> (Your Org) -> Primary and download the Debug Certificate.
  2. On your destination Katello (PROD), go to Content -> Content Credentials and create an SSL certificate with the Debug Certificate you downloaded previously.
  3. For the repositories you are syncing, select the Content Credential you just created as the SSL Client Cert and SSL Client Key.

Then you should be able to sync your repositories. Let us know if you have any more issues!

1 Like

Hello iballou, your how-to is functional and I can confirm it is working like a charm.
Thank you very much for your help!

Glad to hear! Also if you ever need quick support for Foreman, feel free to ask on #theforeman on freenode IRC as well.

1 Like


i was searching for something like this,

i have connected one is foreman+katello, i have another foreman+katello in a disconnected setup ,

i tried the method you suggested and still i am getting ssl error onl logs

nectar.downloaders.threaded:ERROR: Skipping requests to host1.example.com due to repeated connection failures: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)