So your machine is not registered to your katello - otherwise the rhsm.conf should not have cdn.redhat.com as baseurl but the pulprepos and the url of your katello.
If your machine is registered at the moment, it is only registered to redhat but not your katello - so the certificates are not fitting to your katello
Ah, good catch. So let me register it with Katello. It was registred to redhat. I’ll let you know the update tomorrow
This may be handy Administering Foreman
@jtruestedt Still no luck. I registered my client machine to my katello in rhsm.conf and still getting the same error. Any idea?
File /var/lib/openscap/content/b7772a4001f865517e30762c406dee80fdab2100ecc010f4408519a979665f6e.xml is missing. Downloading it from proxy.
2:
Download SCAP content xml from: https://ingbtcpic6vl232.code1.emi.com:9090/compliance/policies/6/content/b7772a4001f865517e30762c406dee80fdab2100ecc010f4408519a979665f6e
3:
SCAP content is missing and download failed with error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
4:
Exit status: 5
This is my client rhsm.conf file
# Red Hat Subscription Manager Configuration File:
# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname = ingbtcpic6vl232.code1.emi.com
#hostname = subscription.rhsm.redhat.com
# Server prefix:
prefix = /rhsm
#prefix = /subscription
# Server port:
port = 443
# Set to 1 to disable certificate validation:
insecure = 1
# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3
# an http proxy server to use
proxy_hostname =
# The scheme to use for the proxy when updating repo definitions, if needed
# e.g. http or https
proxy_scheme = http
# port for http proxy server
proxy_port =
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =
# host/domain suffix blacklist for proxy, if needed
no_proxy =
[rhsm]
# Content base URL:
baseurl = https://ingbtcpic6vl232.code1.emi.com/pulp/repos
#baseurl = https://cdn.redhat.com
# Repository metadata GPG key URL:
repomd_gpg_url =
# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/
# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)skatello-server-ca.pem
#repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer
# Manage generation of yum repositories for subscribed content:
manage_repos = 1
# Refresh repo files with server overrides on every yum command
full_refresh_on_yum = 1
# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1
# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins
# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d
# Manage automatic enabling of yum/dnf plugins (product-id, subscription-manager)
auto_enable_yum_plugins = 1
# Run the package profile on each yum/dnf transaction
package_profile_on_trans = 1
# Inotify is used for monitoring changes in directories with certificates.
# Currently only the /etc/pki/consumer directory is monitored by the
# rhsm.service. When this directory is mounted using a network file system
# without inotify notification support (e.g. NFS), then disabling inotify
# is strongly recommended. When inotify is disabled, periodical directory
# polling is used instead.
inotify = 1
[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440
# If set to zero, the checks done by the rhsmcertd daemon will not be splayed (randomly offset)
splay = 1
# If set to 1, rhsmcertd will not execute.
disable = 0
[logging]
default_log_level = INFO
# subscription_manager = DEBUG
# subscription_manager.managercli = DEBUG
# rhsm = DEBUG
# rhsm.connection = DEBUG
# rhsm-app = DEBUG
Attaching the logs from client machine. May be it can help
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - Traceback (most recent call last):
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib/python3.6/site-packages/katello/agent/goferd/plugin.py", line 186, in validate_registration
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - consumer = uep.getConsumer(consumer_id)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 1262, in getConsumer
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - return self.conn.request_get(method)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 882, in request_get
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - return self._request("GET", method, headers=headers, cert_key_pairs=cert_key_pairs)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 908, in _request
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - info=info, headers=headers, cert_key_pairs=cert_key_pairs)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 706, in _request
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - conn.request(request_type, handler, body=body, headers=final_headers)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/http/client.py", line 1254, in request
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self._send_request(method, url, body, headers, encode_chunked)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self.endheaders(body, encode_chunked=encode_chunked)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self._send_output(message_body, encode_chunked=encode_chunked)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self.send(msg)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/http/client.py", line 974, in send
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self.connect()
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/http/client.py", line 1422, in connect
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - server_hostname=server_hostname)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - _context=self, _session=session)
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self.do_handshake()
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self._sslobj.do_handshake()
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
Sep 28 12:18:25 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - self._sslobj.do_handshake()
Sep 28 12:20:26 localhost goferd[384389]: [ERROR][Thread-3] katello.agent.goferd.plugin:195 - ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:897)
Sep 28 12:20:26 localhost goferd[384389]: [WARNING][Thread-3] katello.agent.goferd.plugin:132 - [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:897)
so you did not use the katello-consumer.rpm to configure your rhsm and to install the correct certificates
please go to your http://yourkatello/pub/ - there should be a katello-consumer-latest.rpm
Please install this rpm on your client-machine (this should install certificates and configure the /etc/rhsm/rhsm.conf), so that you are able to register with a valid activationkey
Tried. It failed.
Updating Subscription Management repositories.
Last metadata expiration check: 0:28:59 ago on Tue 28 Sep 2021 11:56:22 AM IST.
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[FAILED] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
Should I want to do subscription-manager unregister and then try installing? @jtruestedt
you can try with unregister or subscription-manager clean
is your error occuring when you try to download the katello-ca-consumer-latest.rpm? if so try to ignore the certificate check by using http instead of https or add the insecure-flag
Tried. Here are the results
[root@localhost ~]# rpm -qa | grep katello
katello-host-tools-3.5.4-3.el8.noarch
katello-agent-3.5.4-3.el8.noarch
katello-ca-consumer-ingbtcpic6vl176.code1.emi.com-1.0-1.noarch
And then I tried to follow these verification steps in subscription-manager commands fail with the error message: "Unable to verify server's identity: tlsv1 alert unknown ca" - Red Hat Customer Portal and here is the 404 error
[root@localhost ~]# openssl s_client -connect ingbtcpic6vl232.code1.emi.com:443 -CAfile /etc/rhsm/ca/katello-server-ca.pem -verify 3
verify depth is 3
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.philips.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.philips.com
verify return:1
depth=0 C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.philips.com
verify return:1
---
Certificate chain
0 s:C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.philips.com
i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.philips.com
1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.philips.com
i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFMjCCBBqgAwIBAgIJALJhJFm2SdtnMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYD
VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
Z2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MS4wLAYD
VQQDDCVpbmdidGNwaWM2dmwyMzIuY29kZTEuZW1pLnBoaWxpcHMuY29tMB4XDTIx
MDUyNjEzMzQyM1oXDTM4MDExODEzMzQyM1owfjELMAkGA1UEBhMCVVMxFzAV
BAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtT
b21lT3JnVW5pdDEuMCwGA1UEAwwlaW5nYnRjcGljNnZsMjMyLmNvZGUxLmVtaS5w
aGlsaXBzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPV3Z4ZM
j4rtt9uM1qLezT4csow1MRFKFp5k+kBUv5+VXw9CmCjuMg0LC9hc5OdqeF984I7Z
6vzLSpCTDzsAsBz3dzoj4txJlC4PFPD/1G8pGstUFi5qiN4rbk8NAX1xZLNqd9fI
6mFL8eGqDEx34z09vm+NEr3+kDZEezsIwG7B2uZOqmqUEXx0SR/2ZWgHK5tvuvzF
RDq+PLZ3HecBIWg4pJ2Oo7TU8qGPS06lYylmbEOGtw3IwiJPYECECZZmpCFOLjIr
DUgcW4OZVDx1SymTcAT5pc51d4RXfL4UTwF3V21rwErEoNG/MCu3FFW/1BEC7Q9y
sWv/s+AG7fuDi80CAwEAAaOCAZ4wggGaMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjARBglghkgBhvhCAQEEBAMC
BkAwNQYJYIZIAYb4QgENBCgWJkthdGVsbG8gU1NMIFRvb2wgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBSzH/P+n7m0RARN419JV1JJ5+ZIbTCBxQYDVR0j
BIG9MIG6gBSepIcUiYaH3IOmtIxVgCGEmqLS8aGBlqSBkzCBkDELMAkGA1UEBhMC
VVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRAw
DgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEuMCwGA1UEAwwl
aW5nYnRjcGljNnZsMjMyLmNvZGUxLmVtaS5waGlsaXBzLmNvbYIJALJhJFm2Sdti
MDAGA1UdEQQpMCeCJWluZ2J0Y3BpYzZ2bDIzMi5jb2RlMS5lbWkucGhpbGlwcy5j
b20wDQYJKoZIhvcNAQELBQADggEBACqVvUtAIIY4oY3WK1StxBKix/nV9+NYM2f6
8ZmK6TiQx7ceds/UvEamOROrYKEdOq2Z/wN7QDXAqdnhXNlCnEnawEPZFHRTcPir
SDestzacTaWuGLpghZRSv/GVjH10GEoOMGtbfn6JlgmBt+PQWRteSFCoYEk5B3mU
ej5iNNYZecNHyPRHhCk9oWcm4lho+mdCxjcaQ8suJeZhfHWgOKnzibRGeqd3CNns
fdP603MmxAoiS85y7sYEqi8GoIWZ3zIFohppfQtrTEID5NIxR39cc7MJx8IPHHnd
0ZAtwW+WQ0lJrbE05wnmcqt6++mNMQ4cZ3t0xdKdtQvSZscAWOQ=
-----END CERTIFICATE-----
subject=C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.com
issuer=C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.com
---
Acceptable client certificate CA names
C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = ingbtcpic6vl232.code1.emi.philips.com
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256:RSA+SHA224:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3556 bytes and written 473 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 569864E5FF76B5149B4658976FB4B6342C4506536ECFD1B7F7150A68BAA4ABE0
Session-ID-ctx:
Master-Key: 5DDB236A7D21CA83242A5DB244455EEC527D68A30631ED0EA57FCCCBD18E3F0AB5A52B35EC43A4C20BAD1D4277228957
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7f a7 b1 da 61 c8 8e 3d-84 cf b4 1b 8c de d2 f5 ....a..=........
0010 - 9c 58 05 e6 98 59 94 b6-13 39 6d 5c 19 91 e2 c9 .X...Y...9m\....
0020 - 45 d7 e3 93 e0 ca 15 b6-aa f9 6f 77 a5 43 67 07 E.........ow.Cg.
0030 - b2 4f 7e 2b 54 2e ec c0-5c 7c 47 79 7f e7 b8 90 .O~+T...\|Gy....
0040 - 2d a0 9e c4 c2 6e 92 4c-bc 9c a2 42 f4 58 bb de -....n.L...B.X..
0050 - 99 28 16 63 82 85 9a 05-ed 8a 29 b1 ce f7 39 bc .(.c......)...9.
0060 - 27 fb 55 7d 18 de d0 e0-a5 41 12 4d f5 62 23 fa '.U}.....A.M.b#.
0070 - 09 d6 a4 81 f0 ab c1 92-6d 6d 6e 06 c6 18 7e 29 ........mmn...~)
0080 - 37 31 ab e6 ea 2e 05 2c-88 6c c6 fa 8e 42 db ee 71.....,.l...B..
0090 - 61 1b c6 18 05 df 95 fc-8d a4 ba 58 cd de b4 7c a..........X...|
00a0 - 17 ca 65 07 ca f5 b2 5c-31 f8 aa 6b 41 eb 8b d8 ..e....\1..kA...
00b0 - 6e d4 f8 68 71 02 98 90-d9 fa 53 9a 53 d7 8f f8 n..hq.....S.S...
00c0 - 8b 8b 9d de 18 c0 fd f5-3f f5 61 a2 86 83 7c e3 ........?.a...|.
00d0 - e7 10 46 a2 32 52 8f 76-d9 0d 5c 9b 6b cf d8 53 ..F.2R.v..\.k..S
Start Time: 1632815986
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
HTTP/1.1 400 Bad Request
Date: Tue, 28 Sep 2021 08:32:25 GMT
Server: Apache
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
closed
If you use the selfsigned CA - why do you use a certificate chain?
However, I am not sure how to continue with this certificate problem - but this is not openscap related but your katello-setup. Maybe you should open a new thread for that and someone has more ideas how to help you there. And if this is fixed try openscap and the subscription-manager again.
@almond can you provide the output of this command on your client (target system)?
update-crypto-policies --show
[root@localhost ~]# update-crypto-policies --show
DEFAULT
[root@localhost ~]#
@Jonathon_Turel @jtruestedt Also I tried to unregister and re-register using activation key
[root@localhost .ssh]# subscription-manager register --org='Test Organization' --activationkey="rhel 8.3 activation key"
Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
What exactly was your process for registering this client?
You can start fresh like this:
subscription-manager clean
yum erase katello-ca-consumer-*
yum install http://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm
subscription-manager register with username/password or activation key
Getting an error
[root@localhost yum.repos.d]# subscription-manager clean
All local data removed
[root@localhost yum.repos.d]# rpm -qa | grep katello
katello-host-tools-3.5.4-3.el8.noarch
katello-agent-3.5.4-3.el8.noarch
[root@localhost yum.repos.d]# yum install https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:00:41 ago on Tue 28 Sep 2021 11:51:39 PM IST.
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
[FAILED] katello-ca-consumer-latest.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ingbtcpic6vl232.code1.emi.com/pub/katello-ca-consumer-latest.noarch.rpm [SSL certificate problem: self signed certificate in certificate chain]
Install it via http, not https
@Jonathon_Turel
That worked
Running transaction
Preparing : 1/1
Installing : katello-ca-consumer-ingbtcpic6vl232.code1.emi.com-1.0-2.noarch 1/1
Running scriptlet: katello-ca-consumer-ingbtcpic6vl232.code1.emi.com-1.0-2.noarch 1/1
Verifying : katello-ca-consumer-ingbtcpic6vl232.code1.emi.com-1.0-2.noarch 1/1
Installed products updated.
Pipe does not exist (/var/run/fapolicyd/fapolicyd.fifo)
Perhaps fapolicy-plugin does not have enough permissions
or fapolicyd is not running...
Installed:
katello-ca-consumer-ingbtcpic6vl232.code1.emi.com-1.0-2.noarch
[root@localhost yum.repos.d]# subscription-manager register --org='Test Organization' --activationkey="rhel 8.3 activation key"
HTTP error (404 - Not Found): Couldn't find Organization 'Test Organization'.
@Jonathon_Turel This is my current rhsm.conf file in my client machine
# Red Hat Subscription Manager Configuration File:
# Unified Entitlement Platform Configuration
[server]
# Server hostname:
#hostname = subscription.rhsm.redhat.com
hostname = ingbtcpic6vl232.code1.emi.com
# Server prefix:
#prefix = /subscription
prefix = /rhsm
# Server port:
port = 443
# Set to 1 to disable certificate validation:
insecure = 0
# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3
# an http proxy server to use
proxy_hostname =
# The scheme to use for the proxy when updating repo definitions, if needed
# e.g. http or https
proxy_scheme = http
# port for http proxy server
proxy_port =
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =
# host/domain suffix blacklist for proxy, if needed
no_proxy =
[rhsm]
# Content base URL:
#baseurl = https://cdn.redhat.com
baseurl = https://ingbtcpic6vl232.code1.emi.com/pulp/repos
# Repository metadata GPG key URL:
repomd_gpg_url =
# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/
# Default CA cert to use when generating yum repo configs:
#repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
repo_ca_cert = %(ca_cert_dir)skatello-server-ca.pem
# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer
# Manage generation of yum repositories for subscribed content:
manage_repos = 1
# Refresh repo files with server overrides on every yum command
full_refresh_on_yum = 1
# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1
# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins
# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d
# Manage automatic enabling of yum/dnf plugins (product-id, subscription-manager)
auto_enable_yum_plugins = 1
# Run the package profile on each yum/dnf transaction
package_profile_on_trans = 1
# Inotify is used for monitoring changes in directories with certificates.
# Currently only the /etc/pki/consumer directory is monitored by the
# rhsm.service. When this directory is mounted using a network file system
# without inotify notification support (e.g. NFS), then disabling inotify
# is strongly recommended. When inotify is disabled, periodical directory
# polling is used instead.
inotify = 1
[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440
# If set to zero, the checks done by the rhsmcertd daemon will not be splayed (randomly offset)
splay = 1
# If set to 1, rhsmcertd will not execute.
disable = 0
[logging]
default_log_level = INFO
# subscription_manager = DEBUG
# subscription_manager.managercli = DEBUG
# rhsm = DEBUG
# rhsm.connection = DEBUG
# rhsm-app = DEBUG
subcription-manager register takes the organization label not the organization name, so you should use --org="Test_Organization"