certificate verify failed

Hi, when registering my SLES 12 SP4, I have the following error:

Registering system to SUSE Customer Center
Using E-Mail: xxx@xxx
Announcing system to https://scc.suse.com ...
SSL verification failed: unable to get local issuer certificate
Certificate issuer: /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
Certificate subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2


Has anyone had the same experience?

Comments

  • malcolmlewis Knowledge Partner

    @dsoria Hi and welcome to the Forum :)
    This TID describes your issue and resolution: https://www.suse.com/support/kb/doc/?id=000018836

  • Thanks! And thanks for the reply, malcolmlewis.
    I had already configured it in the proxy, but the error continues.

  • malcolmlewis Knowledge Partner

    @dsoria Hi,
    Can you try a cleanup and try again with debug added:

    SUSEConnect --cleanup
    SUSEConnect --debug -e <email> -r <reg_code>
    
  • These are the last lines:

    Handle 0x01A5, DMI type 23, 13 bytes
    System Reset
    Status: Enabled
    Watchdog Timer: Present
    Boot Option: Do Not Reboot
    Boot Option On Limit: Do Not Reboot
    Reset Count: Unknown
    Reset Limit: Unknown
    Timer Interval: Unknown
    Timeout: Unknown

    Handle 0x01A8, DMI type 32, 20 bytes
    System Boot Information
    Status: No errors detected'
    Executing: 'zypper targetos' Quiet: false
    Executing raw: 'zypper targetos'
    Output: 'sle-12-x86_64'
    Error: 'zypper: /usr/local/lib64/libssl.so.1.0.0: no version information available (required by /usr/lib64/libcurl.so.4)
    zypper: /usr/local/lib64/libcrypto.so.1.0.0: no version information available (required by /usr/lib64/libcurl.so.4)'
    opening connection to scc.suse.com:443...
    opened
    starting SSL for scc.suse.com:443...
    SSL established
    SSL verification failed: unable to get local issuer certificate
    Certificate issuer: /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
    Certificate subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
    Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed
    SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
    /usr/lib64/ruby/2.1.0/net/http.rb:923:in `connect'
    /usr/lib64/ruby/2.1.0/net/http.rb:923:in `block in connect'
    /usr/lib64/ruby/2.1.0/timeout.rb:75:in `timeout'
    /usr/lib64/ruby/2.1.0/net/http.rb:923:in `connect'
    /usr/lib64/ruby/2.1.0/net/http.rb:863:in `do_start'
    /usr/lib64/ruby/2.1.0/net/http.rb:852:in `start'
    /usr/lib64/ruby/2.1.0/net/http.rb:1390:in `request'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/connection.rb:72:in `json_request'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/connection.rb:46:in `block (2 levels) in <class:Connection>'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/api.rb:65:in `announce_system'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/client.rb:102:in `announce_system'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/client.rb:243:in `announce_or_update'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/client.rb:27:in `register!'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/cli.rb:49:in `execute!'
    /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/bin/SUSEConnect:11:in `<top (required)>'
    /usr/sbin/SUSEConnect:23:in `load'
    /usr/sbin/SUSEConnect:23:in `<main>'

  • malcolmlewis Knowledge Partner
    edited March 23

    @dsoria Hi, so is this a physical machine or a virtual machine?

    This looks similar: https://gist.github.com/brandur/344cfbf305e12140789b15debbb0dcc3

  • It's a virtual machine.
    This is the result of executing the openssl command:

    Server:~ # openssl s_client -showcerts -connect scc.suse.com:443
    CONNECTED(00000003)
    depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2

    verify error:num=20:unable to get local issuer certificate

    Certificate chain
    0 s:/CN=*.suse.com
    i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
    -----BEGIN CERTIFICATE-----
    MIIFZjCCBE6gAwIBAgIQAm0aXpTo1eL47yP9ndDQAzANBgkqhkiG9w0BAQsFADBG
    yOLyqFK2GokrLlOJqq++k0NMaf0IHjtelyKfTWVj+if78hyGdXVWYI4o
    -----END CERTIFICATE-----
    1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
    i:/C=US/O=Amazon/CN=Amazon Root CA 1
    -----BEGIN CERTIFICATE-----
    MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF
    yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/
    -----END CERTIFICATE-----
    2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
    i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgITBn+USionzfP6wq4rAfkI7rnExjANBgkqhkiG9w0BAQsF
    bRRYh5TmOTFffHPLkIhqhBGWJ6bt2YFGpn6jcgAKUj6DiAdjd4lpFw85hdKrCEVN
    0FE6/V1dN2RMfjCyVSRCnTawXZwXgWHxyvkQAiSr6w10kY17RSlQOYiypok1JR4U
    akcjMS9cmvqtmg5iUaQqqcT5NJ0hGA==
    -----END CERTIFICATE-----
    3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
    i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
    -----BEGIN CERTIFICATE-----
    MIIEdTCCA12gAwIBAgIJAKcOSkw0grd/MA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
    8jxwmKy6abaVd38PMV4s/KCHOkdp8Hlf9BRUpJVeEXgSYCfOn8J3/yNTd126/+pZ
    59vPr5KW7ySaNRB6nJHGDn2Z9j8Z3/VyVOEVqQdZe4O/Ui5GjLIAZHYcSNPYeehu
    VsyuLAOQ1xk4meTKCRlb/weWsKh/NEnfVqn3sF/tM+2MR7cwA130A4w=

    -----END CERTIFICATE-----

    Server certificate
    subject=/CN=*.suse.com

    issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon

    No client certificate CA names sent
    Peer signing digest: SHA512

    Server Temp Key: ECDH, P-256, 256 bits

    SSL handshake has read 5485 bytes and written 433 bytes

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7C508EDC421ADAD1C12A3B048C6F6E8DAFAEA6A98479BF8B08F62008A11DAF5C
    Session-ID-ctx:
    Master-Key: 76C954DE03B2257F4CC4A5240D88A89F7494C957D209F72EFF490B845045FEADF7FF5C7066127C964064155DBE29D9A4
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    0000 - 6b 86 a6 67 7f 43 c0 aa-f3 69 bb 1d 27 67 da ce k..g.C...i..'g..
    00a0 - f7 3f fc d9 27 b7 96 c2-ca 56 49 4e 26 d1 30 b9 .?..'....VIN&.0.

    Start Time: 1616532436
    Timeout   : 300 (sec)
    

    Verify return code: 20 (unable to get local issuer certificate)

    closed
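
An added example, not part of the original post or of SUSEConnect: it parses the `Certificate chain` section of `openssl s_client -showcerts` output and names the issuer that the server did not send, which is the CA a client would need in its local trust store to follow the chain as sent all the way to the top. The sample text is constructed from the subject/issuer lines in the output above; the function names are this example's own.

```python
import re

# Constructed sample: subject/issuer lines copied from the s_client output
# in the post above, PEM bodies omitted.
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
Certificate chain
0 s:/CN=*.suse.com
i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
i:/C=US/O=Amazon/CN=Amazon Root CA 1
2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
Server certificate
subject=/CN=*.suse.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
Verify return code: 20 (unable to get local issuer certificate)
"""

SUBJECT = re.compile(r"^\s*(\d+) s:(.+)$")
ISSUER = re.compile(r"^\s*i:(.+)$")
RETCODE = re.compile(r"Verify return code: (\d+) \((.+)\)")

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            chain.append([int(m.group(1)), m.group(2).strip(), None])
        elif chain and chain[-1][2] is None and (m := ISSUER.match(line)):
            chain[-1][2] = m.group(1).strip()
    return [tuple(c) for c in chain]

def diagnose(text):
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'N s:' / 'i:' chain entries found")
    subjects = {s for _, s, _ in chain}
    # Depths where a certificate's issuer is not the next certificate sent.
    gaps = [d for (d, _, i), (_, nxt, _) in zip(chain, chain[1:]) if i != nxt]
    top_issuer = chain[-1][2]
    # None when the top certificate is self-signed or its issuer was also sent.
    missing = None if top_issuer in subjects else top_issuer
    rc = RETCODE.search(text)
    return {"sent": len(chain), "gaps": gaps, "missing_issuer": missing,
            "verify_code": int(rc.group(1)) if rc else None}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
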

  • malcolmlewis Knowledge Partner

    @dsoria Hi, on AWS? Hmmm, might pay to repost the question over in https://forums.suse.com/categories/amazon-ec2 else are you in a position to open a Support Request?

  • No, my server is "on-premise"; it is a virtual machine in the VMware environment.

  • malcolmlewis Knowledge Partner

    @dsoria Ahh ok, so are you going through a proxy, that's all configured to allow the SUSE domains? What about a Support Request?

  • Thanks for your time, chief. I don't have a proxy enabled; the server has a direct connection to the internet.
    What is the procedure for the Support Request?

  • malcolmlewis Knowledge Partner

    @dsoria Hi, if you log into your account on SCC (https://scc.suse.com), you can raise a request there.
