certificate verify failed

General Discussion
1

Hi, when registering my SLES 12 SP4, I have the following error:

Registering system to SUSE Customer Center
Using E-Mail: xxx@xxx
Announcing system to https://scc.suse.com
SSL verification failed: unable to get local issuer certificate
Certificate issuer: /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
Certificate subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2

Has anyone had the same experience?

2

@dsoria Hi and welcome to the Forum :slight_smile:
This TID describes your issue and resolution: https://www.suse.com/support/kb/doc/?id=000018836

3

thanks ! and thanks for the reply malcomlewis
I had already configured it in the proxy but the error continues

4

@dsoria Hi,
Can you try a cleanup and try again with debug added;

SUSEConnect --cleanup
SUSEConnect --debug -e <email> -r <reg_code>
5

these are the last lines:

Handle 0x01A5, DMI type 23, 13 bytes
System Reset
Status: Enabled
Watchdog Timer: Present
Boot Option: Do Not Reboot
Boot Option On Limit: Do Not Reboot
Reset Count: Unknown
Reset Limit: Unknown
Timer Interval: Unknown
Timeout: Unknown

Handle 0x01A8, DMI type 32, 20 bytes
System Boot Information
Status: No errors detected’
Executing: ‘zypper targetos’ Quiet: false
Executing raw: ‘zypper targetos’
Output: ‘sle-12-x86_64’
Error: ‘zypper: /usr/local/lib64/libssl.so.1.0.0: no version information available (required by /usr/lib64/libcurl.so.4)
zypper: /usr/local/lib64/libcrypto.so.1.0.0: no version information available (required by /usr/lib64/libcurl.so.4)’
opening connection to scc.suse.com:443
opened
starting SSL for scc.suse.com:443
SSL established
SSL verification failed: unable to get local issuer certificate
Certificate issuer: /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
Certificate subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed
SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
/usr/lib64/ruby/2.1.0/net/http.rb:923:in connect' /usr/lib64/ruby/2.1.0/net/http.rb:923:in block in connect’
/usr/lib64/ruby/2.1.0/timeout.rb:75:in timeout' /usr/lib64/ruby/2.1.0/net/http.rb:923:in connect’
/usr/lib64/ruby/2.1.0/net/http.rb:863:in do_start' /usr/lib64/ruby/2.1.0/net/http.rb:852:in start’
/usr/lib64/ruby/2.1.0/net/http.rb:1390:in request' /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/connection.rb:72:in json_request’
/usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/connection.rb:46:in block (2 levels) in <class:Connection>' /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/api.rb:65:in announce_system’
/usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/client.rb:102:in announce_system' /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/client.rb:243:in announce_or_update’
/usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/client.rb:27:in register!' /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/lib/suse/connect/cli.rb:49:in execute!’
/usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.3.22/bin/SUSEConnect:11:in <top (required)>' /usr/sbin/SUSEConnect:23:in load’
/usr/sbin/SUSEConnect:23:in `’

6

@dsoria Hi, so is this a physical machine or a virtual machine?

This looks similar: https://gist.github.com/brandur/344cfbf305e12140789b15debbb0dcc3

7

It’s a virtual machine
this is the result of executing the openssl command:

Server:~ # openssl s_client -showcerts -connect scc.suse.com:443
CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = “Starfield Technologies, Inc.”, CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate

Certificate chain
0 s:/CN=*.suse.com
i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
-----BEGIN CERTIFICATE-----
MIIFZjCCBE6gAwIBAgIQAm0aXpTo1eL47yP9ndDQAzANBgkqhkiG9w0BAQsFADBG
yOLyqFK2GokrLlOJqq++k0NMaf0IHjtelyKfTWVj+if78hyGdXVWYI4o
-----END CERTIFICATE-----
1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
i:/C=US/O=Amazon/CN=Amazon Root CA 1
-----BEGIN CERTIFICATE-----
MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF
yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/
-----END CERTIFICATE-----
2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgITBn+USionzfP6wq4rAfkI7rnExjANBgkqhkiG9w0BAQsF
bRRYh5TmOTFffHPLkIhqhBGWJ6bt2YFGpn6jcgAKUj6DiAdjd4lpFw85hdKrCEVN
0FE6/V1dN2RMfjCyVSRCnTawXZwXgWHxyvkQAiSr6w10kY17RSlQOYiypok1JR4U
akcjMS9cmvqtmg5iUaQqqcT5NJ0hGA==
-----END CERTIFICATE-----
3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEdTCCA12gAwIBAgIJAKcOSkw0grd/MA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
8jxwmKy6abaVd38PMV4s/KCHOkdp8Hlf9BRUpJVeEXgSYCfOn8J3/yNTd126/+pZ
59vPr5KW7ySaNRB6nJHGDn2Z9j8Z3/VyVOEVqQdZe4O/Ui5GjLIAZHYcSNPYeehu
VsyuLAOQ1xk4meTKCRlb/weWsKh/NEnfVqn3sF/tM+2MR7cwA130A4w=
-----END CERTIFICATE-----

Server certificate
subject=/CN=*.suse.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5485 bytes and written 433 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7C508EDC421ADAD1C12A3B048C6F6E8DAFAEA6A98479BF8B08F62008A11DAF5C
Session-ID-ctx:
Master-Key: 76C954DE03B2257F4CC4A5240D88A89F7494C957D209F72EFF490B845045FEADF7FF5C7066127C964064155DBE29D9A4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 43200 (seconds)
TLS session ticket:
0000 - 6b 86 a6 67 7f 43 c0 aa-f3 69 bb 1d 27 67 da ce k…g.C…i…‘g…
00a0 - f7 3f fc d9 27 b7 96 c2-ca 56 49 4e 26 d1 30 b9 .?..’…VIN&.0.

Start Time: 1616532436
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

closed

8

@dsoria Hi on AWS? Hmmm, might pay to repost the question over in https://forums.suse.com/categories/amazon-ec2 else are you in a position to open a Support Request?

9

no, my server is “on-premise”, it is a virtual machine in the vmware environment

10

@dsoria Ahh ok, so are you going through a proxy, that’s all configured to allow the SUSE domains? What about a Support Request?

11

Thanks for your time chief, I don’t have proxy enabled, the server has a direct connection to the internet
How is the procedure for the Support Request?

12

@dsoria Hi, if you log into your account on SCC (https://scc.suse.com), you can raise a request there.