Environment
- NetIQ Access Manager 4.2
- NetIQ Access Manager 4.2 Access Gateway Service
- NetIQ Access Gateway Service version 4.2.1 has been installed on a fresh SLES 12.1 installation.
Situation
- SLES 12 can not be registered any more to the configured SMT server after the Access Gateway Service has been installed.
- SUSEConnect returns:
SSL verification failed: self signed certificate in certificate chain
Certificate issuer: /C=DE/CN=YaST Default CA (sles11sp3)/emailAddress=postmaster@microfocus.com
Certificate subject: /C=DE/CN=YaST Default CA (sles11sp3)/emailAddress=postmaster@microfocus.com
SUSEConnect error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed - runing openssl returns:
"WARNING: can't open config file: /root/FIPS_1.0.1s/Linux_x86_64/ssl/openssl.cnf - Executing 'zypper –no-refresh patch-check' returns:
/usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require': /usr/lib64/ruby/2.1.0/x86_64-linux-gnu/openssl.so: undefined symbol: SSLv2_method - /usr/lib64/ruby/2.1.0/x86_64-linux-gnu/openssl.so (LoadError)
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib64/ruby/2.1.0/openssl.rb:17:in `<top (required)>'
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.2.34/lib/suse/connect/connection.rb:1:in `<top (required)>'
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.2.34/lib/suse/connect.rb:9:in `<module:Connect>'
from /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.2.34/lib/suse/connect.rb:3:in `<module:SUSE>'
from /usr/lib64/ruby/gems/2.1.0/gems/suse-connect-0.2.34/lib/suse/connect.rb:1:in `<top (required)>'
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:135:in `require'
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:135:in `rescue in require'
from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:144:in `require'
from /usr/lib/zypper/commands/zypper-migration:5:in `<main>'
'/usr/lib/zypper/commands/zypper-migration' exited with status 1
Resolution
- Add the "OPENSSL_CONF=/etc/ssl" ENV variable to the end of your "/etc/profile.local" file
-------------------------------------------------------
.....
.....
export OPENSSL_CONF=/etc/ssl
#
# End of /etc/profile
------------------------------------------------------- - Close you terminal session and start a new one
- Check if the variable is set: env | grep OPENSSL-CONF
- In case SUSEConnect still throws the SSL verification error message, please issue the following 3 commands:
- mkdir –p /root/1.0.1s/Linux_x86_64
- cd /root/1.0.1s/Linux_x86_64
- ln –s /etc/ssl
- Please note that 1.0.1t is the version of openSSL that has been installed by NAM. This version might differ, hence the path should be changed accordingly.
- This issue has been addressed to engineering
Cause
- The OpenSSL Version shipped with NAM has by accident a hard coded opensslconfiguration file path reference: " /root/FIPS_1.0.1s/Linux_x86_64/ssl/openssl.cnf" which can be overwritten using the "OPENSSL-CONF" variable.