OpenSSL Certificates
When using the SCC default server address (https://scc.suse.com) for registration, the SSL certificate is already present in the installation system; the SCC certificate is signed by a well-known certificate authority.
But when using a custom SMT or RMT local registration server, it is quite common to use a self-signed certificate or a certificate signed by an unknown certificate authority (usually your own).
In that case YaST displays a popup saying that the SSL communication failed.
YaST supports importing a self-signed certificate automatically.
⚠️ When importing a self-signed certificate you should verify that the certificate subject and issuer are correct and that the certificate fingerprint matches the expected value. Importing unknown or unverified certificates is a big security risk!
You should obtain the fingerprint value via a secure channel; the connection to the registration server will only be as secure as the way you verified the certificate. Importing an insecure certificate does not make the connection secure.
Such certificates need to be imported manually; YaST cannot import custom certificates automatically. In that case you need to manually import the certificate into the system.
During installation:

- At the registration step, switch to another console or press the `Ctrl+Alt+Shift+X` key combination in the graphical installation to start an `xterm` session (this does not work in the text mode installation).
- Save the certificate to the `/etc/pki/trust/anchors/registration-server.pem` file. You need to copy the certificate from disk, download it using `curl`, copy it from a USB flash disk...
- Then run the `/usr/lib/YaST2/bin/install_ssl_certificates` script.
- You can verify that the connection to the server now works correctly using the `curl` command.
- Switch back to the installer and continue with the registration step.

In an installed system:

- Save the certificate to the `/etc/pki/trust/anchors/registration-server.pem` file. You need to copy the certificate from disk, download it using `curl`, copy it from a USB flash disk...
- Then run the `update-ca-certificates` script.
- You can verify that the connection to the server now works correctly using the `curl` command.
- Run the registration module.
The imported certificate is saved to the `/etc/pki/trust/anchors/registration-server.pem` file in the installed system.
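
The manual import above, with the fingerprint check done before the certificate reaches the trust store, as an added shell example (not part of the original page or of YaST). The function names, the `REFRESH` variable and the use of a SHA-256 fingerprint are assumptions made for this example; the paths and scripts are the ones named above.

```shell
#!/bin/sh
# Added example. Usage: import_cert ./downloaded.pem "AB:CD:...:EF"
# The expected fingerprint (2nd argument) must come from a secure channel.

ANCHOR=/etc/pki/trust/anchors/registration-server.pem
# During installation set REFRESH=/usr/lib/YaST2/bin/install_ssl_certificates
REFRESH=${REFRESH:-update-ca-certificates}

# Reduce a fingerprint to bare uppercase hex, so "ab:cd", "AB CD" and
# "sha256 Fingerprint=AB:CD" all compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the normalized SHA-256 fingerprint of the PEM certificate in file $1.
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Return 0 only if file $1 parses as a certificate and its fingerprint
# equals $2. Subject and issuer are printed for the operator to review.
verify_cert() {
    openssl x509 -in "$1" -noout -subject -issuer || return 2
    expected=$(normalize_fp "$2")
    [ ${#expected} -eq 64 ] || { echo "expected value is not a SHA-256 fingerprint" >&2; return 2; }
    [ "$(cert_fp "$1")" = "$expected" ] || { echo "FINGERPRINT MISMATCH, not importing" >&2; return 1; }
}

# Verify first, install second: the file is copied to the trust anchors
# directory only after the check has passed.
import_cert() {
    verify_cert "$1" "$2" || return
    cp "$1" "$ANCHOR" && $REFRESH
}
```

Download the certificate to a temporary location rather than directly to the anchors path, so that an unverified file never sits in the trust directory.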