If any 'kcarectl' command on the server shows SSL error like this:
<urlopen error Request for `https://patches.kernelcare.com/76c4bc451ef7e942ac43d680ac587ed9c9d85e25/latest.v2? failed: ... <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>>
then the issue may be of the following nature:
1) server' time is wrong and not syncing. To resolve this it's enough to set/sync the time by using ntpdate.
2) broken rpm packages for SSL certificate (in most cases, the broken package is 'ca-certificates'). You need to check the packages by using 'rpm -V', for example:
rpm -V ca-certificates
or check recursively all RPMs:
rpm -Va --nofiles
and reinstall it if rpm looks corrupted:
yum reinstall ca-certificates
3) self-signed SSL certificate is used.
KernelCare cannot verify a certificate because it is a self-signed one.
You can get another valid SSL certificate, here two ways are possible:
- get a free certificate (Let's Encrypt, for example);
- get another certificate, i.e. generate your own root certificate, put it on your client machine (with KernelCare), then generate a new certificate for ePortal which is signed by your root certificate. This variant is possible only if ePortal is used.
- if you don't use ePortal and your KernelCare server is >= Centos/RHEL 7.2 then you can use one of these solutions:
a) disable ssl verification: In this case, you need to replace 'verify=platform_default' to 'verify=disable' in the file /etc/python/cert-verification.cfg.
b) don't change SSL settings, but use the option 'PYTHONHTTPSVERIFY=0' together with any kcarectl command. For example:
# PYTHONHTTPSVERIFY=0 /usr/bin/kcarectl --update
31 */4 * * * root PYTHONHTTPSVERIFY=0 /usr/bin/kcarectl -q --auto-update