Symptom & Impact
The browser blocks access to Cockpit because of a CN/SAN mismatch or an untrusted certificate chain.
Environment & Reproduction
Appears after hostname changes, certificate rotation, or migration to new domain naming.
systemctl status cockpit.socket
openssl s_client -connect localhost:9090 -showcerts </dev/null
hostnamectl
Root Cause Analysis
Cockpit serves a certificate that does not match the hostname in the URL or that lacks a trusted issuing CA.
Quick Triage
Confirm socket listener and service health.
ss -lntp | grep 9090
firewall-cmd --list-ports
journalctl -u cockpit -n 40 --no-pager
Step-by-Step Diagnosis
Inspect deployed cert files and issuer trust.
ls -l /etc/cockpit/ws-certs.d
for f in /etc/cockpit/ws-certs.d/*.cert; do echo "== $f"; openssl x509 -in "$f" -noout -subject -issuer -ext subjectAltName; done
update-ca-trust check

Solution – Primary Fix
Install correct cert/key pair for current hostname and restart socket.
sudo cp /tmp/cockpit.cert /etc/cockpit/ws-certs.d/50-custom.cert
sudo cp /tmp/cockpit.key /etc/cockpit/ws-certs.d/50-custom.key
sudo chmod 600 /etc/cockpit/ws-certs.d/50-custom.key
sudo systemctl restart cockpit.socket

Solution – Alternative Approaches
Use enterprise PKI automation for periodic certificate enrollment and renewal.
sudo dnf install -y certmonger
sudo systemctl enable --now certmonger
Verification & Acceptance Criteria
Certificate matches FQDN and Cockpit loads without TLS warnings in managed clients.
openssl s_client -connect host.example.com:9090 -servername host.example.com </dev/null | openssl x509 -noout -subject -ext subjectAltName
systemctl status cockpit.socket
Rollback Plan
Restore previous cert files if replacement certificate is invalid.
sudo mv /etc/cockpit/ws-certs.d/50-custom.cert /etc/cockpit/ws-certs.d/50-custom.cert.bad
sudo systemctl restart cockpit.socket
Prevention & Hardening
Track certificate expiry and enforce DNS naming consistency before host renames.
for f in /etc/cockpit/ws-certs.d/*.cert; do echo "== $f"; openssl x509 -in "$f" -noout -dates; done
firewall-cmd --permanent --add-service=cockpit
firewall-cmd --reload
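A pre-rename check for the naming-consistency point above, as an added example (not from the original article or from Cockpit): it tests whether a certificate's subjectAltName covers a hostname using the rule browsers apply, where a wildcard matches exactly one leftmost label and the CN is not consulted. The function names `san_covers` and `cert_covers_host` and the sample SAN line are constructed for illustration; IP entries are compared as plain strings.

```shell
#!/bin/sh
# san_covers HOST SAN_LINE
# SAN_LINE is the value line printed by `openssl x509 -noout -ext subjectAltName`.
# Returns 0 if HOST is covered by a DNS or IP Address entry, 1 otherwise.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    sans=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
    set -f                          # keep "*" in wildcard entries literal
    old_ifs=$IFS; IFS=','
    rc=1
    for entry in $sans; do
        case $entry in
            dns:\*.*)
                suffix=${entry#dns:\*}        # e.g. ".lab.example.com"
                label=${host%"$suffix"}       # what the "*" would have to match
                if [ "$label" != "$host" ] && [ -n "$label" ]; then
                    # a wildcard covers one label only, so no dots allowed
                    case $label in *.*) ;; *) rc=0 ;; esac
                fi ;;
            dns:*)
                if [ "${entry#dns:}" = "$host" ]; then rc=0; fi ;;
            ipaddress:*)
                if [ "${entry#ipaddress:}" = "$host" ]; then rc=0; fi ;;
        esac
    done
    IFS=$old_ifs; set +f
    return $rc
}

# cert_covers_host CERT_FILE HOST
# Reads the SAN value (second line of the -ext output) from a deployed cert.
cert_covers_host() {
    san_line=$(openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p')
    san_covers "$2" "$san_line"
}

# Constructed sample SAN line, not taken from a real host.
SAMPLE_SAN='DNS:host.example.com, DNS:*.lab.example.com, IP Address:192.0.2.10'
for h in host.example.com node1.lab.example.com a.node1.lab.example.com newhost.example.com; do
    if san_covers "$h" "$SAMPLE_SAN"; then echo "OK        $h"; else echo "MISMATCH  $h"; fi
done
```

Run `cert_covers_host /etc/cockpit/ws-certs.d/50-custom.cert new-name.example.com` before a rename; a non-zero exit means the certificate must be reissued first.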
Related Errors & Cross-Refs
Related to firewall port 9090 blocks, reverse proxy TLS offload mistakes, and stale browser HSTS state.
References & Further Reading
RHEL Cockpit installation and TLS certificate configuration documentation.