🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: SUSE Linux Enterprise Server 16

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

`zypper refresh` aborts with SSL handshake or certificate validation errors against SCC or local mirrors.

Environment & Reproduction

Occurs after CA bundle updates or when system clock drifts on registered SLES 16 hosts.

Root Cause Analysis

Expired or missing intermediate CA certificates break TLS to SUSE Customer Center.

Quick Triage

Check time sync first: `timedatectl status` and verify `/etc/ssl/ca-bundle.pem` is current.

Step-by-Step Diagnosis

Run `zypper –no-gpg-checks refresh -fdb` and inspect `/var/log/zypper.log` for the failing host.

Illustrative mockup for sles-16 — zypper_ssl-refresh-fail_terminal
Terminal diagnostics for zypper repository refresh fails with SSL certificate error — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Reinstall `ca-certificates-mozilla` and run `update-ca-certificates`, then retry `zypper refresh`.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

Illustrative mockup for sles-16 — zypper_ssl-refresh-fail_logs
Logs and evidence for zypper repository refresh fails with SSL certificate error — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Temporarily point to a local SMT/RMT mirror that uses an internal CA you trust.

Verification & Acceptance Criteria

`zypper refresh` returns clean and `SUSEConnect –status` shows all products active.

Rollback Plan

Restore the previous `/etc/ssl` snapshot via `snapper undochange` if certificate state regresses.

Prevention & Hardening

Enable chronyd and monitor CA bundle versions via configuration management.

Often coincides with `SUSEConnect` 4xx/5xx errors and broken `zypper services` output.

Related tutorial: View the step-by-step tutorial for sles-16.

View all sles-16 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

SUSE Customer Center connectivity troubleshooting and `ca-certificates` package notes.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.