🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: SUSE Linux Enterprise Server 15

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

`zypper refresh` aborts with TLS handshake failures, blocking patch installs across SLES 15 hosts.

Environment & Reproduction

Triggered after CA bundle rotation or NTP drift on registered SLES 15 SP servers.

Root Cause Analysis

Stale or missing intermediate CA certificates break TLS to SUSE Customer Center and RMT mirrors.

Quick Triage

Check `timedatectl` for clock skew and verify `/etc/ssl/ca-bundle.pem` is current.

Step-by-Step Diagnosis

Run `zypper –no-gpg-checks refresh -fdb` and inspect `/var/log/zypper.log` for failing hostnames.

Illustrative mockup for sles-15 — zypper_repo-refresh-ssl_terminal
Terminal diagnostics for zypper refresh fails with SSL handshake errors against SCC or RMT — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Reinstall `ca-certificates-mozilla`, run `update-ca-certificates`, then retry `zypper refresh`.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

Illustrative mockup for sles-15 — zypper_repo-refresh-ssl_logs
Logs and evidence for zypper refresh fails with SSL handshake errors against SCC or RMT — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Temporarily redirect to a local RMT/SMT mirror with an internal CA that is already trusted.

Verification & Acceptance Criteria

`zypper refresh` succeeds and `SUSEConnect –status` shows all products active.

Rollback Plan

Restore prior `/etc/ssl` state with `snapper undochange` if certificate trust regresses.

Prevention & Hardening

Enable chronyd and track CA bundle versions through SUSE Manager or Salt.

Pairs with `SUSEConnect` HTTP 5xx and broken `zypper services` listings.

Related tutorial: View the step-by-step tutorial for sles-15.

View all sles-15 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

SUSE doc TID about SCC TLS troubleshooting and ca-certificates package notes.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.