Troubleshooting SLES pay-as-you-go registration

Linux

This document describes how to resolve issues you might encounter when youconnect Compute Engine virtual machine (VM) instances running pay-as-you-go(PAYG) SUSE Linux Enterprise Server (SLES) to the SUSE Subscription ManagementTool (SMT) repository.

Before you begin

Network issues

Unresolvable domain name

You might encounter the following issues if the VM can't connect to thesmt-gce.susecloud.net SMT server:

SUSEConnect error: SocketError: getaddrinfo: Name or service not known
ping: unknown host smt-gce.susecloud.net

The cause of these issues is generally because of an incorrect resolution of theSMT server domain namesmt-gce.susecloud.net. This domain isn't globallyresolvable, so you must set its IP address according to the VM region by doingthe following:

Check the/etc/hosts file to make sure it contains an entry with thesmt-gce.susecloud.net domain.

cat/etc/hosts|grep-ismt

The output looks similar to the following, but the IP address might bedifferent:

# Added by SMT registration do not remove, retain comment as well108.59.80.221   smt-gce.susecloud.net   smt-gce

If the/etc/hosts file doesn't contain the same lines as the preceding example,do the following:

  1. Find an IP address that corresponds with your VM's region from thelist of SUSE SMT IP addresses.

  2. Edit the file to add the SUSE SMT IP address and any other informationthat is missing.

While you can modify the `/etc/hosts` file for troubleshooting purposes,it's important to know that the `registercloudguest` tool might overwrite yourchanges.

Network unavailability

You may encounter the following errors due to network unavailability, even ifthe VM is able to resolve Compute Engine Update Server domain name:

Unexpected exception.Not ready to read within timeout.
Repository 'SLE-Module-Adv-Systems-Management12-Pool' is invalid.Repository 'SLE-Module-Adv-Systems-Management12-Updates' is invalid.

The following are some examples of errors you might find in the/var/log/cloudregister log file during the investigation:

WARNING:Unable to remove client registration from serverWARNING:HTTPSConnectionPool(host='smt-gce.susecloud.net', port=443): Max retries exceeded with url: /connect/systems (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))
INFO:Region server arguments: ?regionHint=europe-central2ERROR:No response from: [('34.118.112.80', None), ('34.116.251.218', None), ('34.116.224.144', None)]

To learn more about the cause of the issue, perform a network connectivity test.The following example shows how to test an HTTPS connection usingcURL:

curl-sSI-m5-o/dev/null\-w'Response co>de (0 is OK): %{http_code}\n'\'https://smt-gce.susecloud.net'

The command's output contains anHTTP response code or anerror message. The following are common responses and errors:

  • Successful response:

    Response code (>0 is OK): 200

  • Request timeout error:

    Response code (>0 is OK): 000curl: (28) Connection timed out after 5001 milliseconds

  • Unresolvable domain error:

    Response code (>0 is OK): 000curl: (6) Could not resolve host: smt-gce.susecloud.net
Any response code greater than `0` is a positive response because the VMestablished a connection with the server, even if the response contains a clientor server error response code.

In certain scenarios, such as strict host firewall rules, the default IP addressassociated with thesmt-gce.susecloud.net domain might not be available. To ensurethat the issue isn't only related to the current IP address, test networkconnectivity for alternate regional servers. Retrieve the list of regionalservers:

Go toSUSE WebUIto obtain the list of regional update servers.

Usepint tool to obtain the list of regional update servers by CLI.

  1. Install required package

    sudozypperinstallpython3-susepubliccloudinfo

  2. Use the following command with specific region

    pintgoogleservers--regionus-central1

  3. A successful output contains a list of entries in XML format

    <?xml version='1.0' encoding='UTF-8'?>    <servers>      <server ip="146.148.73.14" name="" region="us-central1" type="regionserver-sles"/>      <server ip="162.222.182.90" name="" region="us-central1" type="regionserver-sap"/>      <server ip="108.59.80.221" name="smt-gce.susecloud.net" region="us-central1" type="smt"/>      <server ip="108.59.85.41" name="smt-gce.susecloud.net" region="us-central1" type="smt"/>      <server ip="108.59.80.58" name="smt-gce.susecloud.net" region="us-central1" type="smt"/>    </servers>

To find the full list of SUSE server IPs for Google Cloud, view the followingdocuments:

A VM misconfiguration might cause network unavailability. If you have issues,performnetwork diagnostics to identify the root cause.

Registration failed

You might encounter the following error if you have VMs with a private IP addressin Cloud NAT:

ERROR:  Registration failed: Registering system to registration proxy https://smt-gce.susecloud.netcommand '/usr/bin/zypper --non-interactive refs Python_3_Module_x86_64' failedError: zypper returned 4 with 'Problem retrieving the repository index file for service 'Python_3_Module_x86_64':Timeout exceeded when accessing 'https://smt-gce.susecloud.net/services/2045/repo/repoindex.xml?credentials=Python_3_Module_x86_64'.

To resolve this issue, review your Cloud NAT configuration and verify thatyou've set theminimum ports per VM instance parameter to at least256.

For more information, check theRegistration and zypper failed for Compute Engine instances behind Cloud NATSUSE support bulletin.

No response

If your VM experiences problems communicating with update and region servers,you might see the following errors:

  • SUSEConnect error:

    SUSEConnect error: Errno::ETIMEDOUT: Connection timed out - connect(2) for "smt-gce.susecloud.net" port 443

  • zypper error:

    Error retrieving metadata for 'SLE-Module-Adv-Systems-Management12-Pool':Not ready to read within timeout....

These errors can occur when update and region servers don't respond. To verifyif this is the case, check the/var/log/cloudregister logs for similar content:

INFO:Region server arguments: ?regionHint=europe-central2INFO:Using API: regionInfoINFO:Region server arguments: ?regionHint=europe-central2INFO:Getting update server information, attempt 1INFO:   Using region server: 130.211.242.136ERROR:  No response from: 130.211.242.136INFO:   Using region server: 35.187.193.56ERROR:  No response from: 35.187.193.56INFO:   Using region server: 162.222.182.90ERROR:  No response from: 162.222.182.90INFO:   Using region server: 130.211.88.88ERROR:  No response from: 130.211.88.88ERROR:  None of the servers respondedERROR:  Attempted: [IPv4Address('130.211.242.136'), IPv4Address('35.187.193.56'), IPv4Address('162.222.182.90'), IPv4Address('130.211.88.88')].........ERROR:Request not answered by any server after 3 attemptsERROR:Exiting without registration

To resolve this issue, try one or more of the following:

  • Confirm that the VM has an external IP address or that the Virtual Private Cloudsubnet uses a NAT (either Cloud NAT or custom solution).

  • If you modified the default network routing rules, such as limiting publicInternet access or routing traffic through an on-premises network, addroutes manually for SMT IPs through the default Compute Engine gateway, bydoing the following:

    1. Go to theRoutes page in the Google Cloud console.

      Go to the Routes page

    2. Under theRoute Management tab look for a route that includes the SUSESMT IP addresses and verify that it has the Compute Engine default gatewayas the next hop.

    3. If the route is missing, add it by clickingCreate Routeand entering the necessary information.

  • If you're using an internal passthrough Network Load Balancer, for example with additionalintermediary network software (like firewalls or custom NATs), makesure that the load balancer is the next hop for VM traffic,by doing the following:

    1. Go to theVM instances page in the Google Cloud console.

      Go to the VM instances page

    2. Click the name of the VM you want to check. TheVM details page opens.

    3. In theNetwork interfaces section, clickView details.

    4. In theFirewall and routes details section locate the route thatdefines the path to the selected IP address range.

    5. Click the name of the route and confirm that internal passthrough Network Load Balancer or itsIP address is the next hop.

    If there is no route that defines the path to the selected IP address range,or if the route's next hop is different from internal passthrough Network Load Balancer, thenset up internal passthrough Network Load Balancer as the next hop.

  • If you're using an internal passthrough Network Load Balancer, confirm that it's located in thesame region as the VM.

    1. Go to theVM instances page in the Google Cloud console.

      Go to the VM instances page

    2. Locate the VM you want to check and note down its region.

    3. Go to theLoad balancing page in the Google Cloud console.

      Go to the Load balancing page

    4. Locate the internal passthrough Network Load Balancer used and check if it is in the sameregion as the VM.

    5. If the VM and the internal passthrough Network Load Balancer aren't in the same region, enableglobal access.

Registration behind proxies

You might encounter an issue if your VMs use non-transparent proxies or othersoftware that performs person-in-the-middle (PITM) inspection (for example,Barracuda CloudGen Firewall, Palo Alto). The following example demonstrates anattempt to register SLES by using an HTTP proxy.

ERROR: Baseproduct registration failedERROR: Registering system to registration proxy https://smt-gce.susecloud.netAnnouncing system to https://smt-gce.susecloud.net ...SUSEConnect error: Net::HTTPFatalError: 503 "Service Unavailable"

SUSE doesn't officially support SLES registration behind both person-in-the-middle (PITM) andnon-transparent proxies on Compute Engine. PITM proxy configurations fail duringregistration due to certificate pinning.

Google Cloud doesn't provide support for the registration process whenyou use third-party proxying software.

We recommend using aCloud NAT configuration or setting up acustom SMT server.

VPC Service Controls violation

If your organization uses VPC Service Controls (VPC-SC), registration might fail andyou might see aRequest is prohibited by organization's policy error message.This failure can be caused by ingress or egress violations if you haven'tconfigured exceptions for SUSE Update Infrastructure in your VPC-SC policy.

To resolve this issue, add the following components to an allowlist in yourVPC-SC policy to allow the VM to communicate with SUSE Update Infrastructure:

  • Update Infrastructure Project:Suse-gce-smt (Project Number: 778092048372)
  • Service Account:778092048372@project.gserviceaccount.com
  • Required Method:compute.alpha.InstancesService.GetLicenses

OS configuration issues

Unknown registration status

If you don't know if your pay-as-you-go (PAYG) SUSE Linux Enterprise Server(SLES) is registered, run the following command:

sudoSUSEConnect--status-text

The output contains the version and registration status of the SUSE products,including SUSE Linux Enterprise Server.

Installed Products:------------------------------------------  SUSE Linux Enterprise Server 12 SP5  (SLES/12.5/x86_64)  Registered------------------------------------------...

If the status isNot Registered, re-register the VM to fix the issue:

sudoregistercloudguest--force-new

Incorrect base product symlink

You might encounter the following errors if the base product link points to anincorrect product file:

2020-06-17 12:03:56,124 ERROR:Unable to obtain product information from server "108.59.85.41,None"        Unprocessable Entity        {"type":"error","error":"Unmet product dependencies, activate one of these products first: SUSE Linux Enterprise Server 12 x86_64, SUSE Linux Enterprise Server for SAP Applications 12 x86_64, SUSE Linux Enterprise Server 12 SP1 x86_64, ...","localized_error":"..."}Unable to register modules, exiting.

This error occurs when the/etc/products.d/baseproduct symbolic link points toan incorrect product file (for example,sle-module-toolchain.prod).

To resolve this issue, update the symlink at/etc/products.d/baseproduct topoint to the appropriate base product file:

  1. Navigate to the/etc/products.d directory

    cd/etc/products.d

  2. Run the following command replacingSLES.prod withSLES_SAP.prod if you've installed SLES for SAP:

    sudoln-sfSLES.prodbaseproduct
Note: If theSLES.prod orSLES_SAP.prod product file is missing, you cancreate a new VM instance with thesame boot disk image and copy the correct file from there to the/etc/products.d directory.

Instance identity information unavailability

You might encounter the following errors if the instance identity informationisn't available for the VM. This issue can occur if a service account isn'tattached to the instance, or if the attached service account was deactivated.

Note: There is a known issue where deleting and re-creating a service accountwith the same name can cause instance identity information to becomeunavailable.
ERROR:Data collected from stderr for instance data collection "b'Unable to access instance identity information\n'"

To access the instance metadata foridentity tokensall VMs must have an associatedservice account.

For more information, read thePublic Cloud Infrastructure Update.

To check the status of your VM's service account, run the following command onthe VM:

curl-s-H'Metadata-Flavor: Google'\'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=test'

Example of a successful response with an identity token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjkzOTd0MDQxSHQ2NDNxNzkzUjY1MDIwNzEyMjZPNnppaTdqNTl3eTciLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJ0ZXN0IiwiYXpwIjoiMjY1MDIwMDUyMzgzMjYyNTk0ODU2IiwiZXhwIjoxNjgzNzEyNTQzLCJpYXQiOjE2ODM3MTI4NjQsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsInN1YiI6IjQ1NjA2MzQ5MDg5Mzc0Njg3ODI5NyJ9.EpzQ3NZ8mKStdpH10fL34qsKG0rjQEflzvLJLm2tVNX4xBJAkMhi8lcs5InUEY-QMK3njgbzdzNtD1fXoIfKoeWsqkA8vG3NkBz5zqRrtaB2STcO14H5tjIdTBsrCtET447tRXlGG5cvgMcWnRDZG92-jUZEpWki_Ri4T69X5-bBWkfE2Thm3oSUW4fScdeVOEmOgWnzD2jeVqQ_2YniywvpkT-rLzKfN-5AgN66zgBfXqJVTC90KFMebfiaOoL7z6ZSM9AjZGf45QEMZjxjd-Xzyee6ZWK8s0RE3hJlytb3zYcLt3tJwQ1WhnrC2ToJ-ZmKxxK3xKDLCvCQ6Ny5to

If the VM is unaffected, you receive a token. If the VM is affected, themetadata that's returned is an error message similar the following:

{  "error": "invalid_request",  "error_description": "Service account not enabled on this instance"}

To fix this issue, perform the following steps:

  1. Stop the VM:

    gcloudcomputeinstancesstopVM_NAME

  2. Add a service account to the VM:

    gcloudcomputeinstancesset-service-accountVM_NAME\--serviceaccountSERVICE_ACCOUNT\--no-scopes
    Note: The--no-scopes flag removes all scopes from the VM. If you don'tspecify a flag for access scope, the system assigns default scopes to thecompute instance service account, or the service account retains its currentscopes.

  3. Start the VM:

    gcloudcomputeinstancesstartVM_NAME

  4. After adding the missing service account, run the following command from theVM to re-register SLES:

    sudoregistercloudguest--force-new

Missing required packages

Registration can fail if your VM is missing essential packages likecloud-regionsrv-client,regionServiceClientConfigGCE,cloud-netconfig-gce,orsuseconnect-ng.

To resolve this issue, install the required packages, clean up registrationfiles, and re-register the VM.

  1. Install any missing packages.

    sudozypperinstallPACKAGE_NAME

    ReplacePACKAGE_NAME with the name of themissing package.

  2. Clean up old registration files:

    sudoregistercloudguest--cleansudoSUSEConnect--cleanupsudorm-f/etc/zypp/credentials.d/*sudorm-f/etc/zypp/repos.d/*sudorm-f/etc/zypp/services.d/*

  3. Re-register the VM:

    sudoregistercloudguest--force-new

Wrong python3 symbolic link

If you runregistercloudguest and see theModuleNotFoundError: No modulenamed 'requests' error, an incorrect/usr/bin/python3 symbolic link might bethe cause, for example, if you manually overwrote it.

Traceback (most recent call last):File "/usr/sbin/registercloudguest", line 34, in <module>import requestsModuleNotFoundError: No module named 'requests'

To resolve this issue, re-create the symbolic link to point to the correctPython version.

  1. Confirm the installed Python version on the instance:

    sudozypperinfopython3

  2. Check thepython3 symbolic link:

    ls-ll/usr/bin|grep-ipython3

  3. If the link is incorrect, remove it and create a new link that points tothe correct Python version (for example,python3.6):

    sudorm/usr/bin/python3sudoln-sf/usr/bin/python3.6/usr/bin/python3

SSL certificate verification failed

If certificate files are missing from the/etc/pki/trust/anchors directory,you might see errors likeCurl error 60 orssl.SSLError: [SSL:CERTIFICATE_VERIFY_FAILED]. Here's a more detailed example of an error youmight see in/var/log/cloudregister:

Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 677, in urlopen ... File "/usr/lib64/python3.6/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

You can confirm that certificate files are missing by running the following commandand seeing empty output:

ls-lart/etc/pki/trust/anchors

The output should be empty if certificates are missing:

total 0

To resolve this issue, try one of the following options:

libzypp package incompatibility

A PAYG SUSE VM with SLES for SAP 15 might fail to register with an error similarto the following:

ERROR:Baseproduct registration failedRegistering system to registration proxy https://smt-gce.susecloud.net...command '/usr/bin/zypper --non-interactive refs SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64' failedError: zypper returned 1 with 'Error occurred while setting download (curl) options for 'https://smt-gce.susecloud.net/services/2294?credentials=SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64':Unexpected exception.Unknown error reading from 'plugin:/susecloud?credentials=SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64&path=/services/2294'...- Error occurred while setting download (curl) options for 'https://smt-gce.susecloud.net/services/2294?credentials=SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64':

This issue can occur when an update to thelibzypp package leaves anincompatible version of thelibcurl4 package. Whenlibzypp tries toself-update, it can no longer uselibcurl4 to make requests to packagelocations.

To resolve this issue, manually update thelibzypp package. The followingcommand is an example, and you might need to adjust the version number:

sudorpm-ilibzypp-17.31.31-150400.3.52.2.x86_64.rpm

Unsupported OS version or outdated packages

If you're running an OS version that is outside of its general supportperiod—for example, SLES 12 SP4, for which General Support ended June 30,2020—registration might fail. This failure can occur because outdated packageson the VM are unable to communicate with SUSE update infrastructure. You might seeerrors about unreachable IPs in the/var/log/cloudregister log file, even ifnetwork connectivity seems partially successful (for example, if usingtelnet to SMTservers returns a403 Forbidden error).

To check if packages are outdated, you can view their installation dates. Packagesthat haven't been updated in over a year might be outdated. To checkthe last update time for a package, use the following command:

rpm-qa--qf'%{NAME}-%{VERSION} : %{INSTALLTIME:date}\n'|grepPACKAGE_NAME

To resolve this issue, upgrade to asupported SLES version. You might also need toupdate specific packages as described inSUSE Technical Information Documents (TIDs).

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.