Introduction

Running SUSE Linux Enterprise Server (SLES) on AWS EC2 requires proper registration with the SUSE Update Infrastructure to receive updates and patches. Registration failures are a common issue, particularly when instances are launched from older or deprecated Amazon Machine Images (AMIs). This guide walks you through diagnosing and resolving SUSE registration issues on AWS.

Understanding the Problem

SUSE Linux Enterprise Server instances on AWS connect to the SUSE public cloud update infrastructure to receive software updates. This registration process relies on several components:

• cloud-regionsrv-client — Manages communication with SUSE region servers
• regionServiceClientConfigEC2 — EC2-specific configuration for the region service
• suseconnect-ng — The SUSE registration tool
• RMT (Repository Mirroring Tool) servers — Regional servers that provide package repositories

When these components become outdated or misconfigured, registration fails, leaving your instance unable to receive updates.

Common Causes of Registration Failure

Deprecated or Outdated AMIs

AWS Marketplace AMIs for SUSE are regularly updated. Older AMIs contain outdated registration packages that may no longer be compatible with the current SUSE Update Infrastructure.

How to check if your AMI is deprecated:

1. Navigate to the EC2 Console
2. Go to AMIs under Images
3. Search for your AMI ID
4. Check the Deprecation Date field

If your AMI’s deprecation date has passed, the registration packages are likely outdated.

Outdated Registration Packages

The SUSE public cloud registration system is updated periodically. Instances running old package versions may fail to authenticate or connect to the update servers.

Network Connectivity Issues

Registration requires outbound connectivity to:

• SUSE region servers
• RMT (Repository Mirroring Tool) servers
• AWS metadata service (169.254.169.254)

Corrupted Registration State

Previous failed registration attempts or interrupted updates can leave the registration system in an inconsistent state.

Step 1: Check Current Registration Status

First, verify your instance’s registration status:

sudo SUSEConnect -s

If registered, you’ll see a list of registered products with their status. If unregistered, you’ll see an error or empty response.

Check available repositories:

sudo zypper lr --uri -E

This shows all configured repositories. An unregistered system will have no SUSE repositories or show errors accessing them.

Step 2: Run the SUSE Cloud Repository Check Script

SUSE provides an official diagnostic script called sc-repocheck that automatically diagnoses and attempts to fix common registration issues.

What the Script Checks

• Package versions
• Baseproduct configuration
• /etc/hosts for multiple or conflicting records
• Metadata service access
• Region server access
• RMT server entry is for the correct region
• HTTP port access to RMT servers
• HTTPS port access to RMT servers
• HTTPS access using RMT certificates

Download and Run the Script

curl -O https://raw.githubusercontent.com/SUSE/susecloud-repocheck/main/sc-repocheck.py
sudo python3 sc-repocheck.py

⚠️ Note: This command requires internet access from the instance. If your instance is in a private subnet without internet access, download the script separately and transfer it to the instance.

Successful Output Example

A successful run looks like this:

2024-01-14 15:17:48,988 INFO: ~~ sc-repocheck 1.3.1 ~~
2024-01-14 15:17:48,991 INFO: Checking package versions.
2024-01-14 15:17:48,998 INFO: Package versions OK.
2024-01-14 15:17:49,000 INFO: Checking baseproduct.
2024-01-14 15:17:49,000 INFO: SLES_SAP baseproduct OK.
2024-01-14 15:17:49,000 INFO: Checking /etc/hosts for multiple records.
2024-01-14 15:17:49,000 INFO: /etc/hosts OK.
2024-01-14 15:17:49,001 INFO: Checking metadata access.
2024-01-14 15:17:49,009 INFO: Metadata OK.
2024-01-14 15:17:49,009 INFO: Checking regionserver access.
2024-01-14 15:17:56,205 INFO: Region server access OK.
2024-01-14 15:17:56,205 INFO: Checking RMT server entry is for correct region.
2024-01-14 15:17:56,207 INFO: RMT server entry OK.
2024-01-14 15:17:56,207 INFO: Checking http port access to RMT servers.
2024-01-14 15:17:56,207 INFO: http check unnecessary.
2024-01-14 15:17:56,207 INFO: Checking https port access to RMT servers.
2024-01-14 15:17:56,276 INFO: https access OK.
2024-01-14 15:17:56,276 INFO: Checking https access using RMT certs.
2024-01-14 15:17:56,293 INFO: RMT certs OK.
2024-01-14 15:17:56,293 INFO: EVERYTHING OK.
2024-01-14 15:17:56,293 INFO: Collecting debug data. Please wait 1-2 minutes maybe longer, depending on machine type.
Instance registry setup done, sessions must be restarted !
Registration succeeded
2024-01-14 15:20:36,001 INFO: Check repositories. An attempt was made to fix.
2024-01-14 15:20:36,002 INFO: Debug data location: /var/log/sc-repocheck_240114_151756.tar.xz
2024-01-14 15:20:36,012 INFO: Report bugs to https://github.com/SUSE/susecloud-repocheck/issues

If the script shows “Registration succeeded”, verify by running:

sudo SUSEConnect -s
sudo zypper lr --uri -E

Step 3: Check Package Versions (If Script Fails)

If the diagnostic script fails or reports errors, check your current package versions:

rpm -qa | grep -E "cloud-regionsrv-client|regionServiceClientConfigEC2|python3-ec2metadata|python3-toml|python3-dnspython|suseconnect-ng|libcontainers-common|libcontainers-sles-mounts"

Reference Package Versions for SLES 15 SP4

Compare your output with these known working versions:

If your package versions are significantly older or some packages are missing, proceed to Step 4.

Step 4: Manual Package Update (Advanced)

If the automatic script cannot fix the issue due to severely outdated packages, you’ll need to manually update the registration packages.

⚠️ Important: Before making any changes, create an AMI backup or EBS snapshot of your affected instance.

Method Overview

1. Download current packages from a working SLES instance
2. Transfer packages to the affected instance
3. Install packages manually
4. Clean up and re-register

Step 4.1: Download Packages from a Working Instance

If you don’t have a registered SLES instance, launch a new instance using a current public AMI from the AWS Marketplace.

On the working instance, run:

# Create directory for packages
sudo mkdir -p /root/packages/rpms

# Download required packages
sudo zypper --pkg-cache-dir /root/packages/ download \
  cloud-regionsrv-client \
  cloud-regionsrv-client-plugin-ec2 \
  regionServiceClientConfigEC2 \
  python3-ec2metadata \
  python3-toml \
  python3-dnspython \
  suseconnect-ng \
  libcontainers-common \
  libcontainers-sles-mounts

# Collect all RPMs into one directory
sudo find /root/packages/ -type f -name "*.rpm" -exec cp {} /root/packages/rpms/ \;

# Create archive for transfer
cd /root/packages
sudo tar -czvf suse-registration-packages.tar.gz rpms

Step 4.2: Transfer the Package Archive

Transfer the archive to your affected instance using your preferred method:

Using SCP:

scp /root/packages/suse-registration-packages.tar.gz user@<affected-instance-ip>:/tmp/

Using S3:

# On working instance
aws s3 cp /root/packages/suse-registration-packages.tar.gz s3://your-bucket-name/

# On affected instance
aws s3 cp s3://your-bucket-name/suse-registration-packages.tar.gz /tmp/

Step 4.3: Install Packages on the Affected Instance

On the affected instance:

# Extract the archive
cd /tmp
tar -xvzf suse-registration-packages.tar.gz
cd rpms

# Install all packages
sudo rpm -Uvh --nodeps \
  cloud-regionsrv-client-*.rpm \
  cloud-regionsrv-client-plugin-ec2-*.rpm \
  libcontainers-common-*.rpm \
  libcontainers-sles-mounts-*.rpm \
  python3-dnspython-*.rpm \
  python3-ec2metadata-*.rpm \
  python3-toml-*.rpm \
  regionServiceClientConfigEC2-*.rpm \
  suseconnect-ng-*.rpm

📌 Note: The --nodeps flag bypasses dependency checking. This is necessary because the old registration system may not be able to resolve dependencies. The packages we’re installing are self-contained for the registration process.

Step 4.4: Clean Up Registration State and Re-Register

After installing the updated packages, perform a clean registration:

# Clean existing registration
sudo registercloudguest --clean

# Remove old configuration files
sudo rm -f /etc/SUSEConnect
sudo rm -f /var/lib/cloudregister/currentSMTInfo.obj
sudo rm -rf /etc/zypp/{credentials,services,repos}.d/*

# Remove old certificates
sudo rm -f /usr/share/pki/trust/anchors/registration_server_*.pem
sudo rm -f /etc/pki/trust/anchors/registration_server_*.pem

# Clear cloud register data
sudo rm -rf /var/lib/cloudregister/*
sudo rm -rf /var/cache/zypp/*

# Clean hosts file entries
sudo sed -i '/smt-ec2/d' /etc/hosts
sudo sed -i '/registry-ec2/d' /etc/hosts

# Clear registration log
sudo sh -c '> /var/log/cloudregister'

# Force new registration
sudo registercloudguest --force-new

Step 4.5: Verify Registration

Confirm the registration was successful:

# Check registration status
sudo SUSEConnect -s

# List repositories
sudo zypper lr --uri -E

# Refresh repositories
sudo zypper refresh

A successful registration will show:

• SUSEConnect -s displays registered products with status “Registered”
• zypper lr shows multiple SUSE repositories
• zypper refresh completes without errors

Troubleshooting Common Errors

Error: “No region servers available”

Cause: Network connectivity issue to SUSE region servers.

Solution:

1. Check security group allows outbound HTTPS (port 443)
2. Verify NACL rules permit outbound traffic
3. Ensure route table has proper internet or NAT gateway route
4. Test connectivity:

curl -v https://smt-ec2.susecloud.net/

Error: “Metadata service not accessible”

Cause: Instance cannot reach AWS metadata service.

Solution:

1. Verify instance is not using IMDSv2 with a hop limit that’s too restrictive
2. Check local firewall rules:

sudo iptables -L -n
curl http://169.254.169.254/latest/meta-data/

Error: “Certificate verification failed”

Cause: Outdated or missing RMT certificates.

Solution:

sudo update-ca-certificates
sudo registercloudguest --force-new

Error: “Product not found” or “No subscription”

Cause: The product you’re trying to register isn’t included in your SUSE subscription.

Solution:

• Verify your SUSE subscription covers the product
• For PAYG (Pay-As-You-Go) instances from AWS Marketplace, no subscription is needed
• For BYOS (Bring Your Own Subscription), ensure valid subscription credentials

Best Practices

Use Current AMIs

Always launch new instances from the latest available AMIs. Check the AWS Marketplace or SUSE’s Public Cloud Information Tracker (PINT) for current images.

Regular Updates

Keep registration packages updated as part of your regular patching schedule:

sudo zypper update cloud-regionsrv-client suseconnect-ng

Monitor Registration Status

Include registration status checks in your monitoring:

# Script to check registration
#!/bin/bash
if sudo SUSEConnect -s | grep -q "Registered"; then
    echo "SUSE registration OK"
    exit 0
else
    echo "SUSE registration FAILED"
    exit 1
fi

Create Golden AMIs

After successfully registering and updating a SLES instance:

1. Update all packages
2. Verify registration
3. Create an AMI
4. Use this AMI for future launches

Conclusion

SUSE registration issues on AWS EC2 are typically caused by outdated AMIs or registration packages. The SUSE sc-repocheck script handles most cases automatically. For instances with severely outdated packages, manual package updates followed by a clean re-registration will restore connectivity to the SUSE Update Infrastructure.

Regularly updating your base AMIs and keeping registration packages current will help prevent these issues in the future.

References

• SUSE Public Cloud Information Tracker (PINT)
• SUSEcloud repocheck Script (GitHub)
• SUSE Knowledge Base Article 000021552
• SUSE Linux Enterprise Server Documentation
• AWS Marketplace – SUSE Products