Bug #32624

Client receives 403 forbidden when fetching RHEL content when using custom certificates

Added by Eric Helms about 1 year ago. Updated 12 months ago.

Status: Closed
Priority: Normal
Category: Repositories
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Discord thread: https://community.theforeman.org/t/errno-14-https-error-403-forbidden-redhat-repositories-only/21041

Katello is still using its self-signed default CA to distribute entitlement certificates. This is expected.

However, pulpcore certguard has the wrong CA configured in its database - it has picked up the Server CA, which should only be used for clients to authenticate the server certificate.

Updating the content of ca_certificate in pulpcore:certguard_rhsmcertguard fixes the issue and allows clients to access the repo.

psql -d pulpcore
pulpcore=# \set content `cat /etc/pki/katello/certs/katello-default-ca-stripped.crt`
pulpcore=# update certguard_rhsmcertguard SET ca_certificate = :'content' ;
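
A diagnostic for the mismatch described above, added here as an example (not part of the original issue and not Katello or Pulp code): it checks whether a client entitlement certificate chains to the CA stored in the content guard or only to the default CA. The function names, the `guard-ca.pem` file name and the throwaway test PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Export the guard's CA first (table and column as named in this issue):
#   psql -d pulpcore -Atc 'select ca_certificate from certguard_rhsmcertguard' > guard-ca.pem

# guard_accepts CA_PEM CLIENT_PEM: succeeds if the client cert chains to CA_PEM.
guard_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# same_cert A B: compares SHA-256 fingerprints, so PEM whitespace is ignored.
# Returns 2 if either file cannot be parsed as a certificate.
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# diagnose GUARD_CA DEFAULT_CA CLIENT_CERT: prints ok | wrong-ca | untrusted-client
diagnose() {
    if guard_accepts "$1" "$3"; then
        echo ok                  # guard trusts the entitlement cert's issuer
    elif guard_accepts "$2" "$3"; then
        echo wrong-ca            # cert is valid, but the guard holds another CA
    else
        echo untrusted-client    # cert does not chain to the default CA either
    fi
}

# make_test_pki DIR: constructed throwaway data (two CAs, one client cert
# issued by "default-ca"), standing in for the real Katello certificates.
make_test_pki() {
    for ca in default-ca server-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/client.csr" -CA "$1/default-ca.crt" \
        -CAkey "$1/default-ca.key" -CAcreateserial -days 1 \
        -out "$1/client.crt" 2>/dev/null
}
```

A `wrong-ca` result corresponds to the 403 case in this issue; `same_cert` can be rerun after a CA change to confirm the stored value still matches the file on disk.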

Related issues

Related to Katello - Bug #32784: Error: undefined method `pulp_href' for nil:NilClass when syncing capsule (Closed)

Associated revisions

Revision 8dfd072e (diff)
Added by Justin Sherrill 12 months ago

Fixes #32624 - use correct ca for content guard

and properly update content guard if ca changes

History

#1 Updated by Eric Helms about 1 year ago

  • Bugzilla link set to 1961886

#2 Updated by Eric Helms about 1 year ago

The certificate does not get updated if it changes automatically and this will need to be fixed in addition.

#3 Updated by Eric Helms about 1 year ago

  • Assignee deleted (Eric Helms)
  • Status changed from Assigned to New

#4 Updated by Eric Helms about 1 year ago

  • Description updated (diff)

#5 Updated by Justin Sherrill 12 months ago

  • Project changed from Installer to Katello

#6 Updated by Chris Roberts 12 months ago

  • Triaged changed from No to Yes
  • Target version set to Katello 4.0.2
  • Assignee set to Justin Sherrill
  • Category set to Repositories

#7 Updated by Chris Roberts 12 months ago

  • Status changed from New to Ready For Testing

#8 Updated by The Foreman Bot 12 months ago

  • Pull request https://github.com/Katello/katello/pull/9381 added

#9 Updated by The Foreman Bot 12 months ago

  • Fixed in Releases Katello 4.2.0 added

#10 Updated by Justin Sherrill 12 months ago

  • Status changed from Ready For Testing to Closed

#11 Updated by Justin Sherrill 12 months ago

  • Related to Bug #32784: Error: undefined method `pulp_href' for nil:NilClass when syncing capsule added
