Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1360909 - Clients unable to access newly released content (Satellite 6.2 GA)
Summary: Clients unable to access newly released content (Satellite 6.2 GA)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.3
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 7.3
Assignee: candlepin-bugs
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: CEE_Sat6_Top_BZs, GSS_Sat6_Top_Bugs
TreeView+ depends on / blocked
 
Reported: 2016-07-27 19:45 UTC by Mike McCune
Modified: 2018-03-05 13:14 UTC (History)
25 users (show)

Fixed In Version: subscription-manager-1.17-10-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 20:30:04 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github candlepin subscription-manager pull 1459 None None None 2016-08-08 19:56:01 UTC
Red Hat Bugzilla 1366301 None CLOSED subscription-manager refresh causes: Server error attempting a PUT to /subscription/consumers/<UUID>/certificates?lazy_r... 2019-04-15 14:08:56 UTC
Red Hat Bugzilla 1440001 None CLOSED Entitlement certs are deleted and re-generated after running 'subscription-manager refresh' against Stage candlepin 2019-04-15 14:08:56 UTC
Red Hat Knowledge Base (Solution) 2472261 None None None 2016-10-26 18:20:57 UTC
Red Hat Product Errata RHSA-2016:2592 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2016-11-03 12:10:42 UTC

Internal Links: 1366301 1440001

Description Mike McCune 2016-07-27 19:45:44 UTC
Satellite 6.2 GA-ed today and users are unable to access the newly released 6.2 repositories that are part of their subscription:

 rhel-6-server-satellite-6.2-rpms 
 rhel-7-server-satellite-6.2-rpms 

Attempts to enable these repositories are met with errors that the repository does not exist:

# subscription-manager repos --enable rhel-7-server-satellite-6.2-rpms
Error: rhel-7-server-satellite-6.2-rpms is not a valid repository ID. Use --list option to see valid repositories.

attempts to run 'subscription-manager refresh' do not resolve the issue. The only work around is to completely un-register and re-register the system to get access to the newly released content:

WORKAROUND:

# subscription-manager identity (make note of the system id value)
# subscription-manager clean
# subscription-manager register --consumerid=<SYSTEM_IDENTITY>
# subscription-manager remove --all
# subscription-manager attach --pool=<SATELLITE_SUB_POOL> 
# subscription-manager repos --enable rhel-6-server-satellite-6.2-rpms

Comment 1 Barnaby Court 2016-07-27 20:12:37 UTC
This appears to be an issue where a product is refreshed and if only a content set is changed the entitlement for a consumer is not marked as dirty. If I manually force certificate regeneration for the consumer with the rest API it fixes the problem.

curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/certificates

Comment 2 Rich Jerrido 2016-07-27 20:21:57 UTC
(In reply to Barnaby Court from comment #1)
> This appears to be an issue where a product is refreshed and if only a
> content set is changed the entitlement for a consumer is not marked as
> dirty. If I manually force certificate regeneration for the consumer with
> the rest API it fixes the problem.
> 
> curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem 
> -k -X PUT
> https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/
> certificates

Note, the above is meant to be run on the Satellite in question. And the consumer_id is provided via 'subscription-manager identity' 

An directly pasteable command is 

CONSUMERID=$(subscription-manager identity | head -1 | cut -f 2 -d ":")
curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT "https://subscription.rhn.redhat.com/subscription/consumers/$CONSUMERID/certificates"

Comment 5 Julio Entrena Perez 2016-07-28 08:55:35 UTC
Customer is reporting that after applying the above steps:

- they now have access to rhel-7-server-satellite-6.2-rpms

but

- they do not have access to the capsule or tools repos for 6.2:

2016-07-28 09:40:29 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata

2016-07-28 09:47:24 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.2/os/repodata/repomd.xml (Katello::Errors::SecurityViolation)

Is this also related with this issue or is it a different problem?

Comment 6 Mike McCune 2016-07-28 17:11:12 UTC
The above is a different issue. This KCS here appears to resolve the issue:

https://access.redhat.com/solutions/1582083

Comment 11 Bryan Kearney 2016-08-02 21:56:30 UTC
We have modified some data in the customer portal which should refresh this issue. If you are using subscription-manager please execute the following:

subscription-manager refresh

If you are using Satellite 6, please go to 

Content -> Red Hat Subscriptions -> Manage Manifest 

and click the "Refresh Manifest" button

The data should now be available.

I will leave this bug open until I get customer feedback that it is fixed.

Comment 13 Chris "Ceiu" Rog 2016-08-08 19:53:33 UTC
As an additional workaround/solution to the problem, subscription manager has been updated accordingly:


commit 0a2f90c86f4d7a6aec88a6fe3d3e91bbff6b2e8f
Author: Chris Rog <crog@redhat.com>
Date:   Fri Jul 29 12:21:22 2016 -0400

    1360909: The refresh command now requests entitlement cert regeneration
    
    - When the refresh command is issued on the CLI, subman will request
      entitlement certificate regeneration (lazily) for the active consumer

Comment 17 Rehana 2016-08-10 13:46:41 UTC
based on the verification step in comment 16 , moving the bug to verified

Comment 27 Mike McCune 2016-08-22 16:32:23 UTC
re-opening this as it appears to be re-occurring

Comment 31 Barnaby Court 2016-09-06 20:38:52 UTC
Moving back to on_qa as the fix in sub-man 1.17 has been taken care of and verified in test environments. I cloned to it-pnt for the portal fix to open the firewall rules to enable the updates here to work. This should be moved back to verified & released

Comment 32 John Sefler 2016-09-06 21:16:51 UTC
Moving back to VERIFIED per the testing in comment 16 used to verify the developer's fix in comment 13.  Note that this verification applies to the subscription-manager component changes only.  Additional changes are needed server-side (by IT-Candlepin) so that a subscription-manager refresh will pick up the newly released content from the entitlement server.  Per comment 31, the server-side work is now being tracked in cloned bug 1373633 where all of the external trackers have been copied to.

Comment 34 errata-xmlrpc 2016-11-03 20:30:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html


Note You need to log in before you can comment on or make changes to this bug.