Bug 1360909

Summary: Clients unable to access newly released content (Satellite 6.2 GA)
Product: Red Hat Enterprise Linux 7 Reporter: Mike McCune <mmccune>
Component: subscription-managerAssignee: candlepin-bugs
Status: CLOSED ERRATA QA Contact: John Sefler <jsefler>
Severity: high Docs Contact:
Priority: high    
Version: 7.3CC: ahuchcha, bcourt, bkearney, crog, dmoessne, fcami, ggatward, hajek, it-eng-bz, jentrena, jmatthew, kdixon, ktordeur, mmello, nshaik, pmutha, redakkan, risantam, rjerrido, skallesh, sreber, tcarlin, timoran, vrjain, xdmoon
Target Milestone: betaKeywords: Reopened
Target Release: 7.3   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: subscription-manager-1.17-10-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1373633 (view as bug list) Environment:
Last Closed: 2016-11-03 20:30:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1385841    

Description Mike McCune 2016-07-27 19:45:44 UTC
Satellite 6.2 GA-ed today and users are unable to access the newly released 6.2 repositories that are part of their subscription:


Attempts to enable these repositories are met with errors that the repository does not exist:

# subscription-manager repos --enable rhel-7-server-satellite-6.2-rpms
Error: rhel-7-server-satellite-6.2-rpms is not a valid repository ID. Use --list option to see valid repositories.

attempts to run 'subscription-manager refresh' do not resolve the issue. The only work around is to completely un-register and re-register the system to get access to the newly released content:


# subscription-manager identity (make note of the system id value)
# subscription-manager clean
# subscription-manager register --consumerid=<SYSTEM_IDENTITY>
# subscription-manager remove --all
# subscription-manager attach --pool=<SATELLITE_SUB_POOL> 
# subscription-manager repos --enable rhel-6-server-satellite-6.2-rpms

Comment 1 Barnaby Court 2016-07-27 20:12:37 UTC
This appears to be an issue where a product is refreshed and if only a content set is changed the entitlement for a consumer is not marked as dirty. If I manually force certificate regeneration for the consumer with the rest API it fixes the problem.

curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/certificates

Comment 2 Rich Jerrido 2016-07-27 20:21:57 UTC
(In reply to Barnaby Court from comment #1)
> This appears to be an issue where a product is refreshed and if only a
> content set is changed the entitlement for a consumer is not marked as
> dirty. If I manually force certificate regeneration for the consumer with
> the rest API it fixes the problem.
> curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem 
> -k -X PUT
> https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/
> certificates

Note, the above is meant to be run on the Satellite in question. And the consumer_id is provided via 'subscription-manager identity' 

An directly pasteable command is 

CONSUMERID=$(subscription-manager identity | head -1 | cut -f 2 -d ":")
curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT "https://subscription.rhn.redhat.com/subscription/consumers/$CONSUMERID/certificates"

Comment 5 Julio Entrena Perez 2016-07-28 08:55:35 UTC
Customer is reporting that after applying the above steps:

- they now have access to rhel-7-server-satellite-6.2-rpms


- they do not have access to the capsule or tools repos for 6.2:

2016-07-28 09:40:29 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata

2016-07-28 09:47:24 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.2/os/repodata/repomd.xml (Katello::Errors::SecurityViolation)

Is this also related with this issue or is it a different problem?

Comment 6 Mike McCune 2016-07-28 17:11:12 UTC
The above is a different issue. This KCS here appears to resolve the issue:


Comment 11 Bryan Kearney 2016-08-02 21:56:30 UTC
We have modified some data in the customer portal which should refresh this issue. If you are using subscription-manager please execute the following:

subscription-manager refresh

If you are using Satellite 6, please go to 

Content -> Red Hat Subscriptions -> Manage Manifest 

and click the "Refresh Manifest" button

The data should now be available.

I will leave this bug open until I get customer feedback that it is fixed.

Comment 13 Chris "Ceiu" Rog 2016-08-08 19:53:33 UTC
As an additional workaround/solution to the problem, subscription manager has been updated accordingly:

commit 0a2f90c86f4d7a6aec88a6fe3d3e91bbff6b2e8f
Author: Chris Rog <crog>
Date:   Fri Jul 29 12:21:22 2016 -0400

    1360909: The refresh command now requests entitlement cert regeneration
    - When the refresh command is issued on the CLI, subman will request
      entitlement certificate regeneration (lazily) for the active consumer

Comment 17 Rehana 2016-08-10 13:46:41 UTC
based on the verification step in comment 16 , moving the bug to verified

Comment 27 Mike McCune 2016-08-22 16:32:23 UTC
re-opening this as it appears to be re-occurring

Comment 31 Barnaby Court 2016-09-06 20:38:52 UTC
Moving back to on_qa as the fix in sub-man 1.17 has been taken care of and verified in test environments. I cloned to it-pnt for the portal fix to open the firewall rules to enable the updates here to work. This should be moved back to verified & released

Comment 32 John Sefler 2016-09-06 21:16:51 UTC
Moving back to VERIFIED per the testing in comment 16 used to verify the developer's fix in comment 13.  Note that this verification applies to the subscription-manager component changes only.  Additional changes are needed server-side (by IT-Candlepin) so that a subscription-manager refresh will pick up the newly released content from the entitlement server.  Per comment 31, the server-side work is now being tracked in cloned bug 1373633 where all of the external trackers have been copied to.

Comment 34 errata-xmlrpc 2016-11-03 20:30:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.