Bug 1360909
Summary: | Clients unable to access newly released content (Satellite 6.2 GA) | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Mike McCune <mmccune> | |
Component: | subscription-manager | Assignee: | candlepin-bugs | |
Status: | CLOSED ERRATA | QA Contact: | John Sefler <jsefler> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 7.3 | CC: | ahuchcha, bcourt, bkearney, crog, dmoessne, fcami, ggatward, hajek, it-eng-bz, jentrena, jmatthew, kdixon, ktordeur, mmello, nshaik, pmutha, redakkan, risantam, rjerrido, skallesh, sreber, tcarlin, timoran, vrjain, xdmoon | |
Target Milestone: | beta | Keywords: | Reopened | |
Target Release: | 7.3 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | subscription-manager-1.17-10-1 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1373633 (view as bug list) | Environment: | ||
Last Closed: | 2016-11-03 20:30:04 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1385841 |
Description
Mike McCune
2016-07-27 19:45:44 UTC
This appears to be an issue where a product is refreshed and if only a content set is changed the entitlement for a consumer is not marked as dirty. If I manually force certificate regeneration for the consumer with the rest API it fixes the problem. curl -s --cert /etc/pki/consumer/cert.pem --key /etc/pki/consumer/key.pem -k -X PUT https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/certificates (In reply to Barnaby Court from comment #1) > This appears to be an issue where a product is refreshed and if only a > content set is changed the entitlement for a consumer is not marked as > dirty. If I manually force certificate regeneration for the consumer with > the rest API it fixes the problem. > > curl -s --cert /etc/pki/consumer/cert.pem --key /etc/pki/consumer/key.pem > -k -X PUT > https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/ > certificates Note, the above is meant to be run on the Satellite in question. And the consumer_id is provided via 'subscription-manager identity' An directly pasteable command is CONSUMERID=$(subscription-manager identity | head -1 | cut -f 2 -d ":") curl -s --cert /etc/pki/consumer/cert.pem --key /etc/pki/consumer/key.pem -k -X PUT "https://subscription.rhn.redhat.com/subscription/consumers/$CONSUMERID/certificates" Customer is reporting that after applying the above steps: - they now have access to rhel-7-server-satellite-6.2-rpms but - they do not have access to the capsule or tools repos for 6.2: 2016-07-28 09:40:29 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata 2016-07-28 09:47:24 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.2/os/repodata/repomd.xml (Katello::Errors::SecurityViolation) Is this also related with this issue or is it a different problem? The above is a different issue. This KCS here appears to resolve the issue: https://access.redhat.com/solutions/1582083 We have modified some data in the customer portal which should refresh this issue. If you are using subscription-manager please execute the following: subscription-manager refresh If you are using Satellite 6, please go to Content -> Red Hat Subscriptions -> Manage Manifest and click the "Refresh Manifest" button The data should now be available. I will leave this bug open until I get customer feedback that it is fixed. As an additional workaround/solution to the problem, subscription manager has been updated accordingly: commit 0a2f90c86f4d7a6aec88a6fe3d3e91bbff6b2e8f Author: Chris Rog <crog> Date: Fri Jul 29 12:21:22 2016 -0400 1360909: The refresh command now requests entitlement cert regeneration - When the refresh command is issued on the CLI, subman will request entitlement certificate regeneration (lazily) for the active consumer based on the verification step in comment 16 , moving the bug to verified re-opening this as it appears to be re-occurring Moving back to on_qa as the fix in sub-man 1.17 has been taken care of and verified in test environments. I cloned to it-pnt for the portal fix to open the firewall rules to enable the updates here to work. This should be moved back to verified & released Moving back to VERIFIED per the testing in comment 16 used to verify the developer's fix in comment 13. Note that this verification applies to the subscription-manager component changes only. Additional changes are needed server-side (by IT-Candlepin) so that a subscription-manager refresh will pick up the newly released content from the entitlement server. Per comment 31, the server-side work is now being tracked in cloned bug 1373633 where all of the external trackers have been copied to. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2592.html |