Bug 1510136
Summary: | RHUI 2/3 does not account for Candlepin 2 behavior of regenerating dirty certificates when updates needed | | |
---|---|---|---|
Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Craig Donnelly <cdonnell> |
Component: | Tools | Assignee: | RHUI Bug List <rhui-bugs> |
Status: | CLOSED ERRATA | QA Contact: | Vratislav Hutsky <vhutsky> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 2.1 | CC: | bcourt, bkearney, cdonnell, hfukumot, hmore, kdixon, kfujii, kkohata, mkubik, mshimura, nyamashi, pcantle, rbiba, rhui-bugs, ssato, syamamot, tasander, tbhowmik, ykawada |
Target Milestone: | 3.0.3 | Keywords: | PrioBumpGSS |
Last Closed: | 2018-05-16 12:48:53 UTC | Type: | Bug |
Description
Craig Donnelly
2017-11-06 18:16:04 UTC
There is an additional recovery step required for this in the case of RHUI 3.

At this point, it appears that RHUI 3 will cache the entitlement certificates on the shared storage endpoint for use with the importers. In our test case, the remote storage is mounted at /var/lib/rhui/remote_share on the RHUA. Inside this directory there is an 'importers' directory, which contains a directory per active repository on the RHUA. Within each of those repository directories there is a 'pki' directory which contains a copy of the CA, client cert, and key.

The client cert inside this directory does not get updated when you import a new entitlement cert into RHUI 3, and therefore to get RHUI 3 to sync any of these repositories again, you must remove the repo and re-add it inside rhui-manager. This will delete the directory for that repo and re-create it, also adding the new correct entitlement certificates.

The way to get this working is to use the following steps:

1. Log in to rhui-manager on the RHUA and remove all repositories that will not sync.
2. Delete the user.crt due to caching via: `rm .rhui/<RHUA HOSTNAME>/user.crt`
3. Log in to rhui-manager, refresh your list of repositories and re-add all removed repositories.
4. Sync.

At that point, you should then be able to sync the repo on RHUI 3 again. Unfortunately, you would need to do this process for ALL repositories you had enabled when the entitlement cert became expired/revoked.

One quick note/modification to comment 3 above: Instead of deactivating all repositories, you could deactivate and re-activate only a single repository that is not working. In that instance, you could then go get the certificates in the .../importers/<REPO>/pki directory on the shared storage and then copy them and overwrite all the others in the other repository directories. I think this would be a significant shortcut to the procedure outlined above.
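The shortcut described above, sketched as an added example (not code from this bug report or from RHUI): it compares every importer's `pki` directory against that of one freshly re-added repository and, only when asked, overwrites the stale copies after backing them up. It assumes the `<importers>/<repo>/pki` layout from the comment; the function names and the `--apply` flag are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed layout (from the comment above): <importers_dir>/<repo>/pki/

# list_stale_repos IMPORTERS_DIR REFERENCE_REPO
# Prints the name of every repo whose pki/ content differs from the reference repo's.
list_stale_repos() {
    local importers_dir="$1" ref_repo="$2" ref_pki repo_dir
    ref_pki="$importers_dir/$ref_repo/pki"
    [ -d "$ref_pki" ] || { echo "no pki dir for reference repo: $ref_repo" >&2; return 2; }
    for repo_dir in "$importers_dir"/*/; do
        repo_dir=${repo_dir%/}
        [ "${repo_dir##*/}" = "$ref_repo" ] && continue
        [ -d "$repo_dir/pki" ] || continue
        # diff -rq exits non-zero when any file differs or is missing on either side.
        diff -rq "$ref_pki" "$repo_dir/pki" >/dev/null 2>&1 || echo "${repo_dir##*/}"
    done
}

# refresh_stale_repos IMPORTERS_DIR REFERENCE_REPO [--apply]
# Dry run by default. With --apply, each stale pki dir is backed up next to the
# original (permissions preserved, since it holds a private key), then overwritten.
refresh_stale_repos() {
    local importers_dir="$1" ref_repo="$2" mode="${3:-}" repo pki stamp
    stamp=$(date +%Y%m%d%H%M%S)
    list_stale_repos "$importers_dir" "$ref_repo" | while IFS= read -r repo; do
        pki="$importers_dir/$repo/pki"
        if [ "$mode" = "--apply" ]; then
            cp -a "$pki" "$pki.bak.$stamp"
            cp -a "$importers_dir/$ref_repo/pki/." "$pki/"
            echo "refreshed $repo"
        else
            echo "would refresh $repo"
        fi
    done
}

# Run directly, e.g.: sh refresh_pki.sh /var/lib/rhui/remote_share/importers <REPO> [--apply]
if [ "$#" -ge 2 ]; then refresh_stale_repos "$@"; fi
```

Run it without `--apply` first and review the list; the backups let you restore the previous files if a sync still fails.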
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1569