Bug 1961886

Summary: pulp3: Client receives 403 forbidden when fetching RHEL content when using custom certificates
Product: Red Hat Satellite Reporter: Eric Helms <ehelms>
Component: InstallationAssignee: Justin Sherrill <jsherril>
Status: CLOSED ERRATA QA Contact: Omkar Khatavkar <okhatavk>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.4CC: egolov, lhellebr, mdellweg, peter.vreman
Target Milestone: 6.10.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-16 14:10:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1957813    

Description Eric Helms 2021-05-18 22:18:54 UTC 
Discord thread: https://community.theforeman.org/t/errno-14-https-error-403-forbidden-redhat-repositories-only/21041

<pre>
Katello is still using its self-signed default CA to distribute entitlement certificates. This is expected.

However, pulpcore certguard has the wrong CA configured in its database - it has picked up the Server CA, which should only be used for clients to authenticate the server certificate.

Updating the content of ca_certificate in pulpcore:certguard_rhsmcertguard fixes the issue and allows clients to access the repo.

psql -d pulpcore
pulpcore=# \set content cat /etc/pki/katello/certs/katello-default-ca-stripped.crt``
pulpcore=# update certguard_rhsmcertguard SET ca_certificate = :'content' ;
</pre>
Comment 1 Eric Helms 2021-05-18 22:18:58 UTC 
Created from redmine issue https://projects.theforeman.org/issues/32624
Comment 2 Eric Helms 2021-05-18 22:19:00 UTC 
Upstream bug assigned to ehelms
Comment 3 Bryan Kearney 2021-05-28 10:17:52 UTC 
Upstream bug assigned to jsherril
Comment 4 Bryan Kearney 2021-05-28 10:17:54 UTC 
Upstream bug assigned to jsherril
Comment 5 Bryan Kearney 2021-06-07 20:02:21 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/32624 has been resolved.
Comment 6 Lukáš Hellebrandt 2021-06-16 16:15:08 UTC 
FYI I've just hit this in 6.10.0 snap 4.0.
Comment 7 Justin Sherrill 2021-07-06 15:36:33 UTC 
adding 6.9.z flag, as i think backporting is worth it
Comment 8 Justin Sherrill 2021-07-06 15:36:55 UTC 
*** Bug 1977893 has been marked as a duplicate of this bug. ***
Comment 13 errata-xmlrpc 2021-11-16 14:10:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702