Bug 2223405
| Summary: | `rhc connect` fails to contact config manager w/stage | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | jaudet | |
| Component: | rhc | Assignee: | Alba Hita <ahitacat> | |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 8.8 | CC: | ahitacat, arpandey, cmarinea, fjansen, pakotvan, qianzhan, zpetrace | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | rhc-0.2.4-1.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2227018 (view as bug list) | Environment: | ||
| Last Closed: | 2023-11-14 15:36:50 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2227018 | |||
Pre-verification: 1. Provision a system in beaker: RHEL-8.9.0-updates-20230730.d.31 BaseOS x86_64: [root@dell-per740-68-vm-05 ~]# cat /etc/redhat-release Red Hat Enterprise Linux release 8.9 Beta (Ootpa) [root@dell-per740-68-vm-05 ~]# rhc --version rhc version 0.2.2 2. Update rhc version by copr: [root@dell-per740-68-vm-05 yum.repos.d]# curl -o rhc.repo https://copr.devel.redhat.com/coprs/ahitacat/rhc/repo/rhel-8.dev/ahitacat-rhc-rhel-8.dev.repo % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 330 100 330 0 0 280 0 0:00:01 0:00:01 -::- 280 [root@dell-per740-68-vm-05 yum.repos.d]# dnf repolist Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. repo id repo name copr:copr.devel.redhat.com:ahitacat:rhc Copr repo for rhc owned by ahitacat [root@dell-per740-68-vm-05 yum.repos.d]# dnf update --repoid=copr:copr.devel.redhat.com:ahitacat:rhc Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Copr repo for rhc owned by ahitacat 1.1 kB/s | 2.1 kB 00:01 Dependencies resolved. ============================================================================================== Package Arch Version Repository Size ============================================================================================== Upgrading: *rhc * x86_64 1:0.2.4-0.2.git.a67ca4e.el8 copr:copr.devel.redhat.com:ahitacat:rhc 9.8 M Transaction Summary ============================================================================================== Upgrade 1 Package Total download size: 9.8 M Is this ok [y/N]: y Downloading Packages: rhc-0.2.4-0.2.git.a67ca4e.el8.x86_64.rpm 315 kB/s | 9.8 MB 00:31 ---------------------------------------------------------------------------------------------- Total 315 kB/s | 9.8 MB 00:31 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 1/1 Upgrading : rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 1/2 warning: /etc/rhc/config.toml created as /etc/rhc/config.toml.rpmnew Cleanup : rhc-1:0.2.2-1.el8.x86_64 2/2 Running scriptlet: rhc-1:0.2.2-1.el8.x86_64 2/2 Verifying : rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 1/2 Verifying : rhc-1:0.2.2-1.el8.x86_64 2/2 Installed products updated. Upgraded: rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 Complete! [root@dell-per740-68-vm-05 yum.repos.d]# rpm -qa | grep rhc rhc-0.2.4-0.2.git.a67ca4e.el8.x86_64 3. Try the steps in the first comment: [root@dell-per740-68-vm-05 ~]# subscription-manager config --server.hostname=subscription.rhsm.stage.redhat.com [root@dell-per740-68-vm-05 ~]# subscription-manager register Registering to: subscription.rhsm.stage.redhat.com:443/subscription Username: insights-qa Password: The system has been registered with ID: a2435307-546a-4b5b-9d49-d1ad166c3f52 The registered system name is: dell-per740-68-vm-05.lab.eng.pek2.redhat.com [root@dell-per740-68-vm-05 ~]# dnf -y update Updating Subscription Management repositories. Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) 4.7 MB/s | 10 MB 00:02 Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) 2.6 MB/s | 3.8 MB 00:01 Dependencies resolved. Nothing to do. Complete! [root@dell-per740-68-vm-05 ~]# dnf -y install rhc-worker-playbook [root@dell-per740-68-vm-05 ~]# cat /etc/rhc/config.toml # yggdrasil global configuration settings broker = ["wss://connect.cloud.stage.redhat.com:443"] data-host = "cert.cloud.stage.redhat.com" log-level = "debug" # optional cert-file = "/etc/pki/consumer/cert.pem" key-file = "/etc/pki/consumer/key.pem" [root@dell-per740-68-vm-05 ~]# systemctl cat rhcd.service # /usr/lib/systemd/system/rhcd.service [Unit] Description=rhc daemon Documentation=https://github.com/redhatinsights/yggdrasil After=network-online.target Requires=network-online.target [Service] Type=simple ExecStart=/usr/sbin/rhcd [Install] WantedBy=multi-user.target # /etc/systemd/system/rhcd.service.d/override.conf [Service] Environment="HTTP_PROXY=http://squid.corp.redhat.com:3128" Environment="HTTPS_PROXY=http://squid.corp.redhat.com:3128" [root@dell-per740-68-vm-05 ~]# cat /etc/insights-client/insights-client.conf | grep proxy # URL for your proxy. Example: http://user:pass@192.168.100.50:8080 proxy=http://squid.corp.redhat.com:3128 [root@dell-per740-68-vm-05 ~]# [root@dell-per740-68-vm-05 ~]# rhc connect Connecting dell-per740-68-vm-05.lab.eng.pek2.redhat.com to Red Hat. This might take a few seconds. ● This system is already connected to Red Hat Subscription Management ● Connected to Red Hat Insights ● Activated the rhc daemon Successfully connected to Red Hat! Manage your connected systems: https://red.ht/connector STEP DURATION rhsm 3ms insights 46.44s rhc 10ms The following errors were encountered during connect: STEP ERROR rhc Cannot get the user profile: Get "https://subscription.rhsm.stage.redhat.com/redhat_access/r/insights/platform/config-manager/v2/profiles/current": tls: failed to verify certificate: x509: certificate signed by unknown authority So set the bug verified: FailedQA (In reply to qianzhan from comment #5) > Pre-verification: > > 1. Provision a system in beaker: RHEL-8.9.0-updates-20230730.d.31 BaseOS > x86_64: > > [root@dell-per740-68-vm-05 ~]# cat /etc/redhat-release > > Red Hat Enterprise Linux release 8.9 Beta (Ootpa) > > > > [root@dell-per740-68-vm-05 ~]# rhc --version > > rhc version 0.2.2 > > > > 2. Update rhc version by copr: > > [root@dell-per740-68-vm-05 yum.repos.d]# curl -o rhc.repo > https://copr.devel.redhat.com/coprs/ahitacat/rhc/repo/rhel-8.dev/ahitacat- > rhc-rhel-8.dev.repo > > % Total % Received % Xferd Average Speed Time Time Time > Current > > Dload Upload Total Spent Left Speed > > 100 330 100 330 0 0 280 0 0:00:01 0:00:01 -::- 280 > > > > > > [root@dell-per740-68-vm-05 yum.repos.d]# dnf repolist > > Updating Subscription Management repositories. > > Unable to read consumer identity > > > > This system is not registered with an entitlement server. You can use > subscription-manager to register. > > > > repo id repo name > > copr:copr.devel.redhat.com:ahitacat:rhc Copr repo for rhc owned by > ahitacat > > [root@dell-per740-68-vm-05 yum.repos.d]# dnf update > --repoid=copr:copr.devel.redhat.com:ahitacat:rhc > > Updating Subscription Management repositories. > > Unable to read consumer identity > > > > This system is not registered with an entitlement server. You can use > subscription-manager to register. > > > > Copr repo for rhc owned by ahitacat 1.1 kB/s | 2.1 > kB 00:01 > > Dependencies resolved. > > ============================================================================= > ================= > > Package > > Arch Version Repository > Size > > ============================================================================= > ================= > > Upgrading: > > *rhc * x86_64 1:0.2.4-0.2.git.a67ca4e.el8 > copr:copr.devel.redhat.com:ahitacat:rhc 9.8 M > > > > Transaction Summary > > ============================================================================= > ================= > > Upgrade 1 Package > > > > Total download size: 9.8 M > > Is this ok [y/N]: y > > Downloading Packages: > > rhc-0.2.4-0.2.git.a67ca4e.el8.x86_64.rpm 315 kB/s | 9.8 > MB 00:31 > > ----------------------------------------------------------------------------- > ----------------- > > Total 315 kB/s | 9.8 > MB 00:31 > > Running transaction check > > Transaction check succeeded. > > Running transaction test > > Transaction test succeeded. > > Running transaction > > Preparing : > 1/1 > > Running scriptlet: rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 > 1/1 > > Upgrading : rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 > 1/2 > > warning: /etc/rhc/config.toml created as /etc/rhc/config.toml.rpmnew > > > > Cleanup : rhc-1:0.2.2-1.el8.x86_64 > 2/2 > > Running scriptlet: rhc-1:0.2.2-1.el8.x86_64 > 2/2 > > Verifying : rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 > 1/2 > > Verifying : rhc-1:0.2.2-1.el8.x86_64 > 2/2 > > Installed products updated. > > > > Upgraded: > > rhc-1:0.2.4-0.2.git.a67ca4e.el8.x86_64 > > > > > Complete! > > > > [root@dell-per740-68-vm-05 yum.repos.d]# rpm -qa | grep rhc > > rhc-0.2.4-0.2.git.a67ca4e.el8.x86_64 > > > 3. Try the steps in the first comment: > > [root@dell-per740-68-vm-05 ~]# subscription-manager config > --server.hostname=subscription.rhsm.stage.redhat.com > > [root@dell-per740-68-vm-05 ~]# subscription-manager register > > Registering to: subscription.rhsm.stage.redhat.com:443/subscription > > Username: insights-qa > > Password: > > The system has been registered with ID: a2435307-546a-4b5b-9d49-d1ad166c3f52 > > The registered system name is: dell-per740-68-vm-05.lab.eng.pek2.redhat.com > > [root@dell-per740-68-vm-05 ~]# dnf -y update > > Updating Subscription Management repositories. > > Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) > 4.7 MB/s | 10 MB 00:02 > > Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) > 2.6 MB/s | 3.8 MB 00:01 > > Dependencies resolved. > > Nothing to do. > > Complete! > > > > [root@dell-per740-68-vm-05 ~]# dnf -y install rhc-worker-playbook > > > > > [root@dell-per740-68-vm-05 ~]# cat /etc/rhc/config.toml > # yggdrasil global configuration settings > > broker = ["wss://connect.cloud.stage.redhat.com:443"] > data-host = "cert.cloud.stage.redhat.com" > log-level = "debug" # optional > > cert-file = "/etc/pki/consumer/cert.pem" > key-file = "/etc/pki/consumer/key.pem" > > > [root@dell-per740-68-vm-05 ~]# systemctl cat rhcd.service > # /usr/lib/systemd/system/rhcd.service > [Unit] > Description=rhc daemon > Documentation=https://github.com/redhatinsights/yggdrasil > After=network-online.target > Requires=network-online.target > > [Service] > Type=simple > ExecStart=/usr/sbin/rhcd > > [Install] > WantedBy=multi-user.target > > # /etc/systemd/system/rhcd.service.d/override.conf > [Service] > Environment="HTTP_PROXY=http://squid.corp.redhat.com:3128" > Environment="HTTPS_PROXY=http://squid.corp.redhat.com:3128" > > > > [root@dell-per740-68-vm-05 ~]# cat /etc/insights-client/insights-client.conf > | grep proxy > > # URL for your proxy. Example: http://user:pass@192.168.100.50:8080 > proxy=http://squid.corp.redhat.com:3128 > > [root@dell-per740-68-vm-05 ~]# > > > > [root@dell-per740-68-vm-05 ~]# rhc connect > > Connecting dell-per740-68-vm-05.lab.eng.pek2.redhat.com to Red Hat. > > This might take a few seconds. > > > > ● This system is already connected to Red Hat Subscription Management > > ● Connected to Red Hat Insights > > ● Activated the rhc daemon > > > > Successfully connected to Red Hat! > > > > Manage your connected systems: https://red.ht/connector > > > > STEP DURATION > > rhsm 3ms > > insights 46.44s > > rhc 10ms > > > > The following errors were encountered during connect: > > > > STEP ERROR > > rhc Cannot get the user profile: Get > "https://subscription.rhsm.stage.redhat.com/redhat_access/r/insights/ > platform/config-manager/v2/profiles/current": tls: failed to verify > certificate: x509: certificate signed by unknown authority > > > So set the bug verified: FailedQA Confirmed that base_url should be set to workaround the 'x509: certificate signed by unknown authority' issue, and the system profile gathering should only works with the new API console.stage.redhat.com and with the endpoint that starts with api/ So pre-verification again: [root@dell-per740-68-vm-05 ~]# rpm -qa | grep rhc rhc-worker-playbook-0.1.8-5.el8.x86_64 rhc-0.2.4-0.2.git.a67ca4e.el8.x86_64 [root@dell-per740-68-vm-05 ~]# cat /etc/insights-client/insights-client.conf | egrep "proxy|base_url" base_url=cert.console.stage.redhat.com proxy=http://squid.corp.redhat.com:3128 [root@dell-per740-68-vm-05 ~]# cat /etc/rhc/config.toml # yggdrasil global configuration settings broker = ["wss://connect.cloud.stage.redhat.com:443"] data-host = "cert.cloud.stage.redhat.com" log-level = "debug" # optional cert-file = "/etc/pki/consumer/cert.pem" key-file = "/etc/pki/consumer/key.pem" [root@dell-per740-68-vm-05 ~]# systemctl cat rhcd.service # /usr/lib/systemd/system/rhcd.service [Unit] Description=rhc daemon Documentation=https://github.com/redhatinsights/yggdrasil After=network-online.target Requires=network-online.target [Service] Type=simple ExecStart=/usr/sbin/rhcd [Install] WantedBy=multi-user.target # /etc/systemd/system/rhcd.service.d/override.conf [Service] Environment="HTTP_PROXY=http://squid.corp.redhat.com:3128" Environment="HTTPS_PROXY=http://squid.corp.redhat.com:3128" [root@dell-per740-68-vm-05 ~]# subscription-manager register Registering to: subscription.rhsm.stage.redhat.com:443/subscription Username: insights-qa Password: The system has been registered with ID: f1850d19-3829-41db-8ecd-ae62d9303c9c The registered system name is: dell-per740-68-vm-05.lab.eng.pek2.redhat.com [root@dell-per740-68-vm-05 ~]# rhc connect Connecting dell-per740-68-vm-05.lab.eng.pek2.redhat.com to Red Hat. This might take a few seconds. ● This system is already connected to Red Hat Subscription Management ● Connected to Red Hat Insights ● Activated the rhc daemon ● Enabled console.redhat.com services: remediations, compliance, remote configuration, insights Successfully connected to Red Hat! Manage your connected systems: https://red.ht/connector STEP DURATION rhsm 5ms insights 49.157s rhc 20ms [root@dell-per740-68-vm-05 ~]# Set the bug verified:tested rhc version:
[root@kvm-02-guest04 ~]# rpm -qa | grep rhc
rhc-0.2.4-1.el8.x86_64
[root@kvm-02-guest04 ~]# rpm -qa | grep insights-client
insights-client-3.2.0-2.el8.noarch
[root@kvm-02-guest04 ~]# subscription-manager config --server.hostname=subscription.rhsm.stage.redhat.com
[root@kvm-02-guest04 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: a47124b9-bc27-471e-8760-b3c6169e1c12
The registered system name is: kvm-02-guest04.rhts.eng.brq.redhat.com
[root@kvm-02-guest04 ~]# subscription-manager repos --list-enabled
+----------------------------------------------------------+
Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID: rhel-8-for-x86_64-appstream-beta-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)
Repo URL: https://cdn.redhat.com/content/beta/rhel8/8/x86_64/appstream/os
Enabled: 1
Repo ID: rhel-8-for-x86_64-baseos-beta-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs)
Repo URL: https://cdn.redhat.com/content/beta/rhel8/8/x86_64/baseos/os
Enabled: 1
[root@kvm-02-guest04 ~]# dnf -y update
[root@kvm-02-guest04 ~]# dnf -y install rhc-worker-playbook
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:51 ago on Mon 21 Aug 2023 03:30:08 PM CEST.
Dependencies resolved.
======================================================================================
Package Arch Version Repository Size
======================================================================================
Installing:
rhc-worker-playbook x86_64 0.1.8-5.el8 beaker-AppStream 10 M
...
Installed:
ansible-core-2.15.2-1.el8.x86_64
git-core-2.39.3-1.el8_8.x86_64
mpdecimal-2.5.1-3.el8.x86_64
python3.11-3.11.4-4.el8.x86_64
python3.11-cffi-1.15.1-1.el8.x86_64
python3.11-cryptography-37.0.2-5.el8.x86_64
python3.11-libs-3.11.4-4.el8.x86_64
python3.11-pip-wheel-22.3.1-4.el8.noarch
python3.11-ply-3.11-1.el8.noarch
python3.11-pycparser-2.20-1.el8.noarch
python3.11-pyyaml-6.0-1.el8.x86_64
python3.11-setuptools-wheel-65.5.1-2.el8.noarch
rhc-worker-playbook-0.1.8-5.el8.x86_64
sshpass-1.09-4.el8.x86_64
Complete!
[root@kvm-02-guest04 ~]# cat /etc/rhc/config.toml
# rhc global configuration settings
broker = ["wss://connect.cloud.stage.redhat.com:443"]
data-host = "cert.cloud.stage.redhat.com"
log-level = "debug" # optional
cert-file = "/etc/pki/consumer/cert.pem"
key-file = "/etc/pki/consumer/key.pem"
[root@kvm-02-guest04 ~]# cat /etc/insights-client/insights-client.conf | egrep 'proxy=|base_url'
base_url=cert.console.stage.redhat.com
proxy=http://squid.corp.redhat.com:3128
[root@kvm-02-guest04 ~]# rhc connect
Connecting kvm-02-guest04.rhts.eng.brq.redhat.com to Red Hat.
This might take a few seconds.
Username: zpetracek
Password:
● Connected to Red Hat Subscription Management
● Connected to Red Hat Insights
● Activated the Remote Host Configuration daemon
● Enabled console.redhat.com services: remote configuration, insights, remediations, compliance
Successfully connected to Red Hat!
Manage your connected systems: https://red.ht/connector
STEP DURATION
rhsm 15.558s
insights 53.078s
Remote Host Configuration 165ms
^^ no error occured during connecting through rhc, therefore verification PASSED
[root@kvm-02-guest04 ~]# echo $?
0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: rhc security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:7058 |
Description of problem: `rhc connect` will fail to contact Insights config-manager when the host is configured with console.stage.redhat.com. Version-Release number of selected component (if applicable): ```console # (. /etc/os-release && echo "${NAME} ${VERSION}") Red Hat Enterprise Linux 8.8 (Ootpa) # rpm -q rhc insights-client rhc-0.2.2-1.el8.x86_64 insights-client-3.1.7-12.el8.noarch ``` How reproducible: 100% Steps to Reproduce: Provision a RHEL 8.8 VM (8.7 should also suffice) and execute the following: ```bash subscription-manager config --server.hostname=subscription.rhsm.stage.redhat.com subscription-manager register subscription-manager repos --list-enabled dnf -y update dnf -y install rhc-worker-playbook # see below vi /etc/rhc/config.toml systemctl edit rhcd.service vi /etc/insights-client/insights-client.conf rhc connect ``` /etc/rhc/config.toml: ``` broker = ["wss://connect.cloud.stage.redhat.com:443"] data-host = "cert.cloud.stage.redhat.com" log-level = "debug" # optional cert-file = "/etc/pki/consumer/cert.pem" key-file = "/etc/pki/consumer/key.pem" ``` systemctl edit rhcd.service: ``` [Service] Environment="HTTP_PROXY=http://squid.corp.redhat.com:3128" Environment="HTTPS_PROXY=http://squid.corp.redhat.com:3128" ``` /etc/insights-client/insights-client.conf: ``` [insights-client] proxy=http://squid.corp.redhat.com:3128 ``` Actual results: RHC fails to contact config-manager. ``` # rhc connect Connecting rhel8-0.rhc.home.arpa to Red Hat. This might take a few seconds. Username: insights-qa Password: ● Connected to Red Hat Subscription Management ● Connected to Red Hat Insights ● Activated the Remote Host Configuration daemon Successfully connected to Red Hat! Manage your connected systems: https://red.ht/connector STEP DURATION rhsm 8.288s insights 24.229s Remote Host Configuration 6ms The following errors were encountered during connect: STEP ERROR Remote Host Configuration Cannot get the user profile: cannot get system profile: 403 Forbidden ``` Expected results: RHC contacts config-manager. Additional info: This issue also exhibits if any of the following are set in `/etc/insights-client/insights-client.conf`: ``` base_url=cert-api.access.stage.redhat.com:443/r/insights base_url=cert-api.access.stage.redhat.com/r/insights base_url=cert-api.access.stage.redhat.com/api base_url=cert-api.access.stage.redhat.com base_url=cert.console.stage.redhat.com ```