Bug 908026

Summary: Feed certs from new manifest are never updated in pulp
Product: Red Hat Satellite Reporter: Justin Sherrill <jsherril>
Component: Content ManagementAssignee: Justin Sherrill <jsherril>
Status: CLOSED CURRENTRELEASE QA Contact: Garik Khachikyan <gkhachik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0.1CC: bbuckingham, gkhachik, hhovsepy, mkoci, mmccune, omaciel
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-04-24 17:07:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 971445    
Bug Blocks:    

Description Justin Sherrill 2013-02-05 17:03:47 UTC 
Description of problem:
The feed certs for our repositories imported from a manifest are never updated, even when a new manifest is imported.  Thus the certificates from the first ever imported manifest within an org are always used.  

We need to simply update the Repository object with the new feed and cert from the product when importing a new manifest.


Version-Release number of selected component (if applicable):
CFSE 1.0, 1.1   Katello ALL

How reproducible:
Always

Steps to Reproduce:
1.  Create a distributor within the support portal and download manifest
2.  Import the manifest
3.  From support portal, delete all subscriptions for that distributor
4.  Add same subscriptions back
5.  Download and import new manifest into the same org
  
Actual results:
Certificates in /etc/pki/pulp/content/  should have been updated from the new manifest.

Expected results:
Certificates in /etc/pki/pulp/content/ are left over from initial manifest

Additional info:
This was originally found when someone imported a manifest from ~a year ago and could not sync content even after importing a new manifest.  All the certs in /etc/pki/pulp/content/  were expired because they were from the year old manifest.  (Expiration time on certs by default from customer portal is 1 year)
Comment 3 Justin Sherrill 2013-05-23 13:28:40 UTC 
https://github.com/Katello/katello/pull/2354
Comment 5 Sam Kottler 2013-05-23 23:41:11 UTC 
Moving to ON_QA for drop 2.
Comment 7 Justin Sherrill 2013-06-06 13:33:07 UTC 
In the original description I believe i misunderstood where the certs were stored.  They are actually stored within the mongodb.  

The easiest way to look them:

# mongo
> use pulp_database

list the repoids:
> db.repos.find({}, {'id':1})


print the private key for the correct repo id:
> db.repo_importers.find({'repo_id':'ACME_Corporation-Red_Hat_Enterprise_Linux_Server-Red_Hat_Enterprise_Linux_6_Server_RPMs_x86_64_6Server'})[0]['config']['ssl_client_key']
Comment 8 Garik Khachikyan 2013-06-06 13:39:51 UTC 
as well as under:
/var/lib/pulp/working/repos/AwesomeOrg-Red_Hat_Enterprise_Linux_Server-Red_Hat_Enterprise_Linux_6_Server_RPMs_x86_64_6_4/importers/yum_importer

---
they are: ssl_ca_cert; ssl_client_cert; ssl_client_key
Comment 9 Garik Khachikyan 2013-06-18 14:06:08 UTC 
requesting sat-6.0.2 as the blocker one is decided to have fixed on sat-6.0.2

it is not a real blocker as worst case the org can be removed and the same scenario could be repeated with the new manifest :)
Comment 10 Og Maciel 2013-06-18 19:12:24 UTC 
As per comment #9 and chat with DEV, removing 6.0.1 flag.
Comment 11 Mike McCune 2013-08-16 17:52:31 UTC 
getting rid of 6.0.0 version since that doesn't exist
Comment 12 Garik Khachikyan 2013-10-09 14:24:48 UTC 
# VERIFIED

performing all the steps in comment#0 i was able to see the certificate info updated: ssl_client_cert

considering the issue fixed at:
---
candlepin-0.8.25-1.el6sam.noarch
candlepin-scl-1-5.el6_4.noarch
candlepin-scl-quartz-2.1.5-5.el6_4.noarch
candlepin-scl-rhino-1.7R3-1.el6_4.noarch
candlepin-scl-runtime-1-5.el6_4.noarch
candlepin-selinux-0.8.25-1.el6sam.noarch
candlepin-tomcat6-0.8.25-1.el6sam.noarch
createrepo-0.9.9-21.2.pulp.el6sat.noarch
elasticsearch-0.19.9-8.el6sat.noarch
katello-1.4.6-21.el6sat.noarch
katello-all-1.4.6-21.el6sat.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-certs-tools-1.4.4-1.el6sat.noarch
katello-cli-1.4.3-18.el6sat.noarch
katello-cli-common-1.4.3-18.el6sat.noarch
katello-common-1.4.6-21.el6sat.noarch
katello-configure-1.4.5-9.el6sat.noarch
katello-configure-foreman-1.4.5-9.el6sat.noarch
katello-configure-foreman-proxy-1.4.5-9.el6sat.noarch
katello-foreman-all-1.4.6-21.el6sat.noarch
katello-glue-candlepin-1.4.6-21.el6sat.noarch
katello-glue-elasticsearch-1.4.6-21.el6sat.noarch
katello-glue-pulp-1.4.6-21.el6sat.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-selinux-1.4.4-4.el6sat.noarch
m2crypto-0.21.1.pulp-8.el6sat.x86_64
mod_wsgi-3.4-1.pulp.el6sat.x86_64
pulp-katello-plugins-0.2-1.el6sat.noarch
pulp-nodes-common-2.3.0-0.17.beta.el6sat.noarch
pulp-nodes-parent-2.3.0-0.17.beta.el6sat.noarch
pulp-puppet-plugins-2.3.0-0.17.beta.el6sat.noarch
pulp-rpm-plugins-2.3.0-0.17.beta.el6sat.noarch
pulp-selinux-2.3.0-0.17.beta.el6sat.noarch
pulp-server-2.3.0-0.17.beta.el6sat.noarch
python-isodate-0.5.0-1.pulp.el6sat.noarch
python-oauth2-1.5.170-3.pulp.el6sat.noarch
python-pulp-bindings-2.3.0-0.17.beta.el6sat.noarch
python-pulp-common-2.3.0-0.17.beta.el6sat.noarch
python-pulp-puppet-common-2.3.0-0.17.beta.el6sat.noarch
python-pulp-rpm-common-2.3.0-0.17.beta.el6sat.noarch
python-qpid-0.18-5.el6_4.noarch
qpid-cpp-client-0.14-22.el6_3.x86_64
qpid-cpp-client-ssl-0.14-22.el6_3.x86_64
qpid-cpp-server-0.14-22.el6_3.x86_64
qpid-cpp-server-ssl-0.14-22.el6_3.x86_64
ruby193-rubygem-foreman-katello-engine-0.0.14-4.el6sat.noarch
ruby193-rubygem-katello-foreman-engine-0.0.7-2.el6sat.noarch
ruby193-rubygem-katello_api-0.0.3-4.el6sat.noarch
ruby193-rubygem-ldap_fluff-0.2.2-2.el6sat.noarch
signo-katello-0.0.20-3.el6sat.noarch
Comment 13 Bryan Kearney 2014-04-24 17:07:43 UTC 
This was verified and delivered with MDP2. Closing it out.