We need the cert in a docker based image, but we do not want the python or more specifically the requires python package. We want to get to the point where we could use a docker image without python being included.
Acking 7.1
(In reply to Daniel Walsh from comment #0)
> We need the cert in a docker based image, but we do not want the python or
> more specifically the requires python package.
>
> We want to get to the point where we could use a docker image without python
> being included.

Which cert?
It has been a while, but we wanted these in a subpackage, I believe.
/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/candlepin-stage.pem
/etc/rhsm/ca/redhat-uep.pem
This bz now only applies to /etc/rhsm/ca/redhat-uep.pem, as /etc/rhsm/ca/candlepin-stage.pem is being removed anyways per https://bugzilla.redhat.com/show_bug.cgi?id=1242057
Well it has been two years since we requested this. Aaron do you remember?
The CA /etc/rhsm/ca/redhat-uep.pem is used for securely connecting to CDN to install RPMs inside the running container.
Aaron, The tools used to install the RPMs are all built using python, and require the python-rhsm package in order to properly generate the repo files used to connect to the CDN. Why do you need the files separated out into a new RPM if the other packages would still be required?
I think the initial BZ comment made 2 years ago says it pretty clearly:
> We need the cert in a docker based image, but we do not want the python or more specifically the requires python package.
> We want to get to the point where we could use a docker image without python being included.

Bottom line is if we eliminate all of the python dependencies in the base image we will still want the CA cert to make secure calls to Red Hat. Can we add the rhsm CA certs to redhat-release? I understand we have already done this with product certs. It is also similar to the method used to install the default rpm GPG keys.
We have a use case where we need these certificates on non Red Hat systems so adding them to redhat-release where only RHEL has access would be problematic. The certificate will be packaged with a new rhsm-certificates rpm.
Pull Request: https://github.com/candlepin/python-rhsm/pull/173/commits
Commits: 14aecdf15ba841fce1769d38cfecc8b621a565aa
[root@dhcp35-128 ~]# rpm -qa | grep python-rhsm
python-rhsm-1.17.5-1.el7.x86_64
python-rhsm-certificates-1.17.5-1.el7.x86_64

python-rhsm is dependent on python-rhsm-certificate:
-------------------------------------------------------
[root@dhcp35-128 ~]# yum install python-rhsm-1.17.5-1.el7.x86_64.rpm -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.2-1.el7.x86_64
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.2-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
--> Processing Dependency: python-rhsm-certificates = 1.17.5-1.el7 for package: python-rhsm-1.17.5-1.el7.x86_64
--> Finished Dependency Resolution
Error: Package: python-rhsm-1.17.5-1.el7.x86_64 (/python-rhsm-1.17.5-1.el7.x86_64)
Requires: python-rhsm-certificates = 1.17.5-1.el7
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

python-rhsm no longer contains /etc/rhsm/ca/redhat-uep.pem:
-----------------------------------------------------------------
[root@dhcp35-128 ~]# rpm -ql python-rhsm | grep "/etc/rhsm/ca/"
[root@dhcp35-128 ~]#

/etc/rhsm/ca/redhat-uep.pem is moved to python-rhsm-certificates:
------------------------------------------------------------------------
[root@dhcp35-128 ~]# rpm -ql python-rhsm-certificates | grep "/etc/rhsm/ca/"
/etc/rhsm/ca/redhat-uep.pem

No selinux denials while installing:
-------------------------------------------------------------
[root@shwetha-workstation ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@shwetha-workstation ~]# yum install python-rhsm-* -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Examining python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64
python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.4-1.el7.x86_64.rpm: python-rhsm-1.17.4-1.el7.x86_64
python-rhsm-1.17.4-1.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.4-1.el7.x86_64
Examining python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm: python-rhsm-certificates-1.17.5-1.el7.x86_64
Marking python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.4-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
---> Package python-rhsm-certificates.x86_64 0:1.17.5-1.el7 will be installed
--> Finished Dependency Resolution
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
To address this issue please refer to the below knowledge base article
https://access.redhat.com/solutions/69319
If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
Dependencies Resolved
========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
python-rhsm-certificates x86_64 1.17.5-1.el7 /python-rhsm-certificates-1.17.5-1.el7.x86_64 7.6 k
Updating:
python-rhsm x86_64 1.17.5-1.el7 /python-rhsm-1.17.5-1.el7.x86_64 341 k
Transaction Summary
========================================================================================================================================================================
Install 1 Package
Upgrade 1 Package
Total size: 348 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : python-rhsm-certificates-1.17.5-1.el7.x86_64 1/3
Updating : python-rhsm-1.17.5-1.el7.x86_64 2/3
Cleanup : python-rhsm-1.17.4-1.el7.x86_64 3/3
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
failure: repodata/repomd.xml from admin-content-label: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Verifying : python-rhsm-1.17.5-1.el7.x86_64 1/3
Verifying : python-rhsm-certificates-1.17.5-1.el7.x86_64 2/3
Verifying : python-rhsm-1.17.4-1.el7.x86_64 3/3
Installed:
python-rhsm-certificates.x86_64 0:1.17.5-1.el7
Updated:
python-rhsm.x86_64 0:1.17.5-1.el7
Complete!
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
Augmenting verification comment 24...

The new package python-rhsm-certificates is minimal, provides only one file (redhat-uep.pem), and depends only on rpmlib...

[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates
python-rhsm-certificates-1.17.5-1.el7.x86_64
[root@jsefler-rhel7 ~]# rpm -ql python-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/redhat-uep.pem
[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --requires
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

As demonstrated in comment 24, package python-rhsm now depends on python-rhsm-certificates...

[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --whatrequires
python-rhsm-1.17.5-1.el7.x86_64
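
Added example (not part of the bug report or the python-rhsm project): a shell check that automates the verification above for a minimal image, by finding the package that owns the CA file and flagging any dependency that is not an rpmlib() feature. The sample dependency lists are constructed; the first repeats the `rpm -q --requires` output quoted above, and `python >= 2.7` and `m2crypto` are illustrative entries only.

```shell
#!/bin/sh
# Added example: confirm the package shipping the RHSM CA certificate pulls
# nothing into the image beyond rpmlib() features (no Python, no other runtime).

CA_FILE=/etc/rhsm/ca/redhat-uep.pem   # path taken from the bug report

# Read `rpm -q --requires` output on stdin; print each non-rpmlib dependency name.
non_rpmlib_requires() {
    awk 'NF && $1 !~ /^rpmlib\(/ { print $1 }' | sort -u
}

# Return 0 when the requires list on stdin is rpmlib-only, 1 otherwise.
requires_are_minimal() {
    extra=$(non_rpmlib_requires)
    if [ -n "$extra" ]; then
        # $extra is left unquoted on purpose: one message per dependency
        printf 'unexpected dependency: %s\n' $extra >&2
        return 1
    fi
    return 0
}

# Live check on an RPM-based system: who owns the CA file, what does it require?
audit_ca_package() {
    owner=$(rpm -qf --queryformat '%{NAME}\n' "$CA_FILE") || return 2
    echo "owner of $CA_FILE: $owner"
    rpm -q --requires "$owner" | requires_are_minimal
}

# Constructed sample inputs for offline use.
SAMPLE_MINIMAL='rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1'
SAMPLE_WITH_PYTHON="$SAMPLE_MINIMAL
python >= 2.7
m2crypto"

# Run the live audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then audit_ca_package; fi
```

Run with `--live` inside the image as part of a build check; a non-zero exit means the certificate package would drag in something the base image is meant to exclude.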
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2592.html