Bug 1360909 - Clients unable to access newly released content (Satellite 6.2 GA)
Summary: Clients unable to access newly released content (Satellite 6.2 GA)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.3
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 7.3
Assignee: candlepin-bugs
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: CEE_Sat6_Top_BZs, GSS_Sat6_Top_Bugs
TreeView+ depends on / blocked
 
Reported: 2016-07-27 19:45 UTC by Mike McCune
Modified: 2020-01-17 15:51 UTC (History)
25 users (show)

Fixed In Version: subscription-manager-1.17-10-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1373633 (view as bug list)
Environment:
Last Closed: 2016-11-03 20:30:04 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Github candlepin subscription-manager pull 1459 'None' closed 1360909: The refresh command now requests entitlement cert regeneration 2020-07-03 03:38:46 UTC
Red Hat Bugzilla 1366301 'high' 'CLOSED' 'subscription-manager refresh causes: Server error attempting a PUT to /subscription/consumers/<UUID>/certificates?lazy_... 2019-11-27 06:06:01 UTC
Red Hat Bugzilla 1440001 'unspecified' 'CLOSED' 'Entitlement certs are deleted and re-generated after running ''subscription-manager refresh'' against Stage candlepin' 2019-11-27 06:06:01 UTC
Red Hat Knowledge Base (Solution) 2472261 None None None 2016-10-26 18:20:57 UTC
Red Hat Product Errata RHSA-2016:2592 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2016-11-03 12:10:42 UTC

Internal Links: 1366301 1440001

Description Mike McCune 2016-07-27 19:45:44 UTC 
Satellite 6.2 GA-ed today and users are unable to access the newly released 6.2 repositories that are part of their subscription:

 rhel-6-server-satellite-6.2-rpms 
 rhel-7-server-satellite-6.2-rpms 

Attempts to enable these repositories are met with errors that the repository does not exist:

# subscription-manager repos --enable rhel-7-server-satellite-6.2-rpms
Error: rhel-7-server-satellite-6.2-rpms is not a valid repository ID. Use --list option to see valid repositories.

attempts to run 'subscription-manager refresh' do not resolve the issue. The only work around is to completely un-register and re-register the system to get access to the newly released content:

WORKAROUND:

# subscription-manager identity (make note of the system id value)
# subscription-manager clean
# subscription-manager register --consumerid=<SYSTEM_IDENTITY>
# subscription-manager remove --all
# subscription-manager attach --pool=<SATELLITE_SUB_POOL> 
# subscription-manager repos --enable rhel-6-server-satellite-6.2-rpms
Comment 1 Barnaby Court 2016-07-27 20:12:37 UTC 
This appears to be an issue where a product is refreshed and if only a content set is changed the entitlement for a consumer is not marked as dirty. If I manually force certificate regeneration for the consumer with the rest API it fixes the problem.

curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/certificates
Comment 2 Rich Jerrido 2016-07-27 20:21:57 UTC 
(In reply to Barnaby Court from comment #1)
> This appears to be an issue where a product is refreshed and if only a
> content set is changed the entitlement for a consumer is not marked as
> dirty. If I manually force certificate regeneration for the consumer with
> the rest API it fixes the problem.
> 
> curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem 
> -k -X PUT
> https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/
> certificates

Note, the above is meant to be run on the Satellite in question. And the consumer_id is provided via 'subscription-manager identity' 

An directly pasteable command is 

CONSUMERID=$(subscription-manager identity | head -1 | cut -f 2 -d ":")
curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT "https://subscription.rhn.redhat.com/subscription/consumers/$CONSUMERID/certificates"
Comment 5 Julio Entrena Perez 2016-07-28 08:55:35 UTC 
Customer is reporting that after applying the above steps:

- they now have access to rhel-7-server-satellite-6.2-rpms

but

- they do not have access to the capsule or tools repos for 6.2:

2016-07-28 09:40:29 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata

2016-07-28 09:47:24 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.2/os/repodata/repomd.xml (Katello::Errors::SecurityViolation)

Is this also related with this issue or is it a different problem?
Comment 6 Mike McCune 2016-07-28 17:11:12 UTC 
The above is a different issue. This KCS here appears to resolve the issue:

https://access.redhat.com/solutions/1582083
Comment 11 Bryan Kearney 2016-08-02 21:56:30 UTC 
We have modified some data in the customer portal which should refresh this issue. If you are using subscription-manager please execute the following:

subscription-manager refresh

If you are using Satellite 6, please go to 

Content -> Red Hat Subscriptions -> Manage Manifest 

and click the "Refresh Manifest" button

The data should now be available.

I will leave this bug open until I get customer feedback that it is fixed.
Comment 13 Chris "Ceiu" Rog 2016-08-08 19:53:33 UTC 
As an additional workaround/solution to the problem, subscription manager has been updated accordingly:


commit 0a2f90c86f4d7a6aec88a6fe3d3e91bbff6b2e8f
Author: Chris Rog <crog@redhat.com>
Date:   Fri Jul 29 12:21:22 2016 -0400

    1360909: The refresh command now requests entitlement cert regeneration
    
    - When the refresh command is issued on the CLI, subman will request
      entitlement certificate regeneration (lazily) for the active consumer
Comment 17 Rehana 2016-08-10 13:46:41 UTC 
based on the verification step in comment 16 , moving the bug to verified
Comment 27 Mike McCune 2016-08-22 16:32:23 UTC 
re-opening this as it appears to be re-occurring
Comment 31 Barnaby Court 2016-09-06 20:38:52 UTC 
Moving back to on_qa as the fix in sub-man 1.17 has been taken care of and verified in test environments. I cloned to it-pnt for the portal fix to open the firewall rules to enable the updates here to work. This should be moved back to verified & released
Comment 32 John Sefler 2016-09-06 21:16:51 UTC 
Moving back to VERIFIED per the testing in comment 16 used to verify the developer's fix in comment 13.  Note that this verification applies to the subscription-manager component changes only.  Additional changes are needed server-side (by IT-Candlepin) so that a subscription-manager refresh will pick up the newly released content from the entitlement server.  Per comment 31, the server-side work is now being tracked in cloned bug 1373633 where all of the external trackers have been copied to.
Comment 34 errata-xmlrpc 2016-11-03 20:30:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html
Note You need to log in before you can comment on or make changes to this bug.