Bug 1360909 - Clients unable to access newly released content (Satellite 6.2 GA)
Summary: Clients unable to access newly released content (Satellite 6.2 GA)
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: 7.3
Assignee: candlepin-bugs
QA Contact: John Sefler
Keywords: Reopened
Depends On:
Blocks: CEE_Sat6_Top_BZs, GSS_Sat6_Top_Bugs
Reported: 2016-07-27 19:45 UTC by Mike McCune
Modified: 2018-03-05 13:14 UTC

Clone Of:
: 1373633
Last Closed: 2016-11-03 20:30:04 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2592 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2016-11-03 12:10:42 UTC
Github candlepin subscription-manager pull 1459 None None None 2016-08-08 19:56 UTC
Red Hat Bugzilla 1366301 None CLOSED subscription-manager refresh causes: Server error attempting a PUT to /subscription/consumers/<UUID>/certificates?lazy_r... 2019-06-13 15:28 UTC
Red Hat Bugzilla 1440001 None CLOSED Entitlement certs are deleted and re-generated after running 'subscription-manager refresh' against Stage candlepin 2019-06-13 15:28 UTC
Red Hat Knowledge Base (Solution) 2472261 None None None 2016-10-26 18:20 UTC

Internal Trackers: 1366301 1440001

Description Mike McCune 2016-07-27 19:45:44 UTC
Satellite 6.2 GA-ed today and users are unable to access the newly released 6.2 repositories that are part of their subscription:


Attempts to enable these repositories are met with errors that the repository does not exist:

# subscription-manager repos --enable rhel-7-server-satellite-6.2-rpms
Error: rhel-7-server-satellite-6.2-rpms is not a valid repository ID. Use --list option to see valid repositories.

Attempts to run 'subscription-manager refresh' do not resolve the issue. The only workaround is to completely un-register and re-register the system to get access to the newly released content:


# subscription-manager identity (make note of the system id value)
# subscription-manager clean
# subscription-manager register --consumerid=<SYSTEM_IDENTITY>
# subscription-manager remove --all
# subscription-manager attach --pool=<SATELLITE_SUB_POOL> 
# subscription-manager repos --enable rhel-6-server-satellite-6.2-rpms

Comment 1 Barnaby Court 2016-07-27 20:12:37 UTC
This appears to be an issue where a product is refreshed and if only a content set is changed the entitlement for a consumer is not marked as dirty. If I manually force certificate regeneration for the consumer with the REST API it fixes the problem.

curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/certificates

Comment 2 Rich Jerrido 2016-07-27 20:21:57 UTC
(In reply to Barnaby Court from comment #1)
> This appears to be an issue where a product is refreshed and if only a
> content set is changed the entitlement for a consumer is not marked as
> dirty. If I manually force certificate regeneration for the consumer with
> the rest API it fixes the problem.
> curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem 
> -k -X PUT
> https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/
> certificates

Note, the above is meant to be run on the Satellite in question. And the consumer_id is provided via 'subscription-manager identity' 

A directly pasteable command is:

# Strip the space that follows "system identity:" so the URL is well-formed
CONSUMERID=$(subscription-manager identity | head -1 | cut -f 2 -d ":" | tr -d ' ')
curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT "https://subscription.rhn.redhat.com/subscription/consumers/$CONSUMERID/certificates"
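
An added example, not part of the original bug comments or of subscription-manager: the certificate-regeneration call from comments 1 and 2 with the server certificate verified instead of `-k`, and the consumer UUID validated before it is placed in the URL. The CA bundle path /etc/rhsm/ca/redhat-uep.pem, the function names and the sample identity output are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hardened form of the certificate-regeneration workaround.
# ASSUMPTION: subscription-manager installs the Red Hat entitlement CA at the
# path below and the entitlement server's certificate chains to it.
CA_BUNDLE="${CA_BUNDLE:-/etc/rhsm/ca/redhat-uep.pem}"
BASE_URL="https://subscription.rhn.redhat.com/subscription"

# Read `subscription-manager identity` output on stdin and print the consumer
# UUID. Returns 1 if the value is not a canonical UUID.
parse_consumer_id() {
    raw=$(sed -n 's/^system identity:[[:space:]]*//p' | head -n 1 | tr -d '[:space:]')
    # Accept only a UUID so nothing else can reach the request path.
    printf '%s\n' "$raw" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' || return 1
    printf '%s\n' "$raw"
}

# Build the regeneration endpoint for a consumer UUID.
regen_url() {
    printf '%s/consumers/%s/certificates\n' "$BASE_URL" "$1"
}

# Run on the registered host to request entitlement certificate regeneration.
regenerate_certs() {
    cid=$(subscription-manager identity | parse_consumer_id) || {
        echo "could not determine consumer UUID" >&2
        return 1
    }
    # --cacert replaces -k: the server certificate is verified, so the
    # client-authenticated PUT only goes to the genuine entitlement server.
    # --fail turns an HTTP error status into a non-zero exit code.
    curl --silent --show-error --fail \
         --cacert "$CA_BUNDLE" \
         --cert /etc/pki/consumer/cert.pem \
         --key /etc/pki/consumer/key.pem \
         -X PUT "$(regen_url "$cid")"
}

# Constructed sample of `subscription-manager identity` output (not real data).
SAMPLE_IDENTITY='system identity: 0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b
name: sat62.example.com
org name: 1234567
org ID: 1234567'
```

The block only defines functions; call regenerate_certs as root on the affected system to issue the request.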

Comment 5 Julio Entrena Perez 2016-07-28 08:55:35 UTC
Customer is reporting that after applying the above steps:

- they now have access to rhel-7-server-satellite-6.2-rpms


- they do not have access to the capsule or tools repos for 6.2:

2016-07-28 09:40:29 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata

2016-07-28 09:47:24 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.2/os/repodata/repomd.xml (Katello::Errors::SecurityViolation)

Is this also related with this issue or is it a different problem?

Comment 6 Mike McCune 2016-07-28 17:11:12 UTC
The above is a different issue. This KCS here appears to resolve the issue:


Comment 11 Bryan Kearney 2016-08-02 21:56:30 UTC
We have modified some data in the customer portal which should refresh this issue. If you are using subscription-manager please execute the following:

subscription-manager refresh

If you are using Satellite 6, please go to 

Content -> Red Hat Subscriptions -> Manage Manifest 

and click the "Refresh Manifest" button

The data should now be available.

I will leave this bug open until I get customer feedback that it is fixed.

Comment 13 Chris "Ceiu" Rog 2016-08-08 19:53:33 UTC
As an additional workaround/solution to the problem, subscription manager has been updated accordingly:

commit 0a2f90c86f4d7a6aec88a6fe3d3e91bbff6b2e8f
Author: Chris Rog <crog@redhat.com>
Date:   Fri Jul 29 12:21:22 2016 -0400

    1360909: The refresh command now requests entitlement cert regeneration
    - When the refresh command is issued on the CLI, subman will request
      entitlement certificate regeneration (lazily) for the active consumer

Comment 17 Rehana 2016-08-10 13:46:41 UTC
Based on the verification step in comment 16, moving the bug to verified.

Comment 27 Mike McCune 2016-08-22 16:32:23 UTC
Re-opening this as it appears to be re-occurring.

Comment 31 Barnaby Court 2016-09-06 20:38:52 UTC
Moving back to on_qa as the fix in sub-man 1.17 has been taken care of and verified in test environments. I cloned to it-pnt for the portal fix to open the firewall rules to enable the updates here to work. This should be moved back to verified & released

Comment 32 John Sefler 2016-09-06 21:16:51 UTC
Moving back to VERIFIED per the testing in comment 16 used to verify the developer's fix in comment 13.  Note that this verification applies to the subscription-manager component changes only.  Additional changes are needed server-side (by IT-Candlepin) so that a subscription-manager refresh will pick up the newly released content from the entitlement server.  Per comment 31, the server-side work is now being tracked in cloned bug 1373633 where all of the external trackers have been copied to.

Comment 34 errata-xmlrpc 2016-11-03 20:30:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

