Satellite 6.2 GA-ed today and users are unable to access the newly released 6.2 repositories that are part of their subscription:
Attempts to enable these repositories are met with errors that the repository does not exist:
# subscription-manager repos --enable rhel-7-server-satellite-6.2-rpms
Error: rhel-7-server-satellite-6.2-rpms is not a valid repository ID. Use --list option to see valid repositories.
Attempts to run 'subscription-manager refresh' do not resolve the issue. The only workaround is to completely un-register and re-register the system to get access to the newly released content:
# subscription-manager identity (make note of the system id value)
# subscription-manager clean
# subscription-manager register --consumerid=<SYSTEM_IDENTITY>
# subscription-manager remove --all
# subscription-manager attach --pool=<SATELLITE_SUB_POOL>
# subscription-manager repos --enable rhel-6-server-satellite-6.2-rpms
This appears to be an issue where a product is refreshed and if only a content set is changed the entitlement for a consumer is not marked as dirty. If I manually force certificate regeneration for the consumer with the rest API it fixes the problem.
curl -s --cert /etc/pki/consumer/cert.pem --key /etc/pki/consumer/key.pem -k -X PUT https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/certificates
(In reply to Barnaby Court from comment #1)
> This appears to be an issue where a product is refreshed and if only a
> content set is changed the entitlement for a consumer is not marked as
> dirty. If I manually force certificate regeneration for the consumer with
> the rest API it fixes the problem.
> curl -s --cert /etc/pki/consumer/cert.pem --key /etc/pki/consumer/key.pem
> -k -X PUT
Note, the above is meant to be run on the Satellite in question. And the consumer_id is provided via 'subscription-manager identity'
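A directly pasteable command is:
# Take the ID from the first line of the identity output and strip the space that cut leaves after the colon
CONSUMERID=$(subscription-manager identity | head -1 | cut -f 2 -d ":" | tr -d '[:space:]')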
curl -s --cert /etc/pki/consumer/cert.pem --key /etc/pki/consumer/key.pem -k -X PUT "https://subscription.rhn.redhat.com/subscription/consumers/$CONSUMERID/certificates"
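A hardened form of the pasteable command above, as an added example that is not part of the original comment or of Red Hat's tooling: it strips the whitespace `cut` leaves in front of the ID, rejects anything that is not UUID-shaped before it reaches the URL, and verifies the server certificate with `--cacert` instead of `-k`. The function names, the `--run` switch and the CA bundle path `/etc/rhsm/ca/redhat-uep.pem` are assumptions; the sample identity output is constructed.

```shell
#!/bin/sh
# Added example: validate the consumer ID and verify the server certificate
# instead of disabling verification with -k.

CA_BUNDLE="${CA_BUNDLE:-/etc/rhsm/ca/redhat-uep.pem}"        # assumed CA path
BASE_URL="https://subscription.rhn.redhat.com/subscription"  # host from the thread

# Read `subscription-manager identity` output on stdin and print the consumer ID.
# Takes the value after the first colon on line 1, strips whitespace, and fails
# unless the result is UUID-shaped, so nothing else is interpolated into the URL.
parse_consumer_id() {
    id=$(head -n 1 | cut -d ':' -f 2 | tr -d '[:space:]')
    if printf '%s\n' "$id" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        printf '%s\n' "$id"
    else
        return 1
    fi
}

# Build the certificate regeneration endpoint for one consumer ID.
regen_url() {
    printf '%s/consumers/%s/certificates\n' "$BASE_URL" "$1"
}

# Request regeneration with the consumer's client certificate, checking the
# server against CA_BUNDLE and failing on HTTP errors instead of hiding them.
request_regen() {
    consumer_id=$(subscription-manager identity | parse_consumer_id) || {
        echo "could not read a valid consumer ID" >&2
        return 1
    }
    curl -sS --fail --cacert "$CA_BUNDLE" \
        --cert /etc/pki/consumer/cert.pem --key /etc/pki/consumer/key.pem \
        -X PUT "$(regen_url "$consumer_id")"
}

# Constructed sample output, used to exercise the parser offline.
SAMPLE_IDENTITY='system identity: 0f3a9c1e-1111-2222-3333-444455556666
name: sat62.example.com
org name: 1234567'

# Contact the server only when asked to: sh regen.sh --run
if [ "${1:-}" = "--run" ]; then request_regen; fi
```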
Customer is reporting that after applying the above steps:
- they now have access to rhel-7-server-satellite-6.2-rpms
- they do not have access to the capsule or tools repos for 6.2:
2016-07-28 09:40:29 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata
2016-07-28 09:47:24 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.2/os/repodata/repomd.xml (Katello::Errors::SecurityViolation)
Is this also related with this issue or is it a different problem?
The above is a different issue. This KCS here appears to resolve the issue:
We have modified some data in the customer portal which should refresh this issue. If you are using subscription-manager please execute the following:
If you are using Satellite 6, please go to
Content -> Red Hat Subscriptions -> Manage Manifest
and click the "Refresh Manifest" button
The data should now be available.
I will leave this bug open until I get customer feedback that it is fixed.
As an additional workaround/solution to the problem, subscription manager has been updated accordingly:
Author: Chris Rog <firstname.lastname@example.org>
Date: Fri Jul 29 12:21:22 2016 -0400
1360909: The refresh command now requests entitlement cert regeneration
- When the refresh command is issued on the CLI, subman will request
entitlement certificate regeneration (lazily) for the active consumer
Based on the verification step in comment 16, moving the bug to verified.
Re-opening this as it appears to be re-occurring.
Moving back to on_qa as the fix in sub-man 1.17 has been taken care of and verified in test environments. I cloned to it-pnt for the portal fix to open the firewall rules to enable the updates here to work. This should be moved back to verified & released
Moving back to VERIFIED per the testing in comment 16 used to verify the developer's fix in comment 13. Note that this verification applies to the subscription-manager component changes only. Additional changes are needed server-side (by IT-Candlepin) so that a subscription-manager refresh will pick up the newly released content from the entitlement server. Per comment 31, the server-side work is now being tracked in cloned bug 1373633 where all of the external trackers have been copied to.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.