Bug 1360909 – Clients unable to access newly released content (Satellite 6.2 GA)

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1360909 - Clients unable to access newly released content (Satellite 6.2 GA)

Summary:	Clients unable to access newly released content (Satellite 6.2 GA)

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	subscription-manager (Show other bugs)
Sub Component:
Version:	7.3
Hardware:	Unspecified Unspecified

Priority	high Severity high
Target Milestone:	beta
Target Release:	7.3
Assigned To:	candlepin-bugs
QA Contact:	John Sefler
Docs Contact:

URL:
Whiteboard:
Keywords:	Reopened

Depends On:
Blocks:	CEE_Sat6_Top_BZs/GSS_Sat6_Top_Bugs
	Show dependency tree / graph

Reported:	2016-07-27 15:45 EDT by Mike McCune
Modified:	2018-03-05 08:14 EST (History)
CC List:	25 users (show)

See Also:	1366301 1440001
Fixed In Version:	subscription-manager-1.17-10-1
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Clones:	1373633 (view as bug list)
Environment:
Last Closed:	2016-11-03 16:30:04 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2472261	None	None	None	2016-10-26 14:20 EDT
Github	candlepin/subscription-manager/pull/1459	None	None	None	2016-08-08 15:56 EDT
Red Hat Product Errata	RHSA-2016:2592	normal	SHIPPED_LIVE	Moderate: subscription-manager security, bug fix, and enhancement update	2016-11-03 08:10:42 EDT

Groups: None (edit)

Description Mike McCune 2016-07-27 15:45:44 EDT

Satellite 6.2 GA-ed today and users are unable to access the newly released 6.2 repositories that are part of their subscription:

 rhel-6-server-satellite-6.2-rpms 
 rhel-7-server-satellite-6.2-rpms 

Attempts to enable these repositories are met with errors that the repository does not exist:

# subscription-manager repos --enable rhel-7-server-satellite-6.2-rpms
Error: rhel-7-server-satellite-6.2-rpms is not a valid repository ID. Use --list option to see valid repositories.

attempts to run 'subscription-manager refresh' do not resolve the issue. The only work around is to completely un-register and re-register the system to get access to the newly released content:

WORKAROUND:

# subscription-manager identity (make note of the system id value)
# subscription-manager clean
# subscription-manager register --consumerid=<SYSTEM_IDENTITY>
# subscription-manager remove --all
# subscription-manager attach --pool=<SATELLITE_SUB_POOL> 
# subscription-manager repos --enable rhel-6-server-satellite-6.2-rpms

Comment 1 Barnaby Court 2016-07-27 16:12:37 EDT

This appears to be an issue where a product is refreshed and if only a content set is changed the entitlement for a consumer is not marked as dirty. If I manually force certificate regeneration for the consumer with the rest API it fixes the problem.

curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/certificates

Comment 2 Rich Jerrido 2016-07-27 16:21:57 EDT

(In reply to Barnaby Court from comment #1)
> This appears to be an issue where a product is refreshed and if only a
> content set is changed the entitlement for a consumer is not marked as
> dirty. If I manually force certificate regeneration for the consumer with
> the rest API it fixes the problem.
> 
> curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem 
> -k -X PUT
> https://subscription.rhn.redhat.com/subscription/consumers/<consumer_id>/
> certificates

Note, the above is meant to be run on the Satellite in question. And the consumer_id is provided via 'subscription-manager identity' 

An directly pasteable command is 

CONSUMERID=$(subscription-manager identity | head -1 | cut -f 2 -d ":")
curl -s --cert /etc/pki/consumer/cert.pem  --key /etc/pki/consumer/key.pem  -k -X PUT "https://subscription.rhn.redhat.com/subscription/consumers/$CONSUMERID/certificates"

Comment 5 Julio Entrena Perez 2016-07-28 04:55:35 EDT

Customer is reporting that after applying the above steps:

- they now have access to rhel-7-server-satellite-6.2-rpms

but

- they do not have access to the capsule or tools repos for 6.2:

2016-07-28 09:40:29 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata

2016-07-28 09:47:24 [E] CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.2/os/repodata/repomd.xml (Katello::Errors::SecurityViolation)

Is this also related with this issue or is it a different problem?

Comment 6 Mike McCune 2016-07-28 13:11:12 EDT

The above is a different issue. This KCS here appears to resolve the issue:

https://access.redhat.com/solutions/1582083

Comment 11 Bryan Kearney 2016-08-02 17:56:30 EDT

We have modified some data in the customer portal which should refresh this issue. If you are using subscription-manager please execute the following:

subscription-manager refresh

If you are using Satellite 6, please go to 

Content -> Red Hat Subscriptions -> Manage Manifest 

and click the "Refresh Manifest" button

The data should now be available.

I will leave this bug open until I get customer feedback that it is fixed.

Comment 13 Chris "Ceiu" Rog 2016-08-08 15:53:33 EDT

As an additional workaround/solution to the problem, subscription manager has been updated accordingly:


commit 0a2f90c86f4d7a6aec88a6fe3d3e91bbff6b2e8f
Author: Chris Rog <crog@redhat.com>
Date:   Fri Jul 29 12:21:22 2016 -0400

    1360909: The refresh command now requests entitlement cert regeneration
    
    - When the refresh command is issued on the CLI, subman will request
      entitlement certificate regeneration (lazily) for the active consumer

Comment 17 Rehana 2016-08-10 09:46:41 EDT

based on the verification step in comment 16 , moving the bug to verified

Comment 27 Mike McCune 2016-08-22 12:32:23 EDT

re-opening this as it appears to be re-occurring

Comment 31 Barnaby Court 2016-09-06 16:38:52 EDT

Moving back to on_qa as the fix in sub-man 1.17 has been taken care of and verified in test environments. I cloned to it-pnt for the portal fix to open the firewall rules to enable the updates here to work. This should be moved back to verified & released

Comment 32 John Sefler 2016-09-06 17:16:51 EDT

Moving back to VERIFIED per the testing in comment 16 used to verify the developer's fix in comment 13.  Note that this verification applies to the subscription-manager component changes only.  Additional changes are needed server-side (by IT-Candlepin) so that a subscription-manager refresh will pick up the newly released content from the entitlement server.  Per comment 31, the server-side work is now being tracked in cloned bug 1373633 where all of the external trackers have been copied to.

Comment 34 errata-xmlrpc 2016-11-03 16:30:04 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html

Note You need to log in before you can comment on or make changes to this bug.

ahuchcha
bcourt
bkearney
crog
dmoessne
fcami
ggatward
hajek
it-eng-bz
jentrena
jmatthew
kdixon
ktordeur
mmello
nshaik
pmutha
redakkan
risantam
rjerrido
skallesh
sreber
tcarlin
timoran
vrjain
xdmoon