Description of problem:

Older versions of candlepin generated an uber cert with a 100 year expiration. Upon upgrade to Satellite 6.2, the uber cert is used when capsules sync from the Satellite. If the older 6.1 uber cert is reused, this will cause the following stack trace in /var/log/messages on the Satellite:

  File "/usr/lib/python2.7/site-packages/pulp/oid_validation/oid_validation.py", line 194, in _check_extensions
    cert = certificate.create_from_pem(cert_pem)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate.py", line 64, in create_from_pem
    return _CertFactory().create_from_pem(pem)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 74, in create_from_pem
    return self._read_x509(_certificate.load(pem=pem), path, pem)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 100, in _read_x509
    raise CertificateException(str(e))
CertificateException: Invalid date Bad time value: Invalid month: Bad

Additional info: https://gitlab.com/m2crypto/m2crypto/issues/103
repro steps:

* install a satellite and capsule with 6.1.9, register capsule to sat
* create a product, create a yum repo, sync yum repo
* associate capsule with Library and Default Organization
* create a CV, associate product with CV, successfully publish
* now, go to the organizations page and generate a debug cert! This will generate the cert and save it in the candlepin DB. Confirm cert has expiration date 100 years from now by downloading, then running: 'openssl x509 -in cert.pem -nooout' This will show the expiration date.
* upgrade sat and capsule to 6.2
* attempt a capsule sync

result: error from comment #0

expected result: successful sync
comment #2 should be '-noout', I typoed and put an extra 'o' in the original text.
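The expiration check from the reproduction steps, as an added example that is not part of the original bug report or of Satellite itself. The function names, the 50-year threshold and the throwaway self-signed certificates are assumptions constructed for illustration; it uses `openssl x509 -noout -enddate` to read the notAfter field of a PEM certificate.

```shell
#!/bin/sh
# Added example: flag certificates whose notAfter date lies far in the future,
# such as the 100-year debug cert described in this report.

# Print the four-digit notAfter year of the PEM certificate in $1.
cert_expiry_year() {
    # -enddate prints e.g. "notAfter=Aug 16 12:00:00 2116 GMT"
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | awk '{print $(NF-1)}'
}

# Return 0 if the certificate in $1 expires more than $2 years from now
# (default 50, an assumed threshold), 1 if not, 2 if it cannot be read.
cert_is_long_lived() {
    year=$(cert_expiry_year "$1")
    case $year in
        ''|*[!0-9]*) return 2 ;;   # openssl failed or output was unexpected
    esac
    now=$(date -u +%Y)
    [ $((year - now)) -gt "${2:-50}" ]
}

# Constructed sample input: a throwaway self-signed cert valid for $2 days,
# written to $1 (its private key goes to $1.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: one 100-year cert and one 1-year cert, both constructed.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/century.pem" 36500
make_sample_cert "$demo_dir/year.pem" 365
for pem in "$demo_dir/century.pem" "$demo_dir/year.pem"; do
    if cert_is_long_lived "$pem" 50; then
        echo "LONG-LIVED: $pem expires in $(cert_expiry_year "$pem")"
    else
        echo "ok: $pem expires in $(cert_expiry_year "$pem")"
    fi
done
rm -rf "$demo_dir"
```
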
workaround: use sql from https://bugzilla.redhat.com/show_bug.cgi?id=1366798#c5. The easiest way is to just copy/paste all the sql into a file, then become postgres user on the satellite and run "cat <file.sql> | psql candlepin".

Expected output is:

DELETE 1
DELETE 1
DELETE 1
DELETE 1
DELETE 1
DELETE 1
DELETE 1

This could be a different number, depending on the number of orgs and debug certs. After this, sync should work. No need to restart services.
Created attachment 1191949: certificate reset SQL to re-enable capsule sync
== WORKAROUND ==

To get your capsules synchronizing again please download the attachment: certificate-reset.sql

Instructions are as follows:

1) copy certificate-reset.sql to your Satellite server's /tmp/ directory
2) execute: cat /tmp/certificate-reset.sql | sudo -u postgres psql candlepin
3) re-attempt a capsule synchronization via the hammer cli.

An example of me reproducing then resolving this error looks like:

# hammer capsule content synchronize --id 2
[..............................................] [100%]
Error: RPM1004: Error retrieving metadata: Not found
# cat /tmp/certificate-reset.sql | sudo -u postgres psql candlepin
could not change directory to "/root"
DELETE 1
DELETE 1
DELETE 1
DELETE 1
DELETE 1
DELETE 1
DELETE 1
# hammer capsule content synchronize --id 2
[.............................................] [100%]
# echo $?
0
*** This bug has been marked as a duplicate of bug 1354623 ***