Bug 1708948 - OSPP profile on install gives "Failed to synchronize cache for repo" errors on attempted dnf upgrade on freshly-subscribed install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.0
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: rc
: 8.0
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On:
Blocks: 1825061
Reported: 2019-05-11 22:09 UTC by Japheth Cleaver
Modified: 2020-11-04 01:39 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 01:38:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:
cdonnell: needinfo-


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4460 0 None None None 2020-11-04 01:38:57 UTC

Description Japheth Cleaver 2019-05-11 22:09:46 UTC
Description of problem:
Selecting profile = xccdf_org.ssgproject.content_profile_ospp during RHEL8 install on a system attached (properly, as far as I can tell) to a Red Hat Developer Subscription results in upgrades failing with repo cache errors.


Reinstalling with no security profile selected allows it to work without issue.


Version-Release number of selected component (if applicable):
subscription-manager-1.23.8-35.el8.x86_64 from RHEL8 release DVD ISO

How reproducible: 

Steps to Reproduce:
1. Perform RHEL8 install using OSPP security profile
2. Register system to RH account, under "Red Hat Developer Subscription" pool
3. dnf upgrade

Actual results:

[root@rhel8-x86-64 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Current

System Purpose Status: Matched

[root@rhel8-x86-64 ~]# dnf upgrade
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                         0.0  B/s |   0  B     00:01    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                            0.0  B/s |   0  B     00:01    
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-rpms', ignoring this repo.
Dependencies resolved.
Nothing to do.
Complete!


Additional info:
DNF log shows below, despite endpoint being reachable, no proxies in the way, and the local certificate apparently being correct.

2019-05-11T21:30:57Z DEBUG repo: downloading from remote: rhel-8-for-x86_64-appstream-rpms
2019-05-11T21:30:58Z DEBUG Cannot download 'https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried.
2019-05-11T21:30:58Z DEBUG repo: downloading from remote: rhel-8-for-x86_64-baseos-rpms
2019-05-11T21:30:59Z DEBUG Cannot download 'https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried.
2019-05-11T21:30:59Z WARNING Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms', ignoring this repo.
2019-05-11T21:30:59Z WARNING Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-rpms', ignoring this repo.

Comment 1 Japheth Cleaver 2019-05-11 22:11:37 UTC
I'm not certain if this is an OpenSCAP bug or not, but this seems like it should have been a blocker as updates won't work on the system.

Comment 6 Japheth Cleaver 2019-05-13 21:52:15 UTC
Per https://access.redhat.com/discussions/4117121#comment-1520091 this is indeed an OSPP problem. 
PCI profile reportedly works successfully.

Comment 7 Craig Donnelly 2019-05-14 20:43:49 UTC
Hello Japheth,

We have done some testing around this, and it seems that the issue is related to ciphers that are used with our CDN and the crypto policies that are enacted on the system when this security profile is installed.

With that said, I was able to "work around" this by changing the crypto policy after logging into the system. The problem with this approach is that the system will no longer be FIPS compliant at that point.

You can temporarily gain access to the CDN by changing the crypto policy as such:

  # update-crypto-policies --set DEFAULT

It will warn you about making this change.

You can return to the policy that complies with the security profile with:

  # update-crypto-policies --set FIPS

We are working on resolving the issue and will let you know when we have some more to offer.

Thanks!

Comment 8 Craig Donnelly 2019-05-14 20:45:32 UTC
Additional Note:

It is important to remember that when changing to the DEFAULT crypto policy, with the other changes in place that OSPP makes - you will be unable to SSH into the system.
You must change the crypto policy back to DEFAULT before logging out, or you will need console access to get back in. This makes this a less-than-ideal work-around.
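
The temporary policy change from Comments 7 and 8, wrapped so that the policy that was active beforehand is put back even if the command fails or the session drops. This is an added example, not part of the bug report or of Red Hat's tooling; `with_temp_policy` and the `UCP` override are names assumed here, and only the `--show` and `--set` options shown in this report are used.

```shell
#!/bin/sh
# Added example: run one command under a temporary crypto policy, then restore
# the policy that was active before. Not from the bug report.
# UCP is an assumed override so the logic can be exercised with a stand-in
# command instead of the real update-crypto-policies.
UCP="${UCP:-update-crypto-policies}"

# usage: with_temp_policy <policy> <command> [args...]
# The body is a subshell, so the EXIT trap fires however the command ends and
# the caller's own traps are left alone.
with_temp_policy() (
    temp="$1"; shift
    orig="$($UCP --show)" || { echo "cannot read current crypto policy" >&2; exit 2; }

    if [ "$orig" != "$temp" ]; then
        # Restore on every exit path. HUP covers a dropped SSH session, which
        # is the lock-out case described in Comment 8.
        trap '$UCP --set "$orig" >/dev/null || echo "WARNING: policy not restored to $orig" >&2' EXIT
        trap 'exit 130' INT TERM HUP
        $UCP --set "$temp" >/dev/null || exit 2
    fi

    # Exit status of the wrapped command becomes the function's status.
    "$@"
)

# Invocation on a real host (left commented so sourcing has no side effects):
# with_temp_policy DEFAULT dnf upgrade
```

The system is outside the FIPS policy for as long as the wrapped command runs, so keep that command to the single operation that needs CDN access.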

Comment 13 Craig Donnelly 2019-05-20 16:04:32 UTC
VERIFIED against a FIPS enabled OSPP RHEL 8 GA system:

[root@dhcp-8-29-250 ~]# rpm -q subscription-manager
subscription-manager-1.23.8-35.el8.x86_64

[root@dhcp-8-29-250 ~]# subscription-manager config | grep cdn
   baseurl = [https://cdn.redhat.com]

[root@dhcp-8-29-250 ~]# update-crypto-policies --show
FIPS

[root@dhcp-8-29-250 ~]# yum clean all
Updating Subscription Management repositories.
16 files removed

[root@dhcp-8-29-250 ~]# yum repolist -v
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, uploadprofile
Updating Subscription Management repositories.
DNF version: 4.0.9
cachedir: /var/cache/dnf
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 1 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 1 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: ui_repoid_vars = releasever in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
Unknown configuration option: enable_metadata = 0 in /etc/yum.repos.d/redhat.repo
repo: downloading from remote: rhel-8-for-x86_64-appstream-rpms
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                             2.3 MB/s | 7.0 MB     00:03    
not found other for: Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
not found deltainfo for: Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-appstream-rpms: using metadata from Tue 14 May 2019 02:08:12 PM EDT.
repo: downloading from remote: rhel-8-for-x86_64-baseos-rpms
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                948 kB/s | 3.7 MB     00:04    
not found other for: Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
not found modules for: Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
not found deltainfo for: Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
rhel-8-for-x86_64-baseos-rpms: using metadata from Tue 14 May 2019 02:08:03 PM EDT.
Last metadata expiration check: 0:00:01 ago on Mon 20 May 2019 12:02:49 PM EDT.
Completion plugin: Generating completion cache...

Repo-id      : rhel-8-for-x86_64-appstream-rpms
Repo-name    : Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
Repo-revision: 1557857292
Repo-updated : Tue 14 May 2019 02:08:12 PM EDT
Repo-pkgs    : 5,045
Repo-size    : 5.7 G
Repo-baseurl : https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os
Repo-expire  : 86,400 second(s) (last: Mon 20 May 2019 12:02:43 PM EDT)
Repo-filename: /etc/yum.repos.d/redhat.repo

Repo-id      : rhel-8-for-x86_64-baseos-rpms
Repo-name    : Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Repo-revision: 1557857283
Repo-updated : Tue 14 May 2019 02:08:03 PM EDT
Repo-pkgs    : 1,963
Repo-size    : 1.2 G
Repo-baseurl : https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os
Repo-expire  : 86,400 second(s) (last: Mon 20 May 2019 12:02:49 PM EDT)
Repo-filename: /etc/yum.repos.d/redhat.repo
Total packages: 7,008

[root@dhcp-8-29-250 ~]# yum install zsh -y
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:16 ago on Mon 20 May 2019 12:02:49 PM EDT.
Dependencies resolved.
=====================================================================================================================
 Package           Arch                 Version                    Repository                                   Size
=====================================================================================================================
Installing:
 zsh               x86_64               5.5.1-6.el8                rhel-8-for-x86_64-baseos-rpms               2.9 M

Transaction Summary
=====================================================================================================================
Install  1 Package

Total download size: 2.9 M
Installed size: 6.9 M
Downloading Packages:
zsh-5.5.1-6.el8.x86_64.rpm                                                           5.7 MB/s | 2.9 MB     00:00    
---------------------------------------------------------------------------------------------------------------------
Total                                                                                5.7 MB/s | 2.9 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                             1/1 
  Installing       : zsh-5.5.1-6.el8.x86_64                                                                      1/1 
  Running scriptlet: zsh-5.5.1-6.el8.x86_64                                                                      1/1 
  Verifying        : zsh-5.5.1-6.el8.x86_64                                                                      1/1 
Installed products updated.

Installed:
  zsh-5.5.1-6.el8.x86_64                                                                                             

Complete!

Comment 24 errata-xmlrpc 2020-11-04 01:38:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4460

