Bug 1807151 - capsule sync failed on Docker content DKR1008: Could not find registry API at https://satellite.example:5000 (Katello::Errors::PulpError)
Summary: capsule sync failed on Docker content DKR1008: Could not find registry API a...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.7.0
Hardware: x86_64
OS: Linux
unspecified
high vote
Target Milestone: 6.7.0
Assignee: Eric Helms
QA Contact: Devendra Singh
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-25 17:42 UTC by Ganesh Payelkar
Modified: 2020-04-14 13:38 UTC (History)
4 users (show)

Fixed In Version: foreman-installer-1.24.1.20-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-14 13:38:54 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 29278 0 Normal Closed capsule sync failed on Docker content DKR1008: Could not find registry API at https://satellite.example:5000 (Katello::... 2021-02-15 17:19:06 UTC

Description Ganesh Payelkar 2020-02-25 17:42:25 UTC
Description of problem:

capsule sync failed on Docker content  DKR1008: Could not find registry API at https://satellite.example:5000 (Katello::Errors::PulpError) 


Version-Release number of selected component (if applicable):

satellite-capsule-6.7.0-5.beta.el7sat.noarch
pulp-docker-plugins-3.2.5-1.el7sat.noarch
python-pulp-docker-common-3.2.5-1.el7sat.noarch

How reproducible:
New installation of 6.7 Beta

Steps to Reproduce:
1. Create a product and then create a docker repo for https://registry.access.redhat.com with Docker upstream rhel 

OR 

Create a product and then create a docker repo for https://registry.redhat.io with Docker upstream rhel7.7

2. Sync the repo

3. On satellite it will sync properly, it errored when capsule sync start  


Content Counts
Content Type
Container Image Manifests 	21
Container Image Manifest Lists 	7
Container Image Tags 	        9 

Actual results: 


Feb 25 22:42:44 vm pulp: urllib3.connectionpool:INFO: [65d03eb8] Starting new HTTPS connection (1): satellite.example.com
Feb 25 22:42:44 vm pulp: nectar.downloaders.threaded:ERROR: [65d03eb8] Skipping requests to satellite.example.com:5000 due to repeated connection failures: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:618)
Feb 25 22:42:44 vm pulp: pulp.server.async.tasks:INFO: [65d03eb8] Task failed : [65d03eb8-5234-4bb5-b434-4c5efda9690c] : Could not find registry API at https://satellite.example.com:5000
Feb 25 22:42:44 vm pulp: celery.app.trace:INFO: [65d03eb8] Task pulp.server.managers.repo.sync.sync[65d03eb8-5234-4bb5-b434-4c5efda9690c] raised expected: PulpCodedException()
Feb 25 22:42:44 vm pulp: celery.app.trace:INFO: [2eb39e9f] Task pulp.server.async.tasks._release_resource[2eb39e9f-7bb5-4ff2-b1cc-1bd93c07f800] succeeded in 0.00347492890432s: None



Expected results:


Additional info:

I have custom SSL configured on satellite and capsules.

Comment 8 Justin Sherrill 2020-03-03 16:26:55 UTC
It looks like this change broke this:  https://projects.theforeman.org/issues/28043

We are configuring crane's CA cert to be the server ca, while we're using an uber cert to authenticate against it generated from the default CA.  

Ewoud, thoughts on this?

Comment 9 Ewoud Kohl van Wijngaarden 2020-03-03 16:33:33 UTC
That sounds like a misconfiguration and should be configuring Katello to expect the right certificate. The question is what the right certificate is. As a user it makes a lot more sense to me be presented the server certificate because your docker/podman is more likely to have the server certificate present than the default CA. If I'm wrong, I'll gladly hear it.

Comment 10 Justin Sherrill 2020-03-03 18:18:14 UTC
The main apache server is configured with: 

  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"

I'd expect crane to be configured similarly ?  Unless you mean that that is also wrong?

Comment 11 Ewoud Kohl van Wijngaarden 2020-03-04 10:17:04 UTC
(In reply to Justin Sherrill from comment #10)
> The main apache server is configured with: 
> 
>   SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
>   SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
> 
> I'd expect crane to be configured similarly ?  Unless you mean that that is
> also wrong?

This is what I would expect to see for crane as well.

Comment 12 Eric Helms 2020-03-06 13:18:13 UTC
Created redmine issue https://projects.theforeman.org/issues/29278 from this bug

Comment 13 Bryan Kearney 2020-03-06 15:05:56 UTC
Upstream bug assigned to ehelms

Comment 14 Bryan Kearney 2020-03-06 15:05:58 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/29278 has been resolved.

Comment 16 Devendra Singh 2020-03-24 07:53:04 UTC
Verification step:
Satellite Version: 6.7 Snap16

1. Create a product and then create a docker repo for https://registry.access.redhat.com with Docker upstream rhel 
2. Sync the repo, Repository synced completed successfully.
3- Trigger capsule sync and it also completed successfully

# hammer capsule content synchronize --id 2
[..........................................................................................................................................................................................................] [100%]


Mar 24 03:23:22 capsule-upgrade pulp: urllib3.connectionpool:INFO: [e3a341c5] Starting new HTTPS connection (34): satellite.com
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/7.2-84.
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/7.7.
Mar 24 03:23:22 capsule-upgrade pulp: urllib3.connectionpool:INFO: [e3a341c5] Resetting dropped connection: satellite.com
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/**********************************.
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/**********************************.
Mar 24 03:23:22 capsule-upgrade pulp: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[d5a6487c-67b5-4417-acff-f381bedcdb74]


Didn't get any error message in satellite's crane logs.

Comment 17 Bryan Kearney 2020-04-14 13:38:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454


Note You need to log in before you can comment on or make changes to this bug.