Description of problem:
capsule sync failed on Docker content

DKR1008: Could not find registry API at https://satellite.example:5000 (Katello::Errors::PulpError)

Version-Release number of selected component (if applicable):
satellite-capsule-6.7.0-5.beta.el7sat.noarch
pulp-docker-plugins-3.2.5-1.el7sat.noarch
python-pulp-docker-common-3.2.5-1.el7sat.noarch

How reproducible:
New installation of 6.7 Beta

Steps to Reproduce:
1. Create a product and then create a docker repo for https://registry.access.redhat.com with Docker upstream rhel
   OR
   Create a product and then create a docker repo for https://registry.redhat.io with Docker upstream rhel7.7
2. Sync the repo
3. On satellite it will sync properly; it errored when the capsule sync started

Content Counts
Content Type
Container Image Manifests         21
Container Image Manifest Lists     7
Container Image Tags               9

Actual results:
Feb 25 22:42:44 vm pulp: urllib3.connectionpool:INFO: [65d03eb8] Starting new HTTPS connection (1): satellite.example.com
Feb 25 22:42:44 vm pulp: nectar.downloaders.threaded:ERROR: [65d03eb8] Skipping requests to satellite.example.com:5000 due to repeated connection failures: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:618)
Feb 25 22:42:44 vm pulp: pulp.server.async.tasks:INFO: [65d03eb8] Task failed : [65d03eb8-5234-4bb5-b434-4c5efda9690c] : Could not find registry API at https://satellite.example.com:5000
Feb 25 22:42:44 vm pulp: celery.app.trace:INFO: [65d03eb8] Task pulp.server.managers.repo.sync.sync[65d03eb8-5234-4bb5-b434-4c5efda9690c] raised expected: PulpCodedException()
Feb 25 22:42:44 vm pulp: celery.app.trace:INFO: [2eb39e9f] Task pulp.server.async.tasks._release_resource[2eb39e9f-7bb5-4ff2-b1cc-1bd93c07f800] succeeded in 0.00347492890432s: None

Expected results:

Additional info:
I have custom SSL configured on satellite and capsules.
It looks like this change broke this: https://projects.theforeman.org/issues/28043 We are configuring crane's CA cert to be the server ca, while we're using an uber cert to authenticate against it generated from the default CA. Ewoud, thoughts on this?
That sounds like a misconfiguration and should be configuring Katello to expect the right certificate. The question is what the right certificate is. As a user it makes a lot more sense to me to be presented the server certificate because your docker/podman is more likely to have the server certificate present than the default CA. If I'm wrong, I'll gladly hear it.
The main apache server is configured with:

SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"

I'd expect crane to be configured similarly? Unless you mean that that is also wrong?
(In reply to Justin Sherrill from comment #10)
> The main apache server is configured with:
>
> SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
> SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
>
> I'd expect crane to be configured similarly ? Unless you mean that that is
> also wrong?

This is what I would expect to see for crane as well.
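The mismatch discussed in the comments above can be reproduced offline. This is an added example, not part of the bug report or of the Katello project's code: two throwaway CAs (constructed stand-ins for katello-server-ca.crt and katello-default-ca.crt) and a client certificate issued by the "default" CA show why a vhost that trusts only the server CA for client authentication answers with "unknown ca". All file names and subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: server-ca / default-ca are throwaway stand-ins for the
# two Katello CAs named in the thread; client.crt stands in for the
# certificate pulp presents to the registry port.
set -eu

make_ca() {  # $1 = file basename, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_client() {  # $1 = issuing CA basename, $2 = output basename
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# Same decision the TLS server makes for a client certificate: does it
# chain to the CA file configured as the client-auth trust anchor?
check_client_ca() {  # $1 = CA file, $2 = client certificate
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "unknown ca"
    fi
}

# Runs in a subshell so the caller's working directory is left alone.
run_demo() (
    dir=$(mktemp -d)
    cd "$dir"
    make_ca server-ca "Demo Server CA"
    make_ca default-ca "Demo Default CA"
    issue_client default-ca client
    echo "client vs server CA:  $(check_client_ca server-ca.crt client.crt)"
    echo "client vs default CA: $(check_client_ca default-ca.crt client.crt)"
    cd /
    rm -rf "$dir"
)

run_demo
```

On a real host the same `openssl verify -CAfile` check can be pointed at whichever file the vhost names in SSLCACertificateFile and at the client certificate in use.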
Created redmine issue https://projects.theforeman.org/issues/29278 from this bug
Upstream bug assigned to ehelms
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/29278 has been resolved.
Verification step:

Satellite Version: 6.7 Snap16

1. Create a product and then create a docker repo for https://registry.access.redhat.com with Docker upstream rhel
2. Sync the repo, Repository synced completed successfully.
3. Trigger capsule sync and it also completed successfully

# hammer capsule content synchronize --id 2
[..........................................................................................................................................................................................................] [100%]

Mar 24 03:23:22 capsule-upgrade pulp: urllib3.connectionpool:INFO: [e3a341c5] Starting new HTTPS connection (34): satellite.com
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/7.2-84.
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/7.7.
Mar 24 03:23:22 capsule-upgrade pulp: urllib3.connectionpool:INFO: [e3a341c5] Resetting dropped connection: satellite.com
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/**********************************.
Mar 24 03:23:22 capsule-upgrade pulp: nectar.downloaders.threaded:INFO: [e3a341c5] Download succeeded: https://satellite.com:5000/v2/default_organization-dev-test_container_1112-docker_test-docker_repo_test/manifests/**********************************.
Mar 24 03:23:22 capsule-upgrade pulp: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[d5a6487c-67b5-4417-acff-f381bedcdb74]

Didn't get any error message in satellite's crane logs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454