Bug 1889979 - repos valitation fails when CDN repositories are used
Summary: repos valitation fails when CDN repositories are used
Status: CLOSED DUPLICATE of bug 1882826
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-validations
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: David Peacock
QA Contact: nlevinki
Depends On:
TreeView+ depends on / blocked
Reported: 2020-10-21 06:55 UTC by Takashi Kajinami
Modified: 2020-11-04 16:05 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-04 16:05:27 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Takashi Kajinami 2020-10-21 06:55:18 UTC
Description of problem:

While running pre-upgrade validation[1], it was observed that repos validation fails with the following error.
=== Running validation: "repos" ===

Task 'Call repository URLs' failed:
Host: undercloud
Message: Failed to validate the SSL certificate for cdn.redhat.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618).

Even after installing CA cert for Red Hat CDN into trusted CA certs, the validation again fails because of 403 .
=== Running validation: "repos" ===

Task 'Call repository URLs' failed:
Host: undercloud
Message: Status code was 403 and not [200]: HTTP Error 403: Forbidden

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/framework_for_upgrades_13_to_16.1/planning-and-preparation-for-an-in-place-openstack-platform-upgrade#validating-red-hat-openstack-platform-oldvernum-before-the-upgrade

I checked the current implenmentation of repos validation, but it seems that this validation tries direct url access to the repository URLs which appear in "yum repolist".


However this doesn't work for CDN repository because
 - CA cert for CDN is not installed in systemwide CA certs
 - CDN repos doesn't accept HTTP request without authentication.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Deploy RHOSP13 with CDN repository
2. Run validation as described in the documentation[1]

Actual results:
repos validation always fails

Expected results:
repos validation doesn't fail

Additional info:

Comment 1 David Peacock 2020-11-04 16:05:27 UTC

*** This bug has been marked as a duplicate of bug 1882826 ***

Note You need to log in before you can comment on or make changes to this bug.