1961886 – pulp3: Client receives 403 forbidden when fetching RHEL content when using custom certificates

Bug 1961886 - pulp3: Client receives 403 forbidden when fetching RHEL content when using custom certificates

Summary: pulp3: Client receives 403 forbidden when fetching RHEL content when using cu...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Installation
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	6.10.0
Assignee:	Justin Sherrill
QA Contact:	Omkar Khatavkar
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1977893 (view as bug list)
Depends On:
Blocks:	1957813
TreeView+	depends on / blocked

Reported:	2021-05-18 22:18 UTC by Eric Helms
Modified:	2021-11-24 19:00 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-11-16 14:10:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	32624	0	Normal	Assigned	Client receives 403 forbidden when fetching RHEL content when using custom certificates	2021-05-18 22:18:55 UTC
Red Hat Product Errata	RHSA-2021:4702	0	None	None	None	2021-11-16 14:11:11 UTC

Description Eric Helms 2021-05-18 22:18:54 UTC

Discord thread: https://community.theforeman.org/t/errno-14-https-error-403-forbidden-redhat-repositories-only/21041

<pre>
Katello is still using its self-signed default CA to distribute entitlement certificates. This is expected.

However, pulpcore certguard has the wrong CA configured in its database - it has picked up the Server CA, which should only be used for clients to authenticate the server certificate.

Updating the content of ca_certificate in pulpcore:certguard_rhsmcertguard fixes the issue and allows clients to access the repo.

psql -d pulpcore
pulpcore=# \set content cat /etc/pki/katello/certs/katello-default-ca-stripped.crt``
pulpcore=# update certguard_rhsmcertguard SET ca_certificate = :'content' ;
</pre>

Comment 1 Eric Helms 2021-05-18 22:18:58 UTC

Created from redmine issue https://projects.theforeman.org/issues/32624

Comment 2 Eric Helms 2021-05-18 22:19:00 UTC

Upstream bug assigned to ehelms

Comment 3 Bryan Kearney 2021-05-28 10:17:52 UTC

Upstream bug assigned to jsherril

Comment 4 Bryan Kearney 2021-05-28 10:17:54 UTC

Upstream bug assigned to jsherril

Comment 5 Bryan Kearney 2021-06-07 20:02:21 UTC

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/32624 has been resolved.

Comment 6 Lukáš Hellebrandt 2021-06-16 16:15:08 UTC

FYI I've just hit this in 6.10.0 snap 4.0.

Comment 7 Justin Sherrill 2021-07-06 15:36:33 UTC

adding 6.9.z flag, as i think backporting is worth it

Comment 8 Justin Sherrill 2021-07-06 15:36:55 UTC

*** Bug 1977893 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2021-11-16 14:10:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702

Note You need to log in before you can comment on or make changes to this bug.