Discord thread: https://community.theforeman.org/t/errno-14-https-error-403-forbidden-redhat-repositories-only/21041
Katello is still using its self-signed default CA to distribute entitlement certificates. This is expected.
However, pulpcore certguard has the wrong CA configured in its database - it has picked up the Server CA, which should only be used for clients to authenticate the server certificate.
Updating the content of ca_certificate in pulpcore:certguard_rhsmcertguard fixes the issue and allows clients to access the repo.
psql -d pulpcore
pulpcore=# \set content cat /etc/pki/katello/certs/katello-default-ca-stripped.crt``
pulpcore=# update certguard_rhsmcertguard SET ca_certificate = :'content' ;
Created from redmine issue https://projects.theforeman.org/issues/32624
Upstream bug assigned to ehelms
Upstream bug assigned to jsherril
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/32624 has been resolved.
FYI I've just hit this in 6.10.0 snap 4.0.
adding 6.9.z flag, as i think backporting is worth it
*** Bug 1977893 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.