Bug 1961886 - pulp3: Client receives 403 forbidden when fetching RHEL content when using custom certificates
Summary: pulp3: Client receives 403 forbidden when fetching RHEL content when using cu...
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: 6.10.0
Assignee: Justin Sherrill
QA Contact: Omkar Khatavkar
: 1977893 (view as bug list)
Depends On:
Blocks: 1957813
TreeView+ depends on / blocked
Reported: 2021-05-18 22:18 UTC by Eric Helms
Modified: 2021-11-24 19:00 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-11-16 14:10:56 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 32624 0 Normal Assigned Client receives 403 forbidden when fetching RHEL content when using custom certificates 2021-05-18 22:18:55 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:11:11 UTC

Description Eric Helms 2021-05-18 22:18:54 UTC
Discord thread: https://community.theforeman.org/t/errno-14-https-error-403-forbidden-redhat-repositories-only/21041

Katello is still using its self-signed default CA to distribute entitlement certificates. This is expected.

However, pulpcore certguard has the wrong CA configured in its database - it has picked up the Server CA, which should only be used for clients to authenticate the server certificate.

Updating the content of ca_certificate in pulpcore:certguard_rhsmcertguard fixes the issue and allows clients to access the repo.

psql -d pulpcore
pulpcore=# \set content cat /etc/pki/katello/certs/katello-default-ca-stripped.crt``
pulpcore=# update certguard_rhsmcertguard SET ca_certificate = :'content' ;

Comment 1 Eric Helms 2021-05-18 22:18:58 UTC
Created from redmine issue https://projects.theforeman.org/issues/32624

Comment 2 Eric Helms 2021-05-18 22:19:00 UTC
Upstream bug assigned to ehelms

Comment 3 Bryan Kearney 2021-05-28 10:17:52 UTC
Upstream bug assigned to jsherril

Comment 4 Bryan Kearney 2021-05-28 10:17:54 UTC
Upstream bug assigned to jsherril

Comment 5 Bryan Kearney 2021-06-07 20:02:21 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/32624 has been resolved.

Comment 6 Lukáš Hellebrandt 2021-06-16 16:15:08 UTC
FYI I've just hit this in 6.10.0 snap 4.0.

Comment 7 Justin Sherrill 2021-07-06 15:36:33 UTC
adding 6.9.z flag, as i think backporting is worth it

Comment 8 Justin Sherrill 2021-07-06 15:36:55 UTC
*** Bug 1977893 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2021-11-16 14:10:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.