Description of problem: Katello configures the RHSM content guard with the wrong ca certificate (probably in conjunction with a custom server certificate). This leads to clients being unable to consume subscription content from Katello even when fully entitled. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: yum issues 403 errors when accessing content protected by subscriptions, but success when using custom repositories. Expected results: yum update on a system with subscription content should succeed. Additional info: `curl -vv -k -X PATCH --data-urlencode 'ca_certificate@/etc/pki/katello/certs/katello-default-ca-stripped.crt' --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key "https://localhost/pulp/api/v3/contentguards/certguard/rhsm/<UUID>/"` can be used to install the ca certificate that candlepin uses when creating entitlements.
This is actually a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1961886 That one is assigned to 6.10, but now that i think about it, i think its worthwhile to backport to 6.9. *** This bug has been marked as a duplicate of bug 1961886 ***
Here is the upstream change: https://github.com/Katello/katello/pull/9381