Bug 1977893 - [pulp3] Pulp contentguard using wrong ca certificate leads to permission denied on consumers
Keywords:
Status: CLOSED DUPLICATE of bug 1961886
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Subscription Management
Version: 6.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: 6.10.0
Assignee: satellite6-bugs
QA Contact: Cole Higgins
URL:
Whiteboard:
Depends On:
Blocks: 1957813
Reported: 2021-06-30 16:27 UTC by Matthias Dellweg
Modified: 2021-07-06 15:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-06 15:36:57 UTC
Target Upstream Version:
Embargoed:



Description Matthias Dellweg 2021-06-30 16:27:49 UTC
Description of problem:
Katello configures the RHSM content guard with the wrong CA certificate (probably in conjunction with a custom server certificate). This leads to clients being unable to consume subscription content from Katello even when fully entitled.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
yum issues 403 errors when accessing content protected by subscriptions,
but succeeds when using custom repositories.


Expected results:
yum update on a system with subscription content should succeed.


Additional info:
`curl -vv -k -X PATCH  --data-urlencode 'ca_certificate@/etc/pki/katello/certs/katello-default-ca-stripped.crt' --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key "https://localhost/pulp/api/v3/contentguards/certguard/rhsm/<UUID>/"`
can be used to install the CA certificate that Candlepin uses when creating entitlements.
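
The trust mismatch described in this report can be reproduced offline with the following added example, which is not part of the original report or of the Katello/Pulp code. It assumes the content guard admits a client only when its certificate chains to the configured `ca_certificate`, with `openssl verify` standing in for that check; all CAs, keys and subjects are constructed and the function names are hypothetical.

```shell
# Constructed demo: every CA, key and subject below is generated on the fly.
# Assumption: the guard admits a client only if its certificate chains to the
# configured ca_certificate; `openssl verify` stands in for that decision.

# Create a self-signed CA. $1 = file prefix, $2 = common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a client certificate. $1 = issuing CA prefix, $2 = output prefix.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-consumer" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# Succeed only if certificate $2 chains to the CA file $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the outcome a client would see for guard CA $1 and client cert $2.
guard_decision() {
  if chains_to "$1" "$2"; then echo "allow"; else echo "403"; fi
}

run_demo() {
  demo_dir=$(mktemp -d) || return 1
  make_ca "$demo_dir/entitlement-ca" "constructed entitlement CA"
  make_ca "$demo_dir/server-ca" "constructed custom server CA"
  issue_client "$demo_dir/entitlement-ca" "$demo_dir/client"
  echo "guard holds server CA:      $(guard_decision "$demo_dir/server-ca.crt" "$demo_dir/client.crt")"
  echo "guard holds entitlement CA: $(guard_decision "$demo_dir/entitlement-ca.crt" "$demo_dir/client.crt")"
  rm -rf "$demo_dir"
}

run_demo
```

The same `openssl verify -CAfile` comparison, run with the guard's CA file and a consumer's entitlement certificate, shows whether the two actually share an issuer.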

Comment 3 Justin Sherrill 2021-07-06 15:36:57 UTC
This is actually a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1961886  

That one is assigned to 6.10, but now that I think about it, I think it's worthwhile to backport to 6.9.

*** This bug has been marked as a duplicate of bug 1961886 ***

Comment 4 Justin Sherrill 2021-07-06 15:38:01 UTC
Here is the upstream change:  https://github.com/Katello/katello/pull/9381

