Description of problem: At present in RHUI 3, MS is using repo paths with prefix "pulp/repos" as a prefix of rhui repos. SO as to enable the migration of exiting client requests with the same content certificate, we need to call RHUI 4 CDS. We tried rewriting uri to "/pulp/content" in the nginx config but the auth service running on RHUI4 is checking "HTTP_X_ORIGINAL_URI" to get the repo path and then matches with the content certificate. Because of this, even after having the same content.crt file RHUI CDS is not able to authenticate the https requests with any URIs other than those starting with "pulp/content". Version-Release number of selected component (if applicable): rhui-tools-4.1.0.6-1.el8ui.noarch rhui-installer-4.1.0.4-1.el8ui.noarch rhui-tools-libs-4.1.0.6-1.el8ui.noarch How reproducible: Always Steps to Reproduce: 1. Install RHUI 4 2. Hit RHUI 4 CDS with yum command with RHUI 3 client packages on azure or curl with repo path starting with /pulp/repos Actual results: Getting 403 access denied 022-04-20 08:13:14,308 [1676943] [WARNING] Access DENIED to 52.183.63.106 for /pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml: Requested path is not a subpath of a path in the client certificate. Expected results: 200 success since using the same content cert in rhui CDS. Additional info: The workaround is to configure NGinx to return "301 permanently moved" from RHUI CDS and then yum can make a call with pulp/content/ path.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: RHUI 4.1.1 release - Security Fixes and Enhancement Update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5602