It’s 100% the rhsmcertd process that’s doing it.  From the man page:

       rhsmcertd - Periodically scans and updates the entitlement certificates on a registered system.

What I’m unclear on is why the certs get changed by Red Hat so often when our 
entitlements certainly haven’t.  And more importantly, what, if anything, we 
can do to integrate that process more closely with Pulp.

And to be clear, I’m not trying to call this out as a Pulp project problem or 
issue, just wondering if others who use the project have insights or solutions 
they’re willing to share.

Cheers,
Mike Myers


From: Brian Bouterse <[email protected]>
Date: Thursday, May 28, 2020 at 8:52 AM
To: Gravel Bone <[email protected]>
Cc: Mike Myers <[email protected]>, "[email protected]" 
<[email protected]>
Subject: Re: [Pulp-list] <External> Syncing Red hat Repos entitlement issue

One idea to track down which process is editing those certs/files would be to 
use auditd or systemtap 
https://unix.stackexchange.com/a/99091
  Just a thought I wanted to share.

On Thu, May 28, 2020 at 9:18 AM Gravel Bone 
<[email protected]> wrote:
In this case the entitlement certs themselves aren't expired from a date 
perspective, they just no longer work connecting to Red Hat. It's more like 
they've been revoked because the server they are on got new entitlement certs 
which is happening automatically, I just have not figured out how to prevent 
that. I've tried turning off rhsmcertd, disabled subscription management, and 
combinations in between.

On Wed, May 27, 2020 at 2:23 PM Brian Bouterse 
<[email protected]> wrote:
If the certs are short-lived, then there isn't much to do except ask the issuer 
to give you longer ones. You could inspect the certs more closely I believe 
using the `rct cat-crt` command. Pulp-certguard has some docs showing an 
example with that tool 
https://pulp-certguard.readthedocs.io/en/latest/debugging.html#checking-authorized-urls-in-rhsm-certificates

On Wed, May 27, 2020 at 11:20 AM Myers, Mike 
<[email protected]> wrote:
We’ve faced that too. I’d love some deeper insight, but what I’ve found so 
far is that the “rhsmcertd” process does some sort of check/update on those certs. 
We’ve just set a process to pull those from /etc/pki/entitlement into Pulp when 
such a failure occurs. It would be nice if there were a Pulp native way to 
address this (short of running the whole Satellite suite).

Cheers,
Mike Myers

From: <[email protected]> on behalf of Gravel Bone <[email protected]>
Date: Wednesday, May 27, 2020 at 5:48 AM
To: "[email protected]" <[email protected]>
Subject: <External>[Pulp-list] Syncing Red hat Repos entitlement issue

This is probably something straightforward, but my searches have found 
nothing...

I pull entitlement files from our server (well, three for three different 
subscriptions) and create repos using them to sync the corresponding Red Hat 
repository. The problem is, the entitlements seem to expire about every 
month. I'm sure it's something I'm missing that's stupid obvious, but Google 
has not been my friend nor has the documentation...help would be appreciated...
_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
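Following the auditd suggestion in the thread, an added example (not part of the thread, and not Pulp or Red Hat code): a small Python parser that groups audit records by event and reports which process created or deleted certificate files under /etc/pki/entitlement. The watch key `entitlement-certs`, the process names and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not from the thread).
# Assumes a watch was added with the hypothetical key "entitlement-certs":
#   auditctl -w /etc/pki/entitlement -p wa -k entitlement-certs
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1590675123.456:789): arch=c000003e syscall=257 success=yes exit=5 pid=2211 uid=0 comm="rhsmcertd-worke" exe="/usr/bin/python3.6" key="entitlement-certs"
type=PATH msg=audit(1590675123.456:789): item=0 name="/etc/pki/entitlement/" inode=1201 nametype=PARENT
type=PATH msg=audit(1590675123.456:789): item=1 name="/etc/pki/entitlement/1111111111111111111.pem" inode=1300 nametype=CREATE
type=SYSCALL msg=audit(1590675124.001:790): arch=c000003e syscall=87 success=yes exit=0 pid=2211 uid=0 comm="rhsmcertd-worke" exe="/usr/bin/python3.6" key="entitlement-certs"
type=PATH msg=audit(1590675124.001:790): item=1 name="/etc/pki/entitlement/2222222222222222222.pem" inode=1299 nametype=DELETE
type=SYSCALL msg=audit(1590675200.000:801): arch=c000003e syscall=257 success=yes exit=3 pid=3000 uid=0 comm="vim" exe="/usr/bin/vim" key="other-watch"
type=PATH msg=audit(1590675200.000:801): item=1 name="/etc/hosts" inode=55 nametype=NORMAL
'''

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group audit records by event serial, since one event spans several lines."""
    events = defaultdict(lambda: {"syscall": {}, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields)
    return events

def who_touched(log_text, key, suffix=".pem"):
    """Return sorted (comm, exe, nametype, path) tuples for events tagged with key."""
    hits = set()
    for ev in parse_events(log_text).values():
        sc = ev["syscall"]
        if sc.get("key") != key:
            continue
        for p in ev["paths"]:
            if p.get("name", "").endswith(suffix):
                hits.add((sc.get("comm"), sc.get("exe"), p.get("nametype"), p["name"]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in who_touched(SAMPLE_LOG, "entitlement-certs"):
        print(*hit)
```

On a real host the input would be the audit log or the output of `ausearch -k` for the chosen key, and the CREATE/DELETE pairs show when a certificate was replaced and needs to be re-imported into Pulp.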
