That didn't work either:

* rhsmcertd is not running, disabled
* rhnsd is running
* rhsmd is running
* Server is configured with auto-attach off in Red Hat Portal

The key worked for a couple of days, and then I was getting the "Error retrieving metadata: Forbidden" error again. Unless there is another issue and updating the entitlement just happens to clear that issue, I've been presuming it was an entitlement issue.

On Tue, Jun 2, 2020 at 2:44 PM Gravel Bone <[email protected]> wrote:

> Right, but rhsmcertd wasn't running...I'm now trying to turn off
> Auto-Attach and see if that might help.
>
> Bob
>
> On Mon, Jun 1, 2020 at 10:59 AM Bryan Kearney <[email protected]> wrote:
>
>> rhsmcertd is not doing the invalidation, it is pulling down the most up2date
>> certificate. Any process you have would need to simulate that.
>>
>> -- bk
>>
>> On 5/28/20 4:18 PM, Gravel Bone wrote:
>> > Also, I shut the service down and ensured it wasn't running, and while the
>> > entitlement file in /etc/pki/entitlement didn't change, the syncs still failed
>> > with the issue...so while yes, rhsmcertd can be the culprit, there's
>> > something else on Red Hat side maybe?
>> >
>> > On Thu, May 28, 2020 at 12:24 PM Myers, Mike <[email protected]> wrote:
>> >
>> > > It’s 100% the rhsmcertd process that’s doing it. From the man page:
>> > >
>> > > rhsmcertd - Periodically scans and updates the entitlement certificates on
>> > > a registered system.
>> > >
>> > > What I’m unclear on is why the certs get changed by Red Hat so often when our
>> > > entitlements certainly haven’t. And more importantly, what, if anything, we can
>> > > do to integrate that process more closely with Pulp.
>> > >
>> > > And to be clear, I’m not trying to call this out as a Pulp project problem or
>> > > issue, just wondering if others who use the project have insights or solutions
>> > > they’re willing to share.
>> > >
>> > > Cheers,
>> > > *Mike Myers*
>> > >
>> > > From: Brian Bouterse <[email protected]>
>> > > Date: Thursday, May 28, 2020 at 8:52 AM
>> > > To: Gravel Bone <[email protected]>
>> > > Cc: Mike Myers <[email protected]>, "[email protected]" <[email protected]>
>> > > Subject: Re: [Pulp-list] <External> Syncing Red hat Repos entitlement issue
>> > >
>> > > > One idea to track down which process is editing those certs/files would be to use
>> > > > auditd or systemtap https://unix.stackexchange.com/a/99091
>> > > > Just a thought I wanted to share.
>> > > >
>> > > > On Thu, May 28, 2020 at 9:18 AM Gravel Bone <[email protected]> wrote:
>> > > >
>> > > > > In this case the entitlement certs themselves aren't expired from a date
>> > > > > perspective, they just no longer work connecting to Red Hat. It's more
>> > > > > like they've been revoked because the server they are on got new entitlement
>> > > > > certs which is happening automatically, I just have not figured out how to
>> > > > > prevent that. I've tried turning off rhsmcertd, disabled subscription
>> > > > > management, and combinations in between.
>> > > > >
>> > > > > On Wed, May 27, 2020 at 2:23 PM Brian Bouterse <[email protected]> wrote:
>> > > > >
>> > > > > > If the certs are short-lived, then there isn't much to do except ask the
>> > > > > > issuer to give you longer ones. You could inspect the certs more closely
>> > > > > > I believe using the `rct cat-cert` command. Pulp-certguard has some docs
>> > > > > > showing an example with that tool
>> > > > > > https://pulp-certguard.readthedocs.io/en/latest/debugging.html#checking-authorized-urls-in-rhsm-certificates
>> > > > > >
>> > > > > > On Wed, May 27, 2020 at 11:20 AM Myers, Mike <[email protected]> wrote:
>> > > > > >
>> > > > > > > We’ve faced that too. I’d love some deeper insight, but what I’ve
>> > > > > > > found so far is that “rhsmcertd” process does some sort of
>> > > > > > > check/update on those certs. We’ve just set a process to pull those
>> > > > > > > from /etc/pki/entitlement into Pulp when such a failure occurs. It
>> > > > > > > would be nice if there were a Pulp native way to address this (short
>> > > > > > > of running the whole Satellite suite)
>> > > > > > >
>> > > > > > > Cheers,
>> > > > > > > *Mike Myers*
>> > > > > > >
>> > > > > > > From: <[email protected]> on behalf of Gravel Bone <[email protected]>
>> > > > > > > Date: Wednesday, May 27, 2020 at 5:48 AM
>> > > > > > > To: "[email protected]" <[email protected]>
>> > > > > > > Subject: <External>[Pulp-list] Syncing Red hat Repos entitlement issue
>> > > > > > >
>> > > > > > > > This is probably something straightforward, but my searches have
>> > > > > > > > found nothing...
>> > > > > > > >
>> > > > > > > > I pull entitlement files from our server (well three for three
>> > > > > > > > different subscriptions) and create repos using them to sync the
>> > > > > > > > corresponding Red Hat repository. The problem is, the entitlements
>> > > > > > > > seem to expire about every month. I'm sure it's something I'm
>> > > > > > > > missing that's stupid obvious, but Google has not been my friend nor
>> > > > > > > > has the documentation...help would be appreciated...
>> > > > > > > >
>> > > > > > > > _______________________________________________
>> > > > > > > > Pulp-list mailing list
>> > > > > > > > [email protected]
>> > > > > > > > https://www.redhat.com/mailman/listinfo/pulp-list

_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
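
The auditd idea raised in this thread, as an added example that is not from any poster or from the Pulp project: once a watch is placed on /etc/pki/entitlement, the audit records can be grouped by event id to list which executable created or deleted each certificate file. The watch key name, the process names and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watch rule; the key name is chosen for this example:
#   auditctl -w /etc/pki/entitlement -p wa -k entitlement-certs
WATCH_KEY = "entitlement-certs"
WATCH_DIR = "/etc/pki/entitlement/"

# Constructed records in audit.log layout (hypothetical process, not a real capture).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1590697080.412:9101): syscall=257 success=yes pid=2214 comm="cert-refresher" exe="/usr/local/bin/cert-refresher" key="entitlement-certs"
type=PATH msg=audit(1590697080.412:9101): item=0 name="/etc/pki/entitlement/" nametype=PARENT
type=PATH msg=audit(1590697080.412:9101): item=1 name="/etc/pki/entitlement/1111111111111111111.pem" nametype=CREATE
type=SYSCALL msg=audit(1590697080.420:9102): syscall=87 success=yes pid=2214 comm="cert-refresher" exe="/usr/local/bin/cert-refresher" key="entitlement-certs"
type=PATH msg=audit(1590697080.420:9102): item=1 name="/etc/pki/entitlement/2222222222222222222.pem" nametype=DELETE
type=SYSCALL msg=audit(1590697200.001:9150): syscall=257 success=yes pid=3001 comm="cat" exe="/usr/bin/cat" key="other-watch"
type=PATH msg=audit(1590697200.001:9150): item=0 name="/etc/hosts" nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict, tagged with its event id."""
    m = EVENT_ID.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["event"] = m.group(1)
    return rec

def cert_writers(log_text, key=WATCH_KEY, prefix=WATCH_DIR):
    """Return sorted (exe, comm, nametype, path) for changes under prefix."""
    events = defaultdict(lambda: {"SYSCALL": [], "PATH": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("type") in ("SYSCALL", "PATH"):
            events[rec["event"]][rec["type"]].append(rec)
    hits = set()
    for ev in events.values():
        for sc in ev["SYSCALL"]:
            if sc.get("key") != key or sc.get("success") != "yes":
                continue
            for p in ev["PATH"]:
                name = p.get("name", "")
                # PARENT items name the directory; keep file-level items only.
                # Assumes absolute names that auditd did not hex-encode.
                if p.get("nametype") != "PARENT" and name.startswith(prefix):
                    hits.add((sc.get("exe", "?"), sc.get("comm", "?"),
                              p.get("nametype", "?"), name))
    return sorted(hits)
```

On a live host the same function can be fed the text of the audit log or the raw output of `ausearch -k entitlement-certs`.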
