Chapter 13. Resolving common problems in RHUI 4

The following table lists known issues with Red Hat Update Infrastructure. If you encounter any of these issues, report the problem through Bugzilla.

Table 13.1. Common problems in Red Hat Update Infrastructure

EventDescription of known issueRecommendation

Installation and Configuration

You experience communication issues between the RHUA and the CDSs.

Verify the fully qualified domain name (FQDN) is set for the RHUA and CDS and is resolvable.

Configure the HTTP proxy properly as described in Bug 726420 – Quick note on proxy URL


You cannot synchronize repositories with Red Hat.

Verify the RHUI SKUs are in your account.

Verify the proper content certificates are loaded to the RHUA.

Look for temporary CDN issues.

Look for any HTTP proxy in your environment and make sure you are not hitting an While syncing repositories to RHUA, it fails with "RepoError: Cannot retrieve repository metadata (repomd.xml) for repository. Please verify its path and try again" when proxy used error.

The RHUA cannot synchronize to CDSs, typically due to expired qpid certificates: See CDS sync fails with error "sslv3 alert certificate expired" due to expired qpid CA certificates on RHUI for more information.

Red Hat Update Appliance/Content Delivery Network Communication

The Red Hat Update Appliance is not communicating with the Content Delivery Network.

Use the content certificate in /etc/pki/rhui/redhat (the .pem file) to test connectivity and access between the RHUA and the CDN.

# cd /etc/pki/rhui/redhatwget --certificate=8a85f98146a087b80146afacb3362499.pem --ca-certificate=/etc/rhsm/ca/redhat-uep.pem

Note from the curl (1) man page: If the NSS PEM PKCS#11 module ( is available, then PEM files may be loaded. If you want to use a file from the current directory, precede it with ./ prefix to avoid confusion with a nickname.

On each CDS, the entitlement certificate in /etc/pki/pulp/content can be used to test the availability of the RHUA content using # curl --cert ./rhui-ec2-20120619.pem.

The URL for the repositories hosted on the RHUA always start with https://fqdn/pulp/content. You can divulge the remaining URL by: -Looking at the file path on the RHUA under /var/lib/rhui/remote_share/symlinks/pulp/content/ -Examining the content certificate directly using openssl commands because the OIDs ending in 1.6 contain the path

Client/Content Delivery Server Communication

curl can be used to verify client communications with the content delivery server nodes as well.

# curl --cert /etc/pki/entitlement/product/content.crt --key /etc/pki/entitlement/key.pem https://ip-10-4-58-34.ec2.internal/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64 /rhui/2.1/os/repodata/repomd.xml -k <?xml version="1.0" encoding="UTF-8"?> <repomd xmlns="" xmlns:rpm=""> <revision>1339940325</revision> <data type="other_db"> <location href="repodata/4f86b0ae203bba90d22a8363120c66ed6f37da81-other.sqlite.bz2"/> <checksum type="sha">4f86b0ae203bba90d22a8363120c66ed6f37da81</checksum> <timestamp>1339940328.43</timestamp>

Client/HAProxy communication

All HAProxy nodes are down. Clients have lost access to RHUI repositories.

Add and configure at least one new HAProxy node. If you cannot do so for whatever reason, temporarily change the DNS configuration so that the main load balancer host name ( in this guide) resolves to the IP address of one of your CDS nodes. This will allow the clients to avoid the unavailable HAProxy nodes and communicate with the CDS directly.