RHUI repository synchronization fails after enabling Simple Content Access
Environment
Red Hat Update Infrastructure 4 (any minor version) on Red Hat Enterprise Linux 8.
Issue
With Simple Content Access (SCA), there are no pool IDs anymore. Unfortunately, this breaks the logic in RHUI which replaces the entitlement certificate if the pool ID has changed.
Resolution
On November 7, 2024, an advisory was released providing an updated version of rhui-tools that resolves this issue. Please note that some manual steps may still be needed. For detailed information about the fix and the post-update instructions, please see:
Root Cause
Both a pool-based and an SCA certificate are used at the same time. RHUI keeps using the old one, which gets revoked eventually. To work around this issue, delete all the certificates and let RHUI re-load the latest RHSM certificate and update all repositories with it.
Diagnostic Steps
rhui-manager reports errors for all repositories in RHUI. For example, rhui-manager status prints:
Red Hat Enterprise Linux 9 for ARM 64 - BaseOS (RPMs) from RHUI (9) ....................... ERROR
In addition, the "vr" screen of Synchronization Status in the rhui-manager text user interface reports issues with HTTP 403 from the latest sync; for example:
784 - Error dotNET on RHEL Source RPMs for Red Hat Enterprise Linux 7 Server from RHUI (7Server-x86_64)
403, message='Forbidden', url=URL('https://cdn.redhat.com/content/dist/rhel/rhui/server/7/7Server/x86_64/dotnet/1/source/SRPMS')
Lastly, there is more than one .pem file in /etc/pki/rhui/redhat/, and one of them is significantly larger. For example:
# ll /etc/pki/rhui/redhat/
total 200
-rw-------. 1 root root 37017 Oct 17 10:16 99d717230a5a4277ae5aaf60981d2c0e.pem
-rw-------. 1 root root 161147 Nov 5 14:01 aeaca4ac7a1c4c5baf7e683ad646ae07.pem
To confirm that the latest .pem file is an SCA certificate, run:
# rct cat-cert `ls -t /etc/pki/rhui/redhat/* | head -1` | grep -A2 Product:
Product:
	ID: content_access
	Name: Content Access
It is not an SCA certificate if the output contains many individual product IDs.
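The same check can be applied to every certificate in the directory rather than only the newest one. The script below is an added example, not Red Hat code; the function names classify_rct and report_certs are made up for this example, and it assumes that rct cat-cert prints a "Product:" header followed by "ID:" fields, as in the output above.

```shell
#!/bin/sh
# Added example (not Red Hat code). Assumes the `rct cat-cert` layout shown
# in this article: a "Product:" header followed by "ID:" and "Name:" fields.

# classify_rct: read `rct cat-cert` output on stdin and print
#   sca     - exactly one product, with ID content_access
#   pool    - one or more individual product IDs
#   unknown - no Product section found
classify_rct() {
    awk '
        /^Product:[ \t]*$/   { in_product = 1; next }
        /^[^ \t].*:[ \t]*$/  { in_product = 0 }   # another section header
        in_product && $1 == "ID:" { n++; if ($2 == "content_access") sca++ }
        END {
            if (n == 0)                  print "unknown"
            else if (n == 1 && sca == 1) print "sca"
            else                         print "pool"
        }'
}

# report_certs [DIR]: classify every .pem in DIR and warn when more than
# one certificate is present, the condition described under Root Cause.
report_certs() {
    dir=${1:-/etc/pki/rhui/redhat}
    count=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        count=$((count + 1))
        printf '%s\t%s\n' "$(rct cat-cert "$pem" | classify_rct)" "$pem"
    done
    if [ "$count" -gt 1 ]; then
        echo "WARNING: $count certificates in $dir (see Root Cause)" >&2
    fi
    return 0
}

# Run only where rct is installed; needs read access to the .pem files.
if command -v rct >/dev/null 2>&1; then
    report_certs "$@"
fi
```

A line starting with "pool" next to one starting with "sca" matches the situation described under Root Cause.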