I am experiencing the following issues and I am hoping that someone will be able to help me or point me in the right direction.
Problem:
RHEL 7 clients registered to the Foreman smart proxy are getting 403 errors on the RHEL repos. Other non-RHEL repos like epel, puppet6, etc. that exist on the same content view are fine.
RHEL 7 clients registered to the main Foreman servers are fine.
The published content view is synced to the Foreman smart proxy, and both Foreman and the smart proxy are installed on CentOS 7.
subscription-manager list
Product Name: Red Hat Enterprise Linux Server
Product ID: 69
Version: 7.9
Arch: x86_64
Status: Subscribed
Status Details:
Starts: 12/05/20
Ends: 12/05/21
yum repolist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
epel7 | 2.3 kB 00:00:00
foreman_clients_el_7 | 2.3 kB 00:00:00
puppet6_el_7 | 2.0 kB 00:00:00
https://foremansmartproxy.mycompany.com/pulp/content/mycompany/DEV/RHEL_7/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
To address this issue please refer to the below knowledge base article
https://access.redhat.com/solutions/69319
If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
epel7/primary | 4.9 MB 00:00:00
epel7 13585/13585
foreman_clients_el_7/primary | 5.1 kB 00:00:00
foreman_clients_el_7 16/16
puppet6_el_7/primary | 183 kB 00:00:00
puppet6_el_7 294/294
https://foreman-smartproxy.mycompany.com/pulp/content/mycompany/DEV/RHEL_7/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
repo id repo name status
epel7 epel7 13585
foreman_clients_el_7 foreman_clients_el_7 16
puppet6_el_7 puppet6_el_7 294
rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs) 0
repolist: 13895
Expected outcome:
Clients should be able to fetch RHEL 7 rpms from smart proxy.
Foreman and Proxy versions:
Foreman 2.4, Katello 4.0.
Foreman and Proxy plugin versions:
Foreman 2.4, Katello 4.0.
Distribution and version:
CentOS Linux release 7.9.2009 (Core)
Other relevant data:
Content Sync: Smart proxy is synchronized. Last sync: 2021-05-04 10:50:41 -0500
You’ll have to use the client certificate to access the repo. To check if it works, check the repo file /etc/yum.repos.d/redhat.repo. Look for the repository with the problem, i.e. rhel-7-server-rpms. It looks something like this:
But if I try to fetch repomd.xml or any other content from foreman smart proxy using the same entitlement, that’s when I get the 403 as follows:
[root@rhel7-client entitlement]# curl --cert /etc/pki/entitlement/1373568910360318289.pem --key /etc/pki/entitlement/1373568910360318289-key.pem https://ForemanSmartProxy.example.com/pulp/content/ORG/DEV/RHEL_7/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
403: A client certificate was not received via the `X-CLIENT-CERT` header.[root@rhel7-client entitlement]#
Also did subscription-manager refresh with no luck.
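The check described above (read the failing repository's stanza in /etc/yum.repos.d/redhat.repo, then request repomd.xml with the client certificate it names), as an added example that is not part of the original posts. The function names are hypothetical, and the sample stanza is constructed from the host and entitlement paths quoted in this thread; its sslcacert path and the second stanza are assumptions.

```shell
# Added example (not from the thread): derive the curl check from redhat.repo.

# Print the value of KEY in the [REPO_ID] stanza of FILE (nothing if absent).
repo_value() {
    awk -v id="$2" -v key="$3" '
        /^\[.*\][ \t]*$/ { sub(/[ \t]+$/, ""); in_repo = ($0 == "[" id "]"); next }
        in_repo && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print the curl command for repomd.xml using the stanza's own TLS settings.
# $3 and $4 replace the yum variables $releasever and $basearch.
repo_curl_cmd() (
    url=$(repo_value "$1" "$2" baseurl)
    cert=$(repo_value "$1" "$2" sslclientcert)
    key=$(repo_value "$1" "$2" sslclientkey)
    ca=$(repo_value "$1" "$2" sslcacert)
    [ -n "$url" ] || { echo "repo $2 not found in $1" >&2; exit 1; }
    [ -n "$cert" ] && [ -n "$key" ] || {
        echo "repo $2 has no client certificate configured" >&2; exit 2; }
    url=$(printf '%s' "$url" |
        sed -e 's|\$releasever|'"$3"'|g' -e 's|\$basearch|'"$4"'|g')
    printf 'curl --cert %s --key %s %s%s/repodata/repomd.xml\n' \
        "$cert" "$key" "${ca:+--cacert $ca }" "${url%/}"
)

# Constructed sample stanzas; the sslcacert path and second repo are assumptions.
write_sample_repo() {
    cat > "$1" <<'EOF'
[rhel-7-server-rpms]
baseurl = https://foremansmartproxy.mycompany.com/pulp/content/mycompany/DEV/RHEL_7/content/dist/rhel/server/7/$releasever/$basearch/os
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
sslclientkey = /etc/pki/entitlement/1373568910360318289-key.pem
sslclientcert = /etc/pki/entitlement/1373568910360318289.pem

[custom-no-cert]
baseurl = https://foremansmartproxy.mycompany.com/pulp/content/constructed/path
EOF
}

sample=$(mktemp)
write_sample_repo "$sample"
repo_curl_cmd "$sample" rhel-7-server-rpms 7Server x86_64
rm -f "$sample"
```

On a client, pass /etc/yum.repos.d/redhat.repo as the first argument and run the printed command to repeat the request yum makes for that repository.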
I have the same issue on my new Katello 4.0 deployment. I also confirmed the same issue is present on 3.17 and 3.18. In my situation I am using custom SSL certificates on Katello and Smart Proxies. Also, the only way the Katello server would work correctly is to deploy using the default self-signed SSL certificates, then update to my custom certs. I did update my SSL certificates to include the required extensions stated in the install document. My previous server with Pulp 2 worked just fine without them until I migrated content to Pulp 3. Subscription manager and non-RHEL repositories work fine through the smart proxy. The only issue left is this 403 error on RHEL repos.
You’ll just want to clear this out after the backport, and the installer should help with that by throwing an error once the fix is officially available.
I have kinda the same problem and nothing mentioned seems to help.
The problem is that when I try to start a RHEL 8 installation in kickstart, I have the AppStream repo pointed like this.
The install fails as it cannot access the AppStream repo.
But Katello does not allow sharing the AppStream repo via HTTP, as it requires certificates to access RHEL repos, and it can only be seen with a client certificate, which cannot be provided in a kickstart install.
Is there any workaround for this?
I need to be able to access RHEL repos without an SSL certificate.
Thanks
You need to sync the AppStream kickstart repos, too; then you can use repo --name AppStream --baseurl http://katello.server.com/pulp/repos/BB/Library/content/dist/rhel8/8.9/x86_64/appstream/kickstart
Thanks a lot. Seems like I sorted it out. Anyway, I needed to resync everything as you said, and the repos in kickstart should look like this; then it will work.