Activationkey missing isos subscription repo

Hello Foreman support,

We would like to use foreman to host a isos repository to allow remote servers to download tar files via https.

We expected to be able to download files hosted by the isos repos using entitlement keys and certs provisioned to the client server after subscribing with the foreman host using subscription-manager. However we see this error on the Foreman server apache log when we try to fetch the file via https:

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Fri Dec 27 21:18:32.053201 2019] [:error] [pid 25571] [client :] Request denied to destination…Client certificate failed extension check for destination:/pulp/isos/

On investigating, in the foreman ui under Activation Keys -> Repository Sets tab, we are not able to find the isos repos listed as added to the activation key.

Our foreman version is 1.20.3
I’m not sure if this is an issue due to the way we are using the foreman UI. Please if anyone can help us with the issue it would be much appreciated.



It looks like currently we don’t let you add subscriptions that only contain file content, nor let you manage repository sets of file content. The reason for this (I presume) is that it gives the false sense that the files will actually be available to the client via some automated fashion (like how yum repositories can be accessed over yum).

There are a couple of options:

  1. use the http:// version of the repository
  2. use an org’s uber cert, you can download this from the organization details page and can fetch content from any repository in the organization.

As we are integrating with pulp3, file content will able to be accessed via https without cert protection (in case you want https but don’t really want to fool with a cert).