It does not require a certificate for authentication; the options sslverify and sslcacert are only for validating the source.
The problem is they use some repository software which does not display the files and so it is hard to find out if they have some error in their repository.
We had some similar issues with Gitlab: Unable to add Gitlab-ee repo
But Grafana has always worked in the past, when I have tried!
Please post the exact repository configuration you have used. Or use “hammer repository list” to find the id of the repository and then “hammer repository info --id=” to print the config.
Do you have something configured for upstream authorization on the repository?
When I check with curl on the failed URL I only get a 404:
$ curl -v 'https://packages.grafana.com/oss/rpm/.treeinfo'
* About to connect() to packages.grafana.com port 443 (#0)
...
< HTTP/1.1 404 Not Found
...
You have configured the repository to use an http proxy. My first guess would be that your http proxy requires authentication but you don’t provide it.
What do you have configured as content credential?
# hammer content-credentials info --id 9 --organization=<ORG>
[quote=“jost, post:9, topic:22959”]
I didn’t configure any authorization
[/quote] Did you check that it’s really empty on the configuration page? The hammer command above doesn’t show it and I am not sure which one does. My browser always wants to autofill the username and password if I create a new repo and I always have to remove/clean both text fields before I submit…
What do you have set as SSL CA Cert, SSL Client Cert and SSL Client Key?
[quote=“jost, post:9, topic:22959”]
If you point your browser to this address
you can’t see any rpms.
[/quote] Yes. I know. You cannot browse the repository. I asked what curl prints out for ‘https://packages.grafana.com/oss/rpm/.treeinfo’ on that server, not in your browser…
If you want to see what’s in the repository, you have to start with the repomd file:
I didn’t set SSL CA Cert, SSL Client Cert and SSL Client Key, because if I try to import this CA bundle from /etc/pki/tls/certs/ca-bundle.crt (link to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) into foreman then I get an error:
Could not create GPG Key:
Validation failed: Content cannot be a binary file.
On my foreman server I can reach this page via curl,
Well, yes, that’s pointless anyway. That’s the collection of trusted root certificates on the system. That should be used by default, anyway, if you enable ssl verification on the repository.
Check /var/log/foreman/production.log file for errors. It should show an error at the time the sync fails.
Where did you see your error messages you have posted? I only see “Katello::Errors::PulpError: RPM1004: Error retrieving metadata: Authentication required” if I try to access a repository for which I am not authenticated…
Why do you use a http proxy if you don’t need to? Your foreman server can access the repository directly…
O.K. You are using pulp3. That’s probably why the message is different.
Have you tried it without proxy to rule that out? As curl can connect directly without problems (i.e. without a 401 error) I still think it must be your proxy which denies the access…
I am out of ideas and my environment with pulp2 and no proxy shows no problems. I guess a developer or someone with deeper insights has to tag in here. Sorry.
So, on your Foreman, you can configure the Grafana repo and the rpms start downloading?
I have tried curl with the proxy and it also works. So there is no proxy problem.
I’m using:
katello-3.18.2-1.el7.noarch
foreman-2.3.3-1.el7.noarch
pulp-server-2.21.5-1.el7.noarch
Yes. But the file is in UTF-8 because it has some UTF-8 in the comments. A PEM certificate itself is simple pure 7 bit ASCII thus I guess it doesn’t like the UTF-8 in the file. If you make a copy of the file and remove the comments you’ll probably get it imported.
But again: you don’t need the ca-bundle. I am pretty sure that simply enabling “Verify SSL” on a repository effectively does exactly the same. Unless you specify a specific CA certificate to use, the ssl libraries will use the system default, i.e. the ca-bundle, to verify the https connection. So don’t set it. Don’t use it. If you want to be sure you can try to set up a repository pointing to a self-signed webserver to check if it is accepted or not when “Verify SSL” is enabled.
Importing ca-bundle is pointless and it also won’t accept any changes anymore which are automatically added to ca-bundle in the system.
Yes. It’s happily syncing every day and getting new updates every couple of days. But again, I am still on pulp2.
I don’t think that shows you whether you use pulp2 or pulp3. Your error messages show pulp3, thus I guess you have made the pulp3 migration.
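The guess made above about the import error (UTF-8 in the bundle's comment lines, while the PEM blocks themselves are 7-bit ASCII) can be checked with a short script. This is an added example, not part of the original posts; the function names and the sample bundle are constructed for illustration, and its "certificates" are placeholder bytes, not real CA certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)

def non_ascii_lines(data: bytes):
    """Return (line_number, text) for every line holding bytes above 0x7F."""
    hits = []
    for number, line in enumerate(data.splitlines(), start=1):
        if any(byte > 0x7F for byte in line):
            hits.append((number, line.decode("utf-8", errors="replace")))
    return hits

def certificates_only(data: bytes) -> bytes:
    """Keep only the PEM certificate blocks, dropping comments between them."""
    blocks = []
    for match in PEM_BLOCK.finditer(data):
        body = b"".join(match.group(1).split())
        base64.b64decode(body, validate=True)  # raises if the body is not base64
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append(b"\n".join(
            [b"-----BEGIN CERTIFICATE-----", *lines, b"-----END CERTIFICATE-----"]))
    return b"\n".join(blocks) + b"\n"

# Constructed sample: two placeholder blocks (not real CA certificates) with
# comment lines between them, one of which contains UTF-8 characters.
def _fake_cert(seed: int) -> bytes:
    body = base64.encodebytes(bytes((seed + i) % 256 for i in range(96)))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (
    "# Example Root CA\n".encode()
    + _fake_cert(1)
    + "# Példa Főtanúsítvány\n".encode("utf-8")
    + _fake_cert(7)
)

if __name__ == "__main__":
    for number, text in non_ascii_lines(SAMPLE_BUNDLE):
        print(f"line {number}: {text}")
    print(certificates_only(SAMPLE_BUNDLE).decode("ascii"))
```

To run it against a real file, pass the contents of a copy of the bundle (read in binary mode) to the same two functions.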
Yes, you are right regarding importing ca-bundle.
This is a fresh installation of Foreman with the version that I mentioned before.
So it looks like I will not be able to sync the Grafana repo, which is pretty annoying?
I don’t think that shows you whether you use pulp2 or pulp3. Your error messages show pulp3, thus I guess you have made the pulp3 migration.
To verify you’re using pulp3, you can check Infrastructure > Smart Proxies > (your Foreman server) > Services tab. Look for ‘yum’ under Supported content types - if it’s listed under Pulpcore it means pulp3, ‘Pulp’ means pulp 2.