After setting up a new Katello installation everything seems to be
configured correctly but when a registered client tries to access a
repository it gets denied because of a certificate issue. I've double
checked that /etc/candlepin/certs/candlepin-ca.crt on the Katello server is
identical to /etc/rhsm/ca/candlepin-local.pem on the client. I made sure
there is content view for the environment and the client registration shows
it in that environment. Not sure where to start digging next.
When a yum update command is issued on the client:
[root@gancvm22 ~]# yum update
Loaded plugins: security
https://gancupdate1.innotrac.com/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml:
[Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403
Forbidden"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository:
rhel-6-server-rpms. Please verify its path and try again
This is the error message from the Katello server.
==> httpd/ssl_kt_error_log <==
[Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] Request denied to
destination
[/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml]Client
certificate failed extension check for destination:
/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
[Mon Jun 16 12:40:36 2014] [error] [client 192.168.2.182] mod_wsgi
(pid=29137): Client denied by server configuration:
'/var/www/pub/https/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml'.
I hotwired authentication by editing /srv/pulp/repo_auth.wsgi and having it
always return true. This allows the update process to work but I'm still
working on fixing authentication.
Jacob,
I know this is a super old post, but did you manage to sort it out?
I just installed Foreman in a lab and ended up in exactly the same situation.
Karlis
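For the "Client certificate failed extension check for destination" line in the thread above, an added example (not part of the original posts and not Pulp's or Katello's own code): a simplified model of that check, showing at which path segment a request diverges from what the client's entitlement certificate allows, so the mismatch can be fixed instead of making repo_auth.wsgi always return true. It assumes the requested path after /pulp/repos is compared against the content URLs in the certificate, with variables such as $releasever matching one segment; the two entitled URLs are constructed sample values.

```python
REPO_PREFIX = "/pulp/repos"  # assumption: prefix served in front of the entitled path

def _segments(path):
    return [s for s in path.split("/") if s]

def check_destination(destination, entitled_urls):
    """Return (authorized, closest_entitled_url, (entitled_seg, requested_seg))."""
    if not destination.startswith(REPO_PREFIX + "/"):
        return (False, None, None)
    requested = _segments(destination[len(REPO_PREFIX):])
    if ".." in requested:  # never match on an un-normalised path
        return (False, None, None)
    best, best_depth = (False, None, None), -1
    for url in entitled_urls:
        entitled = _segments(url)
        if not entitled:  # an empty content URL must not authorise everything
            continue
        depth = 0
        for ent, req in zip(entitled, requested):
            # "$releasever"-style variables stand for exactly one path segment
            if not (ent.startswith("$") or ent == req):
                break
            depth += 1
        if depth == len(entitled):
            return (True, url, None)  # whole entitled URL prefixes the request
        if depth > best_depth:
            got = requested[depth] if depth < len(requested) else None
            best, best_depth = (False, url, (entitled[depth], got)), depth
    return best

# Destination copied from the ssl_kt_error_log excerpt in the thread.
DEST = ("/pulp/repos/Innotrac/prod/allrepos/content/dist/rhel/server/6/"
        "6Server/x86_64/os/repodata/repomd.xml")
# Constructed content URLs, standing in for what a certificate might carry.
ENTITLED_OTHER_ENV = "/Innotrac/Library/content/dist/rhel/server/6/$releasever/$basearch/os"
ENTITLED_SAME_ENV = "/Innotrac/prod/allrepos/content/dist/rhel/server/6/$releasever/$basearch/os"

if __name__ == "__main__":
    print(check_destination(DEST, [ENTITLED_OTHER_ENV]))
    print(check_destination(DEST, [ENTITLED_SAME_ENV]))
```

On a real client, the entitled URLs can be read from the Content sections that `rct cat-cert` prints for the certificate under /etc/pki/entitlement/.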