Problem after update of SSL certificates



Hello all,

It is probably a user problem. I may not understand the behaviour of /usr/bin/katello-rhsm-consumer.

I updated the SSL certificates for the katello scenario.

I used the utility /sbin/katello-certs-check -c /etc/pki/pr0mgm01-ssl/pr0mgm01_encrypted.crt -k /etc/pki/pr0mgm01-ssl/pr0mgm01_encrypted_pem.key -b /etc/pki/pr0mgm01-ssl/pr0mgm01_cabundle.pem

It generated a command after validation. I ran that command, it finished successfully, and the web interface runs with the green lock SSL icon.

So my clients (consumers) are not able to yum update because they do not know the CA which signed the new certificate.

I understand that I have to download and install

curl --insecure --output katello-ca-consumer-latest.noarch.rpm

But there is a problem.
On a newly installed server the /usr/bin/katello-rhsm-consumer script works as expected.

If I reinstall on already registered servers, it replaces our server in /etc/rhsm/rhsm.conf with the one from /etc/rhsm/rhsm.conf.kat-backup, so I need to re-run /usr/bin/katello-rhsm-consumer one more time, and that fixes it.

Is this correct behaviour?



… or remove /etc/rhsm/rhsm.conf.kat-backup before reinstalling katello-ca-consumer-latest.noarch.rpm
I do not know how the cdn.redhat server appeared in this configuration; that server was CentOS all the time.


I usually switch a host to a new Katello by removing the old katello-ca-cert rpm and installing the new one. You shouldn’t have to manually edit /etc/rhsm/rhsm.conf.

# Remove the old CA consumer RPM
rpm -qa | grep katello-ca-consumer
yum remove <katello-ca-consumer rpm>
# Install the new CA consumer RPM
curl --insecure --output katello-ca-consumer-latest.noarch.rpm <katello>/pub/katello-ca-consumer-latest.noarch.rpm
yum install katello-ca-consumer-latest.noarch.rpm

You might want to unregister your host using subscription manager before removing the CA consumer RPM, or you can force register after installing the new CA consumer.



That is the problem. I do not edit /etc/rhsm/rhsm.conf manually.
I install a CentOS host with create host in Foreman, then register it with the standard process.

So for updating the SSL certificates via katello-ca-consumer-latest.noarch.rpm, I made an Ansible task that removes /etc/rhsm/rhsm.conf.kat-backup and then updates katello-ca-consumer-latest.noarch.rpm

I have no idea why /etc/rhsm/rhsm.conf contains the wrong Foreman server (cdn.redhat. .com) if /etc/rhsm/rhsm.conf.kat-backup with that information was present during the reinstall of the certificates.

If it was not removed before the update, it is necessary to update katello-ca-consumer-latest.noarch.rpm one more time, or to run /usr/bin/katello-rhsm-consumer manually.


I don’t think removing rhsm.conf.kat-backup does anything. Did you try removing the RPM and installing from the new one as I showed above?



No, I did not uninstall that package. I tried to reinstall it.
I removed rhsm.conf.kat-backup on 300 servers and updated katello-ca-consumer-latest.noarch.rpm.
The configuration is fine, with the proper Foreman hostname.

Do I have to uninstall and install every package I need to reinstall?
Shouldn't that be done with pre and post steps during rpm installation?


I don’t think you can just upgrade this RPM because the version of the new RPM isn’t greater than the old RPM. You must uninstall and reinstall the new one, as far as I know.


If I check
yum info katello-ca-consumer-latest.noarch.rpm
it has a higher release number.


Really? I always get version 1, release 1:

# yum info katello-ca-consumer-centos7-devel.virbr0.akofink-desktop-1.0-1.noarch
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is registered with an entitlement server, but is not receiving updates. You can use subscription-manager to assign subscriptions.
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Installed Packages
Name        : katello-ca-consumer-centos7-devel.virbr0.akofink-desktop
Arch        : noarch
Version     : 1.0
Release     : 1
Size        : 16 k
Repo        : installed
Summary     : Subscription-manager consumer certificate for Katello instance centos7-devel.virbr0.akofink-desktop
License     : GPL
Description : Consumer certificate and post installation script that configures rhsm.

What do you get?


Release 6

Dec 06 14:25:28 Updated:

Installed Packages
Name :
Arch : noarch
Version : 1.0
Release : 6
Size : 15 k
Repo : installed
Summary : Subscription-manager consumer certificate for Katello instance
License : GPL
Description : Consumer certificate and post installation script that configures rhsm.

I think it is not moving anywhere.
Everything I wrote is questioned.

I found how to fix it; I just wanted to know if it is normal behaviour and how rhsm.conf.kat-backup looks for other users.


When you install the katello-ca-consumer rpm, it runs cp /etc/rhsm/rhsm.conf /etc/rhsm/rhsm.conf.kat-backup. When you uninstall the rpm, it might copy the file back (though I’m not positive). So this file is not guaranteed to be the same for every user, and it’s not used by Katello at all (it’s just a backup so we don’t completely throw out the old file).


But I am not uninstalling that.

I am updating katello-ca-consumer-latest.rpm; this package contains only the script /usr/bin/katello-rhsm-consumer. After the first update it has the wrong rhsm.conf. Then it is possible to reinstall a second time, and rhsm.conf is correct, or to manually run the updated /usr/bin/katello-rhsm-consumer, which fixes it too. (A third possibility is to remove rhsm.conf.kat-backup before the update.)


Ok, sorry - I misunderstood what was happening. Could you please share the exact steps to reproduce the behavior? Also which version of Katello is this?


Our Foreman has been running for 2 years; we upgraded it from 1.13 to 1.18.3 (not at once).
A week ago I wanted to add SSL certificates signed by our corporate CA.

All went smoothly, and I understand that already registered clients do not know the signing authority.

So we had to roll out katello-ca-consumer-latest.rpm to the clients.

It contains the script /usr/bin/katello-rhsm-consumer, which updates /etc/pki/ca-trust/source/anchors with the new certificates. But after the update I found that the reinstall of the package changed /etc/rhsm/rhsm.conf to the server from /etc/rhsm/rhsm.conf.kat-backup.

I found 3 workarounds to set the correct /etc/rhsm/rhsm.conf:

  1. reinstall the same katello-ca-consumer-latest.rpm
  2. manually run the updated /usr/bin/katello-rhsm-consumer
  3. delete /etc/rhsm/rhsm.conf.kat-backup with the wrong hostname before reinstalling katello-ca-consumer-latest.rpm

Wrong information:
hostname =
prefix = /subscription

hostname =
prefix = /rhsm

My question is where it gets that Red Hat hostname from, when my client is CentOS and the Foreman server is CentOS, and whether anyone else has a similar rhsm.conf.kat-backup with wrong data.

I did a quick check of /usr/bin/katello-rhsm-consumer, but I did not find anything.
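
The drift described in this thread can be detected on each client after the RPM is reinstalled, before the host silently stops receiving updates from Katello. The script below is an added example, not part of the original posts and not Katello's own code. It assumes hostname and prefix sit under a [server] section of rhsm.conf and that Katello clients use prefix /rhsm; the hostnames in the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Katello code): audit rhsm.conf after reinstalling the
# katello-ca-consumer RPM. Assumes hostname/prefix live under [server].

# Print the value of key $1 from the [server] section of file $2.
rhsm_server_value() {
    awk -v key="$1" '
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
        /^[ \t]*#/  { next }
        in_server {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$2"
}

# audit_host EXPECTED_HOST [DIR] returns:
#   0  rhsm.conf points at EXPECTED_HOST with prefix /rhsm
#   1  rhsm.conf points elsewhere (the client will not reach Katello)
#   2  rhsm.conf is fine, but rhsm.conf.kat-backup holds another hostname
audit_host() {
    expected=$1; dir=${2:-/etc/rhsm}
    host=$(rhsm_server_value hostname "$dir/rhsm.conf")
    prefix=$(rhsm_server_value prefix "$dir/rhsm.conf")
    if [ "$host" != "$expected" ] || [ "$prefix" != "/rhsm" ]; then
        echo "DRIFT hostname=${host:-unset} prefix=${prefix:-unset}"
        return 1
    fi
    if [ -f "$dir/rhsm.conf.kat-backup" ]; then
        bhost=$(rhsm_server_value hostname "$dir/rhsm.conf.kat-backup")
        if [ "$bhost" != "$expected" ]; then
            echo "STALE-BACKUP hostname=${bhost:-unset}"
            return 2
        fi
    fi
    echo "OK hostname=$host prefix=$prefix"
}

# Constructed sample file: make_sample FILE HOSTNAME PREFIX
make_sample() {
    printf '[server]\n# Server hostname:\nproxy_hostname =\nhostname = %s\nprefix = %s\n\n[rhsm]\nmanage_repos = 1\n' "$2" "$3" > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d/rhsm.conf" katello.example.test /rhsm
    make_sample "$d/rhsm.conf.kat-backup" default.example.test /subscription
    audit_host katello.example.test "$d"; echo "exit=$?"; rm -rf "$d"
fi
```

Exit code 2 marks hosts where the configuration is currently correct but the backup still carries a different server, which is the state the thread reports as being restored on the next reinstall.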


When you first install subscription-manager, /etc/rhsm/rhsm.conf is created with the Red Hat hostname. This is the typical configuration for talking to RHSM. The following is on a fresh centos 7 box:

$ cat /etc/rhsm/rhsm.conf
cat: /etc/rhsm/rhsm.conf: No such file or directory

$ yum install -y subscription-manager

$ cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
# Server hostname:
hostname =

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

# host/domain suffix blacklist for proxy, if needed
no_proxy =

# Content base URL:
baseurl =

# Repository metadata GPG key URL:
repomd_gpg_url =

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# Refresh repo files with server overrides on every yum command
full_refresh_on_yum = 0

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

# Manage automatic enabling of yum/dnf plugins (product-id, subscription-manager)
auto_enable_yum_plugins = 1

# Inotify is used for monitoring changes in directories with certificates.
# Currently only the /etc/pki/consumer directory is monitored by the
# rhsm.service. When this directory is mounted using a network file system
# without inotify notification support (e.g. NFS), then disabling inotify
# is strongly recommended. When inotify is disabled, periodical directory
# polling is used instead.
inotify = 1

# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440
# If set to zero, the checks done by the rhsmcertd daemon will not be splayed (randomly offset)
splay = 1

default_log_level = INFO
# subscription_manager = DEBUG
# subscription_manager.managercli = DEBUG
# rhsm = DEBUG
# rhsm.connection = DEBUG
# rhsm-app = DEBUG
# rhsm-app.rhsmd = DEBUG

This is expected behavior of subscription-manager.


Ok. I understand where it takes it from.

The next question is why it is moved from rhsm.conf.kat-backup to rhsm.conf after a reinstall of katello-ca-consumer-latest.rpm with the new SSL certificates.


This might be a bug. It should move rhsm.conf.kat-backup to rhsm.conf after uninstall and move rhsm.conf to rhsm.conf.kat-backup on install. When I run yum reinstall ./katello-ca-consumer-latest.noarch.rpm, the /etc/rhsm/ folder remains unchanged. Is that what you’re running as well? I believe this behavior comes from the postun script here.


It looks like it’s already reported as . I went ahead and cloned it for Katello as well. Thanks for bringing it to our attention! On which version of Foreman/Katello do you see this?