This morning I got a bit stuck. A dynflow task created after
'subscription-manager register' failed when it got to
Actions::Pulp::Consumer::Create. It couldn't do it because it was
conflicting with another record.
So I decided to use pulp-admin to list all consumers. To my
surprise, 'pulp-admin login' didn't work with the default_username
and default_password given in /etc/pulp/server.conf.
Apparently the pulp CA cert and private key didn't match. I decided to
check them and in fact they didn't match.
I made a script (it just gets the moduli for the certs) - and yeah, the
Pulp private key (/etc/pulp/ca.key) appears to have been signed through
a different CA than the rest.
I changed ['security'] cakey in /etc/pulp/server.conf to
/etc/pki/katello/private/katello-default-ca.key, as that one matched
pulp-admin login succeeds at this point! At this point I decide to
remove the consumer, and put back /etc/pki/ca.key in /etc/pulp/server.conf.
I resume the task, and it 500s. Guess what was the 500 about? Mismatch
between CA private key and cert. I resume it again. 409 conflict. So
that's how I got in the situation, it created the consumer but it also
500s, and the task cannot continue because there's a consumer there
At that point I put back /etc/pki/katello/private/katello-default-ca.key
in /etc/pulp/server.conf, remove the consumer, and resume the task. No
500, consumer was created fine, and my server was registered.
Two questions for all Pulp experts reading:
Does this script give you one, or two md5 signatures when run on a
How is /etc/pki/pulp/ca.key created? Shouldn't we use
/etc/pki/katello/private/katello-default-ca.key? I recreated all my certs
with --certs-update-all, tried this whole thing once again, and yeah the
certs didn't match!
Thanks for reading, if you got this far.
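
The modulus comparison described in the post, as an added example that is not the poster's script: it prints the md5 of the RSA modulus of a CA certificate and of a private key and reports whether they are the same. The function names are hypothetical, the keys are assumed to be unencrypted RSA, and with no arguments it runs against two throwaway CAs it constructs itself.

```shell
#!/bin/sh
# Added example, not the script from the post. Assumes the openssl CLI and
# unencrypted RSA keys; all function names here are hypothetical.

# Print "Modulus=<hex>" for FILE; KIND is x509 (certificate) or rsa (key).
modulus() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null </dev/null
}

# Print the md5 of FILE's modulus, the value the post compares.
modulus_md5() {
    m=$(modulus "$1" "$2") || return 2
    printf '%s\n' "$m" | openssl md5 | awk '{print $NF}'
}

# Return 0 if CERT and KEY share a modulus, 1 if not, 2 if either is unreadable.
ca_pair_matches() {
    c=$(modulus x509 "$1") || return 2
    k=$(modulus rsa "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print one digest per file plus a verdict; exit status as ca_pair_matches.
report() {
    rc=0; ca_pair_matches "$1" "$2" || rc=$?
    echo "cert $(modulus_md5 x509 "$1")  $1"
    echo "key  $(modulus_md5 rsa "$2")  $2"
    case $rc in
        0) echo "match: one distinct modulus" ;;
        1) echo "MISMATCH: two distinct moduli" ;;
        *) echo "could not read an RSA modulus from both files" ;;
    esac
    return "$rc"
}

# Create a throwaway self-signed CA (constructed data) as DIR/NAME.crt and .key.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then            # usage: script CA_CERT CA_KEY
    report "$1" "$2"
else                               # no arguments: demo on two throwaway CAs
    d=$(mktemp -d) && make_test_ca "$d" a && make_test_ca "$d" b
    report "$d/a.crt" "$d/a.key" || true   # same CA: match
    report "$d/a.crt" "$d/b.key" || true   # key from the other CA: mismatch
    rm -rf "$d"
fi
```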