Hi there,
This morning I got a bit stuck. A dynflow task created after
'subscription-manager register' failed when it got to
Actions::Pulp::Consumer::Create. It couldn't do it because it was
conflicting with another record.
So I decided to use pulp-admin to list all consumers [1]. To my
surprise, 'pulp-admin login' didn't work with the default_username
and default_password given in /etc/pulp/server.conf.
The error was the one described here:
http://projects.theforeman.org/issues/12368
https://access.redhat.com/discussions/2148561
https://access.redhat.com/solutions/1295653
Apparently the pulp CA cert and private key didn't match. I decided to
check them and in fact they didn't match.
I made a script (it just gets the moduli for the certs) - and yeah, the
Pulp private key (/etc/pulp/ca.key) appears to have been signed through
a different CA than the rest.
I changed ['security'] cakey in /etc/pulp/server.conf to
/etc/pki/katello/private/katello-default-ca.key, as that one matched
/etc/pki/ca.crt.
'pulp-admin login' succeeds at this point! At this point I decide to
remove the consumer, and put back /etc/pki/ca.key in /etc/pulp/server.conf.
I resume the task, and it 500s. Guess what was the 500 about? Mismatch
between CA private key and cert. I resume it again. 409 conflict. So
that's how I got in the situation, it created the consumer but it also
500s, and the task cannot continue because there's a consumer there
already.
At that point I put back /etc/pki/katello/private/katello-default-ca.key
in /etc/pulp/server.conf, remove the consumer, and resume the task. No
500, consumer was created fine, and my server was registered.
Two questions for all Pulp experts reading:
Does this script give you one, or two md5 signatures when run on a
Katello host?
How is /etc/pki/pulp/ca.key created? Shouldn't we use
/etc/pki/katello/private/katello-default-ca.key? I recreated all my certs
with --certs-update-all, tried this whole thing once again, and yeah the
certs didn't match!
Thanks for reading, if you got this far
-- Daniel Lobato Garcia
@dLobatog
blog.daniellobato.me
daniellobato.me
GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato
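
The modulus comparison described in the message above, written out as an added example (it is not the poster's script, which is not shown on this page). The function names and `make_demo_pki` are hypothetical, and the demo CA and keys are constructed throwaway data; it assumes RSA keys and the `openssl` CLI.

```shell
#!/bin/sh
# Added example: which candidate private key belongs to a given CA certificate?
# An RSA certificate and its private key share the same modulus, so compare them.

cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null; }

# cert_matches_key CERT KEY
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_mod=$(cert_modulus "$1") || return 2
    key_mod=$(key_modulus "$2") || return 2
    [ -n "$cert_mod" ] && [ -n "$key_mod" ] || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# find_matching_key CERT KEY...
# Prints the first key whose modulus equals the certificate's; returns 1 if none.
find_matching_key() {
    cert=$1; shift
    for key in "$@"; do
        if cert_matches_key "$cert" "$key"; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}

# Constructed sample data: a throwaway self-signed CA plus an unrelated key,
# written to a temporary directory whose path is printed.
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=constructed-demo-ca" \
        -days 1 -out "$dir/ca.crt" 2>/dev/null
    printf '%s\n' "$dir"
}

# Usage on a real host, with paths mentioned in the post:
#   find_matching_key /etc/pki/ca.crt /etc/pulp/ca.key \
#       /etc/pki/katello/private/katello-default-ca.key
if [ "$#" -ge 2 ]; then
    find_matching_key "$@" || { echo "no key matches $1" >&2; exit 1; }
fi
```

Running this before pointing `cakey` in /etc/pulp/server.conf at a key shows whether that key can sign on behalf of the configured CA certificate.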