Hi,
Foreman/Katello instance upgraded last friday from 3.8/4.10 up to 3.11/4.13, and had to downgrade candelpin packages to 4.4.10 as 4.4.12 was not working at that time.
Reported this in the ticket Feedback for Foreman 3.11 & Katello 4.13 and forgot to check updates on the ticket until today…
I had a new RHEL8 VM registred today and was not able to install anything nor refresh metadata cache: exact same error 403. After checking with rct cat-cert /etc/pki/entitlement/XXX.pem command, the authorized content URL was not OK, aka contains %2F after organization name.
Following details provided on the other ticket, I installed as a workaround rng-tools, enabled the rngd service and then upgraded again candelpin from 4.4.10 to 4.4.12. It was successful this time as the liquibase runned correctly at startup (as seen in the catalina log file).
After re-registering the RHEL8 host in Katello the certificate was this time fully valid and then packages installation was finally working.
So it seems that in some cases it works “out-of-the-box” after upgrading to latest version, sometime it fails with an existing database or an empty one.
Hope this can help.
Best Regards,
Nicolas.