Subscription manager issue when trying to register new host

Ricardo · May 26, 2021, 10:12am

Problem: Subscription manager issue on severver host

Expected outcome:

Foreman and Proxy versions: Foreman Version 1.20.3

Foreman and Proxy plugin versions:

Distribution and version:

Other relevant data:
Forbidden: Invalid credentials for request.
[root@fhi0150testsat02 rhsm]# til
-bash: til: command not found
[root@fhi0150testsat02 rhsm]# tail /var/log/rhsm/rhsm.log
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 733, in request_post
return self._request(“POST”, method, params, headers=headers)
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 756, in _request
info=info, headers=headers)
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 631, in _request
self.validateResponse(result, request_type, handler)
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 707, in validateResponse
handler=handler)
ForbiddenException: Server error attempting a POST to /rhsm/consumers?owner=IBD-COHI&activation_keys=IBD-COHI-RH7-PROD returned status 403
Forbidden: Invalid credentials for request.

ehelms · May 26, 2021, 12:01pm

Can you share the subscription manager command you ran? You can replace specifics with for example.

Ricardo · May 26, 2021, 12:11pm

thanks for your answer, i am running this command from host
subscription manager record --org = “IBD-COHI” --activationkey = “IBD-COHI-RH7-PROD” --force

Ricardo · May 26, 2021, 12:14pm

And this is a Activation Key setting on Foreman Web Site

Ricardo · May 26, 2021, 12:17pm

Production Key too

jeremylenz · May 26, 2021, 2:54pm

Is sub-man trying to connect to the wrong server? The server it’s trying to talk to will be in /etc/rhsm/rhsm.conf

Ricardo · May 26, 2021, 3:14pm

helo jeremylenz , thanks for youur answered , this is a content to the rhsm.conf file , and this is a ip for the foreman server 172.22.27.141:443

[root@fhi0150testsat02 rhsm]# cat /etc/rhsm/rhsm.conf

Red Hat Subscription Manager Configuration File:

Unified Entitlement Platform Configuration

[server]

Server hostname:

hostname = 172.22.27.141

Server prefix:

prefix = /rhsm

Server port:

port = 443

Set to 1 to disable certificate validation:

insecure = 1

Set the depth of certs which should be checked

when validating a certificate

ssl_verify_depth = 3

an http proxy server to use

proxy_hostname =

The scheme to use for the proxy when updating repo definitions, if needed

e.g. http or https

proxy_scheme = http

port for http proxy server

proxy_port =

user name for authenticating to an http proxy, if needed

proxy_user =

password for basic http proxy auth, if needed

proxy_password =

host/domain suffix blacklist for proxy, if needed

no_proxy =

[rhsm]

Content base URL:

baseurl = https://172.22.27.141/pulp/repos

Repository metadata GPG key URL:

repomd_gpg_url =

Server CA certificate location:

ca_cert_dir = /etc/rhsm/ca/

Default CA cert to use when generating yum repo configs:

repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

Where the certificates should be stored

productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

Manage generation of yum repositories for subscribed content:

manage_repos = 1

Refresh repo files with server overrides on every yum command

full_refresh_on_yum = 0

If set to zero, the client will not report the package profile to

the subscription management service.

report_package_profile = 1

The directory to search for subscription manager plugins

pluginDir = /usr/share/rhsm-plugins

The directory to search for plugin configuration files

pluginConfDir = /etc/rhsm/pluginconf.d

Manage automatic enabling of yum/dnf plugins (product-id, subscription-manager)

auto_enable_yum_plugins = 1

Run the package profile on each yum/dnf transaction

package_profile_on_trans = 0

Inotify is used for monitoring changes in directories with certificates.

Currently only the /etc/pki/consumer directory is monitored by the

rhsm.service. When this directory is mounted using a network file system

without inotify notification support (e.g. NFS), then disabling inotify

is strongly recommended. When inotify is disabled, periodical directory

polling is used instead.

inotify = 1

[rhsmcertd]

Interval to run cert check (in minutes):

certCheckInterval = 240

Interval to run auto-attach (in minutes):

autoAttachInterval = 1440

If set to zero, the checks done by the rhsmcertd daemon will not be splayed (randomly offset)

splay = 1

If set to 1, rhsmcertd will not execute.

disable = 0

[rhsmd]

The time in seconds we will allow the rhsmd cron job to run before terminating the process.

processTimeout = 300

[logging]
default_log_level = INFO

subscription_manager = DEBUG

subscription_manager.managercli = DEBUG

rhsm = DEBUG

rhsm.connection = DEBUG

rhsm-app = DEBUG

rhsm-:app.rhsmd = DEBUG

[root@fhi0150testsat02 rhsm]#

Ricardo · May 31, 2021, 6:28am

Hello, this is the content of the rhsm.conf file, as you can see in the server section, it has the foreman’s server data, by ip I can change it by name but it will surely give the same failure, I have tried communication through port 443 from this server and it is correct Screenshot_2607

[root@fhi0150testsat02 rhsm]# cat /etc/rhsm/rhsm.conf

Red Hat Subscription Manager Configuration File:

Unified Entitlement Platform Configuration

[server]

Server hostname:

hostname = 172.22.27.141

Server prefix:

prefix = /rhsm

Server port:

port = 443

Set to 1 to disable certificate validation:

insecure = 1

Set the depth of certs which should be checked

when validating a certificate

ssl_verify_depth = 3

an http proxy server to use

proxy_hostname =

The scheme to use for the proxy when updating repo definitions, if needed

e.g. http or https

proxy_scheme = http

port for http proxy server

proxy_port =

user name for authenticating to an http proxy, if needed

proxy_user =

password for basic http proxy auth, if needed

proxy_password =

host/domain suffix blacklist for proxy, if needed

no_proxy =

[rhsm]

Content base URL:

baseurl = https://172.22.27.141/pulp/repos

Repository metadata GPG key URL:

repomd_gpg_url =

Server CA certificate location:

ca_cert_dir = /etc/rhsm/ca/

Default CA cert to use when generating yum repo configs:

repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

Where the certificates should be stored

productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

Manage generation of yum repositories for subscribed content:

manage_repos = 1

Refresh repo files with server overrides on every yum command

full_refresh_on_yum = 0

If set to zero, the client will not report the package profile to

the subscription management service.

report_package_profile = 1

The directory to search for subscription manager plugins

pluginDir = /usr/share/rhsm-plugins

The directory to search for plugin configuration files

pluginConfDir = /etc/rhsm/pluginconf.d

Manage automatic enabling of yum/dnf plugins (product-id, subscription-manager)

auto_enable_yum_plugins = 1

Run the package profile on each yum/dnf transaction

package_profile_on_trans = 0

Inotify is used for monitoring changes in directories with certificates.

Currently only the /etc/pki/consumer directory is monitored by the

rhsm.service. When this directory is mounted using a network file system

without inotify notification support (e.g. NFS), then disabling inotify

is strongly recommended. When inotify is disabled, periodical directory

polling is used instead.

inotify = 1

[rhsmcertd]

Interval to run cert check (in minutes):

certCheckInterval = 240

Interval to run auto-attach (in minutes):

autoAttachInterval = 1440

If set to zero, the checks done by the rhsmcertd daemon will not be splayed (randomly offset)

splay = 1

If set to 1, rhsmcertd will not execute.

disable = 0

[rhsmd]

The time in seconds we will allow the rhsmd cron job to run before terminating the process.

processTimeout = 300

[logging]
default_log_level = INFO

subscription_manager = DEBUG

subscription_manager.managercli = DEBUG

rhsm = DEBUG

rhsm.connection = DEBUG

rhsm-app = DEBUG

rhsm-:app.rhsmd = DEBUG

[root@fhi0150testsat02 rhsm]#

Ricardo · May 31, 2021, 6:39am

I have changed the server for the fqdn and now I have this error when registering

Server error attempting a POST to /rhsm/consumers?owner=IBD-COHI&activation_keys=IBD-COHI-RH7-P
ROD returned status 404

2021-05-31 08:36:41,313 [ERROR] subscription-manager:174436:MainThread @managercli.py:217 - Error during registration:
Server error attempting a POST to /rhsm/consumers?owner=IBD-COHI&activation_keys=IBD-COHI-RH7-PROD returned status 40
4
2021-05-31 08:36:41,313 [ERROR] subscription-manager:174436:MainThread @managercli.py:218 - Server error attempting a
POST to /rhsm/consumers?owner=IBD-COHI&activation_keys=IBD-COHI-RH7-PROD returned status 404
Traceback (most recent call last):
File “/usr/lib64/python2.7/site-packages/subscription_manager/managercli.py”, line 1389, in _do_command
type=self.options.consumertype
File “/usr/lib64/python2.7/site-packages/rhsmlib/services/register.py”, line 91, in register
usage=usage
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 1025, in registerConsumer
return self.conn.request_post(url, params)
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 733, in request_post
return self._request(“POST”, method, params, headers=headers)
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 756, in _request
info=info, headers=headers)
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 631, in _request
self.validateResponse(result, request_type, handler)
File “/usr/lib64/python2.7/site-packages/rhsm/connection.py”, line 699, in validateResponse
handler=handler)
RemoteServerException: Server error attempting a POST to /rhsm/consumers?owner=IBD-COHI&activation_keys=IBD-COHI-RH7-P
ROD returned status 404

lstejskal · May 31, 2021, 7:50am

I would suggest to download katello-ca-consumer rpm & install subscription-manager from it. The instructions how to do it should be at Hosts > Content hosts > Register host (if I remember correctly)

Ricardo · May 31, 2021, 8:36am

if correct and installed the KAtello_CA_consummer package then I have executed the subscription command

Ricardo · May 31, 2021, 8:36am

Ricardo · May 31, 2021, 8:37am

Ricardo · May 31, 2021, 8:39am

When I try to validate also with this command, it asks me for a username and password, in this part I am not sure what credentials I should supply

subscription-manager register --org=“IBD-COHI” --environment=“Library”

Justin_Sherrill · June 1, 2021, 7:46pm

You would put in your username/password that you use to access foreman.

If that doesnt’ work either, it’d be curious to see a ‘tail’ of /var/log/foreman/production.log while you try to register.

And your rhsm.conf on the client should have the fqdn of the server, not the ip address. It likely will not work with the ip address.

Ricardo · June 3, 2021, 7:21am

oh my god thanks for your help, managed to register the server in the foreman …

Ricardo · June 3, 2021, 7:27am

One last question in the foreman repositories for Redhat 7 I need the update of the products to collect the information from the Redhat url to perform the aprcheos correctly just as for centos 7 I need the url similar to this for redhat http: // CentOS Mirror
Do you know where I can locate it or which mirror I can use?

Ricardo · June 3, 2021, 8:16am

another question when I try to attach to a poolid it gives me the following message This unit has already had the subscription matching pool ID “2c969b0d795bbd7701795bc8e59d0001” attached.
Entitlement Certificate (s) update failed due to the following reasons:
- unknown string format

And it does not show me the available repos to perform update dbo to create the repos by hand or should it automatically download these repos?