How and when does a Red Hat Satellite manifest certificate expire?

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • Does Satellite 6 manifests expire?

  • When importing the manifest on Satellite server, the following warning message is displayed in the Satellite's UI:

    Your manifest will expire in 97 days. To extend the expiration date, refresh your manifest. Or, if your Satellite is disconnected, import a new manifest.

Resolution

  • Red Hat Satellite 6 manifest itself does not expire. What expires is the manifest's distributor certificate (also known as "Satellite's upstream consumer's identity certificate"), which is generated by hosted Candlepin and is independent of the entitlement certificates used to synchronize content. For more details, refer to the Root Cause section of this article.

  • A manifest refresh (as described in this solution article) will extend the expiry date of the manifest's distributor certificate on Red Hat Satellite 6.16 and later.

  • On Red Hat Satellite 6.15 and earlier, a manifest refresh will not extend the expiry date of the manifest's distributor certificate. This means that refreshing the manifest before its distributor certificate expires does not help as a preventive measure.

  • In order to be able sync repositories again (after the manifest expires):

    • For Satellite 6.15 and earlier, a new zip of the same manifest needs to be exported from the Red Hat Customer Portal and re-imported into the Red Hat Satellite server by applying this solution article. However, this has to be done within 90 days before the manifest's distributor certificate expires.

    • For Satellite 6.16 and later, a manifest refresh is required, regardless how many days there are till the manifest expires.

  • If the same manifest is re-imported into the Red Hat Satellite server more than 90 days before the manifest's distributor certificate expires, the issue persists.

For more KB articles/solutions related to Red Hat Satellite 6.x Manifest Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Manifest Issues

Root Cause

  • By default, the manifest's distributor certificate (or the "Satellite's upstream consumer's identity certificate") has a validity of 1 year, and when it expires, the manifest effectively expires.

  • If the manifest's distributor certificate (or the "Satellite's upstream consumer's identity certificate") expires, then:

    • Even if the subscriptions are valid in that manifest, Satellite will not be able to sync any repositories using that manifest.
    • There is no way to refresh the manifest, and hence refresh action has been grayed out.

  • The Satellite subscription and the subscriptions tied to the manifest have their own expiration dates.

  • Deleting the Satellite's system profile from the Red Hat Customer Portal account, and re-registering does not affect the expiry date of the Satellite's upstream consumer's identity certificate associated with the manifest. It stays the same.

  • The only action that could extend the expiry date of this certificate for an already imported manifest is replacing that certificate, which is done when you import a new zip of the same old manifest.

  • The following RFE has been raised to improve the user's experience with manifest expiration: This content is not included.SAT-11630 - [RFE] Notification when manifest is going to expire

SBR
Product(s)
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.