[Satellite6] clients can't register to Satellite/Capsule despite having katello-ca-consumer-latest package installed

Solution Verified - Updated 2 Aug 2024

Environment

Red Hat Satellite 6.0 and 6.1

Issue

regenerating SSL certificates on Satellite or an external Capsule
a client host reinstalls katello-ca-consumer-latest package to get the SSL certificates update
but the client host fails to either register to the Satellite/Capsule, or goferd fails to connect to Satellite/Capsule port 5647
checking content of /var/www/html/pub directory in the Satellite/Capsule, katello-ca-consumer-latest symbolic link does not point to the newest RPM with highest rpm minor version
- e.g. despite having version 1.0-10 there, the *-latest symlink points to 1.0-9

Resolution

For permanent solution, upgrade to Satellite 6.2 (where the underlying This content is not included.bug is fixed) and forcefully generate new katello-ca-consumer RPM.

As a workaround for pre-Satellite6.2 release, one has to manually fix the symbolic link after every run of katello-installer or capsule-installer that is supposed to point it to an old RPM version:

cd /var/www/html/pub
rm -f katello-ca-consumer-latest.noarch.rpm
ln -s $(ls katello-ca-consumer-$(hostname -f)*noarch.rpm -tr | tail -n1) katello-ca-consumer-latest.noarch.rpm

Once the symbolic link is correct (by either way), reinstalls the package on every affected Content Host:

rpm -ev $(rpm -qa | grep katello-ca-consumer)
rpm -Uvh http://$(grep "^hostname = " /etc/rhsm/rhsm.conf | cut -d' ' -f3)/pub/katello-ca-consumer-latest.noarch.rpm

Root Cause

After generating new katello-ca-consumer package, katello-ca-consumer-latest.noarch.rpm symbolic link is (re)generated to point to this package version. The link is created to the target with the latest RPM version - per lexicographical ordering, and not per numeric ordering. That is wrong, causing package version 1.0-9 is considered as later/newer than 1.0-10.

Diagnostic Steps

client host fails to register to Satellite/Capsule, regardless having reinstalled the latest katello-ca-consumer package:

# rpm -e $(rpm -qa | grep katello-ca-consumer); rpm -Uvh http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Retrieving http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:katello-ca-consumer-capsule-examp################################# [100%]
# subscription-manager register --org="Default_Organization" --environment="Library" --username=admin --password=AdminPassword --force
Unable to verify server's identity: certificate verify failed
#

/var/www/html/pub/katello-ca-consumer-latest.noarch.rpm points to /var/www/html/pub/katello-ca-consumer-capsule.example.com-1.0-9.noarch.rpm regardless there is newer katello-ca-consumer-capsule.example.com-1.0-10.noarch.rpm file there:

# ll /var/www/html/pubbak/
total 248
lrwxrwxrwx. 1 root root   91 Dec 15 09:35 katello-ca-consumer-latest.noarch.rpm -> /var/www/html/pub/katello-ca-consumer-capsule.example.com-1.0-9.noarch.rpm
-rw-r--r--. 1 root root 8583 Dec 15 09:35 katello-ca-consumer-capsule.example.com-1.0-10.noarch.rpm
-rw-r--r--. 1 root root 9055 Dec 15 09:35 katello-ca-consumer-capsule.example.com-1.0-10.src.rpm
-rw-r--r--. 1 root root 8575 Sep 10 12:15 katello-ca-consumer-capsule.example.com-1.0-1.noarch.rpm
-rw-r--r--. 1 root root 9063 Sep 10 12:15 katello-ca-consumer-capsule.example.com-1.0-1.src.rpm
-rw-r--r--. 1 root root 8575 Oct 17 22:36 katello-ca-consumer-capsule.example.com-1.0-2.noarch.rpm
-rw-r--r--. 1 root root 9058 Oct 17 22:36 katello-ca-consumer-capsule.example.com-1.0-2.src.rpm
-rw-r--r--. 1 root root 8575 Oct 17 22:54 katello-ca-consumer-capsule.example.com-1.0-3.noarch.rpm
-rw-r--r--. 1 root root 9057 Oct 17 22:54 katello-ca-consumer-capsule.example.com-1.0-3.src.rpm
-rw-r--r--. 1 root root 8575 Oct 17 23:17 katello-ca-consumer-capsule.example.com-1.0-4.noarch.rpm
-rw-r--r--. 1 root root 9064 Oct 17 23:17 katello-ca-consumer-capsule.example.com-1.0-4.src.rpm
-rw-r--r--. 1 root root 8575 Dec  6 13:18 katello-ca-consumer-capsule.example.com-1.0-5.noarch.rpm
-rw-r--r--. 1 root root 9063 Dec  6 13:18 katello-ca-consumer-capsule.example.com-1.0-5.src.rpm
-rw-r--r--. 1 root root 8587 Dec  6 13:42 katello-ca-consumer-capsule.example.com-1.0-6.noarch.rpm
-rw-r--r--. 1 root root 9082 Dec  6 13:42 katello-ca-consumer-capsule.example.com-1.0-6.src.rpm
-rw-r--r--. 1 root root 8587 Dec  6 13:45 katello-ca-consumer-capsule.example.com-1.0-7.noarch.rpm
-rw-r--r--. 1 root root 9080 Dec  6 13:45 katello-ca-consumer-capsule.example.com-1.0-7.src.rpm
-rw-r--r--. 1 root root 8575 Dec  6 14:05 katello-ca-consumer-capsule.example.com-1.0-8.noarch.rpm
-rw-r--r--. 1 root root 9056 Dec  6 14:05 katello-ca-consumer-capsule.example.com-1.0-8.src.rpm
-rw-r--r--. 1 root root 8575 Dec  6 14:37 katello-ca-consumer-capsule.example.com-1.0-9.noarch.rpm
-rw-r--r--. 1 root root 9068 Dec  6 14:37 katello-ca-consumer-capsule.example.com-1.0-9.src.rpm
-rw-r--r--. 1 root root 5567 Dec 15 09:35 katello-server-ca.crt
#

SBR

SysMgmt

Product(s)

Red Hat Satellite

Components

foreman

Category

Troubleshoot

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.