Red Hat Satellite Capsule upgrade fails with errors when refreshing its features

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Red Hat Satellite Capsule 6

Issue

  • A Red Hat Satellite Capsule minor update or major upgrade fails with the following error:

    /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.example.com]:    Failed to call refresh: Proxy capsule.example.com cannot be refreshed: unknown error (response 500)
    /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.example.com]: Proxy capsule.example.com cannot be refreshed: unknown error (response 500)
    
  • The satellite-installer fails on the Red Hat Satellite server with the same error.

Resolution

  • The issue was resolved by enabling the remote execution feature with satellite-installer on the Capsule:

    # satellite-installer --scenario capsule --enable-foreman-proxy-plugin-remote-execution-ssh
    
  • If the issue is seen on the Satellite server, check the permissions of /etc/foreman-proxy/ssl_ca.pem. They should ideally be:

    # ll /etc/foreman-proxy/ssl_ca.pem
      -rw-r--r--. 1 root root 8254 Dec 19 06:18 /etc/foreman-proxy/ssl_ca.pem
    
  • Check that /etc/foreman-installer/scenarios.d/capsule-answers.yaml and /etc/foreman-proxy/settings.yml contain entries for the Red Hat Satellite and external Capsule servers.

  • If your Satellite server has an alternate CNAME, add that CNAME to trusted_hosts in /etc/foreman-installer/scenarios.d/capsule-answers.yaml on the external Capsule server, then re-run the installer (satellite-installer -S capsule) on the external Capsule server so that the configuration file picks up the latest information.

    :trusted_hosts:
      - satellite.example.com
      - capsule.example.com
      - satellite-alias.example.com
    
  • For more KB articles/solutions related to Red Hat Satellite 6.x Installation/Upgrade/Update Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Installation/Upgrade/Update Issues.

Root Cause

  • The issue occurred because remote execution was enabled on the Red Hat Capsule but disabled in the capsule-answers.yaml file on the Capsule, creating a conflict.

  • If this error was seen on the Satellite server, incorrect permissions on /etc/foreman-proxy/ssl_ca.pem meant that the foreman-proxy user (which runs the service) could not read the file, which it needs in order to validate whether the client certificates sent to it were signed by that CA.

Diagnostic Steps

  • /var/log/foreman-installer/capsule.log contains:

    [DEBUG 2020-04-16T17:02:51 main]  Foreman_smartproxy[capsule002.example.com](provider=rest_v3): Making get request to https://satellite.example.com/api/v2/smart_proxies?search=name=%22capsule002.example.com%22
    [DEBUG 2020-04-16T17:02:51 main]  Foreman_smartproxy[capsule002.example.com](provider=rest_v3): Received response 200 from request to https://satellite.example.com/api/v2/smart_proxies?search=name=%22capsule002.example.com%22
    [DEBUG 2020-04-16T17:02:51 main]  Foreman_smartproxy[capsule002.example.com](provider=rest_v3): Making put request to https://satellite.example.com/api/v2/smart_proxies/2/refresh
    [DEBUG 2020-04-16T17:02:51 main]  Foreman_smartproxy[capsule002.example.com](provider=rest_v3): Received response 500 from request to https://satellite.example.com/api/v2/smart_proxies/2/refresh
    [ERROR 2020-04-16T17:02:51 main]  Proxy capsule002.example.com cannot be refreshed: unknown error (response 500)
    [ERROR 2020-04-16T17:02:51 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:53:in `refresh_features!'
    [ERROR 2020-04-16T17:02:51 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:48:in `features='
    [ERROR 2020-04-16T17:02:51 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/property.rb:195:in `call_provider'
    ..
    [ERROR 2020-04-16T17:02:51 main] /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
    [ERROR 2020-04-16T17:02:51 main]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule002.example.com]/features: change from ["Ansible", "BMC", "Dynflow", "Logs", "Openscap", "Pulp Node", "Puppet", "Puppet CA", "SSH", "TFTP", "Templates"] to ["Ansible", "BMC", "Dynflow", "HTTPBoot", "Logs", "Openscap", "Puppet", "Puppet CA", "TFTP", "Templates"] failed: Proxy capsule002.example.com cannot be refreshed: unknown error (response 500)
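
Added example, not part of the original solution or Red Hat's tooling: a small shell helper that takes the last `features: change from [...] to [...]` line in the installer log and lists the features that differ between the two lists. The function names are made up for this example and the sample line is the one from the log above; there, `SSH` (the feature exposed by the remote execution SSH plugin) is in the first list but not the second, which is the mismatch described under Root Cause.

```shell
#!/bin/sh
# Added example: diff the two feature lists in the installer's failed
# "features: change from [...] to [...]" log line.

# Sample line copied from the Diagnostic Steps log on this page.
sample_log() {
  cat <<'EOF'
[ERROR 2020-04-16T17:02:51 main]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule002.example.com]/features: change from ["Ansible", "BMC", "Dynflow", "Logs", "Openscap", "Pulp Node", "Puppet", "Puppet CA", "SSH", "TFTP", "Templates"] to ["Ansible", "BMC", "Dynflow", "HTTPBoot", "Logs", "Openscap", "Puppet", "Puppet CA", "TFTP", "Templates"] failed: Proxy capsule002.example.com cannot be refreshed: unknown error (response 500)
EOF
}

# '"A", "B C"' -> one feature name per line (names may contain spaces).
split_features() {
  printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//' -e 's/", "/|/g' | tr '|' '\n'
}

# Print "-Name" for each feature only in the "from" list and "+Name" for each
# feature only in the "to" list. Returns 1 if the log has no such line.
feature_diff() (
  line=$(grep '/features: change from \[' "$1" | tail -n 1)
  [ -n "$line" ] || return 1
  re='.*change from \[([^]]*)] to \[([^]]*)].*'
  from=$(split_features "$(printf '%s\n' "$line" | sed -E "s/$re/\1/")")
  to=$(split_features "$(printf '%s\n' "$line" | sed -E "s/$re/\2/")")
  # -F fixed strings, -x whole-line match so "Puppet" does not match "Puppet CA".
  printf '%s\n' "$from" | grep -Fxv -e "$to" | sed -n 's/^./-&/p'
  printf '%s\n' "$to" | grep -Fxv -e "$from" | sed -n 's/^./+&/p'
)
```

After sourcing the file, run `feature_diff /var/log/foreman-installer/capsule.log` on the Capsule.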
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.