[Satellite6] repository synchronization fails with Forbidden error after successful manifest refresh
Environment
Red Hat Satellite 6.3 - 6.9
Issue
- (successfully) refreshing or importing a manifest that replaces some expired (or soon to expire) certificates
- synchronizing some repositories from CDN fails with a Forbidden error
- checking the client certificate used for the repository via this solution shows that an invalid or expired certificate is used
In summary, while candlepin certificates seem to be properly updated by the manifest import/refresh, pulp certificates are not.
How to refresh pulp certificates to match the candlepin ones?
Resolution
Run the script below to invoke Actions::Pulp::Repository::UpdateImporter tasks for all repositories in the Library Lifecycle Environment:
foreman-rake katello:refresh_pulp_repo_details LIFECYCLE_ENVIRONMENT=Library
Root Cause
For an unknown reason, manifest import or refresh handles the certificates authorizing Satellite to connect to cdn.redhat.com such that:
- the certificates are properly updated in candlepinDB
- but they are not updated in pulpDB
The rake script will refresh the pulp certificates according to the candlepin ones.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.