Red Hat Satellite 6 fails to sync repositories with 403 forbidden errors.

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • Red Hat Satellite 6 encounters 403 Forbidden errors when attempting to sync repositories from the Red Hat CDN servers.

  • The repository synchronization process fails, displaying the following error:

        Jul 16 08:53:21 satellite.example.com pulp_streamer[16008]: nectar.downloaders.threaded:INFO: Download failed: Download of https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/ose/3.11/os/Packages/o/openshift-ansible-playbooks-3.11.123-1.git.0.db681ba.el7.noarch.rpm failed with code 403: Forbidden

    Jul 16 08:53:21 satellite.example.com pulp_streamer[16008]: [-] 127.0.0.1 - - [16/Jul/2019:14:53:20 +0000] "GET /var/lib/pulp/content/units/rpm/bb/bc27c78c1ab1a9d2fe82496ed119ea2f0328fa17f35f6ba4e6c87acd032219/openshift-ansible-playbooks-3.11.123-1.git.0.db681ba.el7.noarch.rpm HTTP/1.1" 404 - "-" "urlgrabber/3.10 yum/3.4.3"

    Jul 16 08:53:23 satellite.example.com pulp_streamer[16008]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (4): cdn.redhat.com

    Jul 16 08:53:23 satellite.example.com pulp_streamer[16008]: nectar.downloaders.threaded:INFO: Download failed: Download of https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/ose/3.11/os/Packages/o/openshift-ansible-roles-3.11.123-1.git.0.db681ba.el7.noarch.rpm failed with code 403: Forbidden

Resolution

  • Ensure that if there is a proxy between Red Hat Satellite and the CDN, Red Hat Satellite 6 can successfully communicate with the CDN through the proxy without encountering any issues.

  • Utilize the following command to verify that communication from your Red Hat satellite server to CDN servers is correctly established via the proxy.

    # curl -v --proxy <proxy-ip:port> https://subscription.rhsm.redhat.com --cacert /etc/rhsm/ca/redhat-uep.pem
# curl -v --proxy <proxy-ip:port> https://cdn.redhat.com --cacert /etc/rhsm/ca/redhat-uep.pem

  • Ensure that the manifest contains the appropriate or necessary subscriptions.

  • Initiate the manifest refresh process by following these steps:

    • Navigate to the Red Hat Satellite WebUI: Content --> Subscriptions --> Manage Manifest --> Refresh Manifest.

  • Monitor the progress of the refresh manifest task:

    • Go to the Red Hat Satellite WebUI: Monitor --> Tasks.

  • Once the refresh manifest task is completed successfully, proceed to re-sync the repository.

  • If you continue to experience issues despite following each of the above steps, consider implementing the instructions provided in the article titled repository synchronization fails with Forbidden error after successful manifest refresh.

  • For more KB articles/solutions related to Red Hat Satellite 6.x Repository Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Repository Issues.

Root Cause

  • The 403 Forbidden errors occur due to expiring subscriptions or when required subscriptions are not present in the manifest.
  • To resolve this issue, the manifest refresh process is crucial as it updates these certificates and ensures that the required subscriptions are included, allowing the satellite service to successfully synchronize the repository content.
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.