How to use builds with Red Hat Satellite subscriptions and which certificate to use

Solution Verified - Updated 13 Jun 2024

Environment

OpenShift Container Platform 4.6+
Disconnected Environment

Issue

Unable to determine which Red Hat satellite certificate to use for the builds provided in OpenShift documentation

Resolution

Please use debug certificate from Satellite instead of using the usual certificates as described in this Content from github.com is not included.url - howto-change-container-yum-source
To generate a debug certificate in Satellite , go to 'Manage Organizations' and 'Edit' the organization that you're looking for. Click on 'Primary' and you should see the 'Generate and Download' button.
Use the generated certificate in your build-config and docker files as described in OpenShift documentation

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

Root Cause

The usual Satellite certificates do not have access to all the repositories in Satellite.

Diagnostic Steps

You can use rct tool in satellite to determine whether the certificate has access to the repos. For more about rct refer this KCS
# rct cat-cert /path_to_cert/entitlement.pem
The cert shows that it does not have the repos Enabled.

Content:
	Type: yum
	Name: Red Hat Ansible Engine 2 RPMs for Red Hat Enterprise Linux 7 Server
	Label: rhel-7-server-ansible-2-rpms
	Vendor: Red Hat
	URL: /RedHat/DEV/RHEL7_QUARTERLY/content/dist/rhel/server/7/7Server/$basearch/ansible/2/os
	GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
	Enabled: False
	Expires: 1
	Required Tags: rhel-7-server
	Arches: x86_64

Content:
	Type: yum
	Name: Red Hat Ansible Engine 2.8 RPMs for Red Hat Enterprise Linux 7 Server
	Label: rhel-7-server-ansible-2.8-rpms
	Vendor: Red Hat
	URL: /RedHat/DEV/RHEL7_QUARTERLY/content/dist/rhel/server/7/7Server/$basearch/ansible/2.8/os
	GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
	Enabled: False
	Expires: 1
	Required Tags: rhel-7-server
	Arches: x86_64

Using the usual certs from Satellite results in build failures for example :

Loaded plugins: ovl, product-id, search-disabled-repos
https://example.satellite.com/RedHat/content/dist/rhel/server/7/7Server/x86_64/dotnet/1/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.

SBR

Shift

Product(s)

Red Hat OpenShift Container Platform

Components

builds

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.