Error "CDN loading error: access forbidden" while enabling Satellite 6.17 repositories on Satellite Web UI even after manifest refresh

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.16

Issue

  • Trying to enable the Satellite 6.17 repositories in Satellite's Web UI and getting the following error even after refreshing the manifest:

    The error shown on Satellite Web UI:

    CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/layered/rhel9/x86_64/sat-maintenance/6.17/os/repodata/repomd.xml
    
  • Syncing the Satellite 6.17 repository returns the following error:

    403, message='Forbidden',
    url='https://cdn.redhat.com/content/dist/layered/rhel9/x86_64/satellite/6.17/os'
    

Resolution

  • Remove the Red Hat Satellite Infrastructure subscriptions you have attached to the manifest and add them back:

    1. Navigate to Satellite Web UI > Content > Subscriptions.
    2. Select the Red Hat Satellite Infrastructure Subscription and delete it.
    3. Click the Add Subscriptions button and re-add the Red Hat Satellite Infrastructure Subscription.

For more KB articles/solutions related to Red Hat Satellite 6.x Repository Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Repository Issues.

Root Cause

The newly released Satellite 6.17 version was not reflected in the manifest even after a manifest refresh. The issue is tracked in SAT-34066.

Diagnostic Steps

  • The error shown in /var/log/foreman/production.log:

       Katello::Errors::SecurityViolation: CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/layered/rhel9/x86_64/sat-maintenance/6.17/os/repodata/repomd.xml
    
       Katello::Errors::SecurityViolation: CDN loading error: access forbidden to https://cdn.redhat.com:443/content/dist/layered/rhel9/x86_64/satellite/6.17/os/repodata/repomd.xml
    
  • Extract the manifest and check whether the certificates in the manifest provide access to the required repository:

       # unzip manifest-xxx.zip
       # cd manifest-xxx
       # unzip consumer_export.zip
       # cd consumer_export/export/entitlement_certificates
       # wget --certificate 3972309415411480338.pem    https://cdn.redhat.com:443/content/dist/layered/rhel9/x86_64/satellite/6.17/os/repodata/repomd.xml --no-check-certificate
       HTTP ERROR response 403 Forbidden [https://cdn.redhat.com:443/content/dist/layered/rhel9/x86_64/satellite/6.17/os/repodata/repomd.xml]  <=== Error for satellite 6.17 repos
    
       # wget --certificate 2120119609365383010.pem https://cdn.redhat.com:443/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml --no-check-certificate
       HTTP response 200 OK [https://cdn.redhat.com:443/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml] <=== No errors for RHEL repos
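
Added example (not part of the original solution): a shell script that runs the same check across every entitlement certificate in the extracted manifest and reports which ones, if any, are entitled to a given CDN URL. It uses curl rather than wget and keeps server certificate verification on; the CA path /etc/rhsm/ca/redhat-uep.pem is an assumption about the host, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: test every entitlement certificate from an extracted manifest
# against one CDN URL. Not Red Hat's code; function names are illustrative.

# Assumption: the Red Hat CDN CA is installed at this path. Override if needed.
CA_BUNDLE="${CA_BUNDLE:-/etc/rhsm/ca/redhat-uep.pem}"

# probe_url CERT URL: print the HTTP status code (000 if TLS/connection fails).
# The entitlement .pem carries both the client certificate and its key.
probe_url() {
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --cacert "$CA_BUNDLE" --cert "$1" "$2" || true
}

# classify_status CODE: map the status code to a verdict for this check.
classify_status() {
    case "$1" in
        200) echo "entitled" ;;
        403) echo "not-entitled" ;;
        000) echo "connection-or-tls-failure" ;;
        *)   echo "unexpected-$1" ;;
    esac
}

# check_certs DIR URL: print "file code verdict" for each certificate.
# Returns 0 if at least one certificate is entitled to URL, 1 otherwise.
check_certs() {
    dir=$1
    url=$2
    found=1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        code=$(probe_url "$pem" "$url")
        printf '%s %s %s\n' "$(basename "$pem")" "$code" "$(classify_status "$code")"
        if [ "$code" = 200 ]; then
            found=0
        fi
    done
    return "$found"
}

# Usage: sh check_certs.sh consumer_export/export/entitlement_certificates URL
if [ "$#" -eq 2 ]; then
    check_certs "$1" "$2"
fi
```

A non-zero exit with every certificate reported as not-entitled for the 6.17 URL means no certificate in the manifest grants that content; a connection-or-tls-failure verdict points at the CA path or network rather than at the entitlement.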
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.