RHEL 7 repositories not updating due to certificate issues

Open oldphart1 opened this issue 2 years ago • 5 comments

When I try to sync a channel I am getting the following message:

spacewalk-repo-sync -c rhel7_x86_64

2022-05-17 12:57:08,631 urlgrabber version = 4.1.0
2022-05-17 12:57:08,631 trans function "_" = <function _ at 0x7f9af1c67a60>
12:57:08 ======================================
12:57:08 | Channel: rhel7_x86_64
12:57:08 ======================================
12:57:08 Sync of channel started.
Preparing custom SSL CAPATH at /var/cache/rhn/reposync/.ssl-certs/1
Retrieving repository 'rhel7_x86_64' metadata .................................................................................................................................................................................[error]
12:57:09 RepoMDError: Cannot access repository. Repository 'rhel7_x86_64' is invalid.
[rhel7_x86_64|https://cdn.redhat.com/content/dist/rhel/rhui/server/7//x86_64/os?ssl_capath=/var/cache/rhn/reposync/.ssl-certs/1&ssl_clientcert=/var/cache/rhn/reposync/.ssl-certs/1/Entitlement-Cert-date.pem&ssl_clientkey=/var/cache/rhn/reposync/.ssl-certs/1/Entitlement-Key-date.pem] Valid metadata not found at specified URL
History:

  • [|] Error trying to read from 'https://cdn.redhat.com/content/dist/rhel/rhui/server/7//x86_64/os?ssl_capath=/var/cache/rhn/reposync/.ssl-certs/1&ssl_clientcert=/var/cache/rhn/reposync/.ssl-certs/1/Entitlement-Cert-date.pem&ssl_clientkey=/var/cache/rhn/reposync/.ssl-certs/1/Entitlement-Key-date.pem'
  • Permission to access 'https://cdn.redhat.com/content/dist/rhel/rhui/server/7/x86_64/os/content?ssl_capath=/var/cache/rhn/reposync/.ssl-certs/1&ssl_clientcert=/var/cache/rhn/reposync/.ssl-certs/1/Entitlement-Cert-date.pem&ssl_clientkey=/var/cache/rhn/reposync/.ssl-certs/1/Entitlement-Key-date.pem' denied.

Please check if the URIs defined for this repository are pointing to a valid repository. Skipping repository 'rhel7_x86_64' because of the above error. Could not refresh the repositories because of errors.

The certificates and key are the ones that currently work for RedHat Update Infrastructure (RHUI) which is our way of patching our limited number of RHEL servers at the moment. Our entitlement doesn't expire until 2025 so there should be no issue.

RedHat support of course don't want to hear about non-RedHat products so they have been of very little help.

Anyone have a clue?

Thanks

Michael Lightfoot Delivery Engineer Sliced Tech

oldphart1 avatar May 17 '22 06:05 oldphart1

I can only suggest double-checking and maybe even replacing the certificates again. I ran into similar issues in the past, where an entitlement that wasn't supposed to expire soon just stopped working. I had to copy the certs from a RHEL client again, which then also had a newer change date, and then it started working again.

wombelix avatar May 17 '22 20:05 wombelix

Thanks for that suggestion.

I reimported the certificate and key from a RHEL 7 VM that had a cert and key under /etc/pki/entitlement (they had long strings of characters as their names). These were named differently from the ones I previously imported and were dated later.

I'm now getting the following error:

2022/05/18 09:06:27 +11:00 Command: ['/usr/bin/spacewalk-repo-sync', '--channel', 'rhel7_x86_64', '--type', 'yum', '--non-interactive']
2022/05/18 09:06:27 +11:00 Sync of channel started.
2022/05/18 09:06:28 +11:00 RepoMDError: Cannot access repository. Repository 'rhel7_x86_64' is invalid.
[rhel7_x86_64|https://cdn.redhat.com/content/dist/rhel/rhui/server/7//x86_64/os] Valid metadata not found at specified URL
History:

  • [|] Error trying to read from 'https://cdn.redhat.com/content/dist/rhel/rhui/server/7//x86_64/os'
  • Download (curl) error for 'https://cdn.redhat.com/content/dist/rhel/rhui/server/7/x86_64/os/content': Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain

Please check if the URIs defined for this repository are pointing to a valid repository. Skipping repository 'rhel7_x86_64' because of the above error. Could not refresh the repositories because of errors.

Where am I going wrong?

Thanks

Michael Lightfoot Delivery Engineer Sliced Tech

oldphart1 avatar May 17 '22 23:05 oldphart1

Error message: SSL certificate problem: self signed certificate in certificate chain

Sounds like you may have missed importing the Red Hat CA Certificate? In the end you need three entries in Uyuni under GPG Public Keys and SSL Certificates, and all of them linked to your Custom Repository:

  • Entitlement Certificate
  • Entitlement Private Key
  • Red Hat CA Certificate

Example from one of my systems (screenshots: uyuni_rhel_entitlement_example_screen1, uyuni_rhel_entitlement_example_screen2)

https://www.uyuni-project.org/uyuni-docs/en/uyuni/client-configuration/clients-rh-cdn.html
https://www.uyuni-project.org/uyuni-docs/en/uyuni/client-configuration/clients-rh-rhui.html

wombelix avatar May 18 '22 13:05 wombelix

@wombelix I have been facing the same problem since the 2022.05 release until now. This is no longer happening for the RHEL repository, as they strictly require the SSL client key & cert along with the CA, and it works. But for all open source repositories from https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable:/ nothing works. It always throws the Curl SSL 60 error.

spacewalk:~ # spacewalk-repo-sync --channel oraclelinux7-uyuni-client-x86_64 --type yum --latest
23:27:53 ======================================
23:27:53 | Channel: oraclelinux7-uyuni-client-x86_64
23:27:53 ======================================
23:27:53 Sync of channel started.
Retrieving repository 'oraclelinux7-uyuni-client-x86_64' metadata .........................................................[error]
23:27:55 RepoMDError: Cannot access repository. Repository 'oraclelinux7-uyuni-client-x86_64' is invalid.
[oraclelinux7-uyuni-client-x86_64|https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable:/CentOS7-Uyuni-Client-Tools/CentOS_7/?proxy=http%3A//185.46.212.88%3A443] Valid metadata not found at specified URL
History:

  • Download (curl) error for 'https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable:/CentOS7-Uyuni-Client-Tools/CentOS_7/repodata/0377822d1e00a59bfdbe7a5fa7ba15223496e392f2432cc35d5432903b5a47aa-primary.xml.gz?proxy=http%3A//185.46.212.88%3A443': Error code: Curl error 60 Error message: SSL certificate problem: unable to get local issuer certificate
  • Can't provide ./repodata/0377822d1e00a59bfdbe7a5fa7ba15223496e392f2432cc35d5432903b5a47aa-primary.xml.gz

Please check if the URIs defined for this repository are pointing to a valid repository. Skipping repository 'oraclelinux7-uyuni-client-x86_64' because of the above error. Could not refresh the repositories because of errors.

23:27:55 Total time: 0:00:01

saquib-akhtar avatar Aug 19 '22 20:08 saquib-akhtar

  • allocate connect buffer!
  • Establish HTTP proxy tunnel to mirrorcache-eu.opensuse.org:443
  • Proxy replied 200 to CONNECT request
  • CONNECT phase completed!

CONNECT mirrorcache-eu.opensuse.org:443 HTTP/1.1
Host: mirrorcache-eu.opensuse.org:443
User-Agent: urlgrabber/4.1.0
Proxy-Connection: Keep-Alive

  • ALPN, offering h2
  • ALPN, offering http/1.1
  • SSL certificate problem: unable to get local issuer certificate
  • Closing connection 5
< HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.1
<
2022-08-20 00:14:00,883 header ended:
  • Proxy replied 200 to CONNECT request
  • CONNECT phase completed!
  • ALPN, offering h2
  • ALPN, offering http/1.1
00:14:00 ERROR: Download failed: https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable:/CentOS7-Uyuni-Client-Tools/CentOS_7/noarch/spacecmd-4.3.14-2.1.uyuni.noarch.rpm - [Errno 14] HTTPS Error 302 - Found.
00:14:00 24/28 : spacecmd-4.3.14-2.1.uyuni.noarch.rpm (failed)
  • SSL certificate problem: unable to get local issuer certificate
  • Closing connection 5

saquib-akhtar avatar Aug 19 '22 21:08 saquib-akhtar

Did someone manage to resolve that?

zaheerabbas1988 avatar Feb 01 '23 14:02 zaheerabbas1988
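
The two "Curl error 60" messages quoted in this thread are distinct OpenSSL verification results: "self signed certificate in certificate chain" is verify error 19 (a root was presented but is not trusted locally) and "unable to get local issuer certificate" is verify error 20 (no issuer could be found at all). The following is an added example, not part of the original thread or of Uyuni: it reproduces both results offline with `openssl verify` and adds the key/certificate match and expiry checks suggested in the first reply. The CA, certificate and key files and all function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. All certificates below are constructed test material,
# generated locally; nothing here comes from Red Hat or Uyuni.

# Map `openssl verify` output to the two curl error 60 messages in the thread.
classify_chain() {          # usage: classify_chain LEAF [verify options...]
    leaf=$1; shift
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    case $out in
        *"error 19 "*) echo "self-signed-in-chain" ;;   # root present but not trusted
        *"error 20 "*) echo "no-local-issuer" ;;        # issuer not found at all
        *": OK"*)      echo "ok" ;;
        *)             echo "other" ;;
    esac
}

# True when the private key belongs to the certificate (same public key).
key_matches_cert() {        # usage: key_matches_cert CERT KEY
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl pkey -pubout -in "$2")" ]
}

# True when the certificate is still valid N seconds from now (default 0).
cert_valid_for() {          # usage: cert_valid_for CERT [SECONDS]
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null
}

# Build a throwaway CA, a client certificate signed by it, and an unrelated key.
make_fixture() {            # usage: make_fixture DIR
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.pem &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=constructed-client" -keyout client.key -out client.csr &&
      openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -days 30 -out client.pem &&
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_fixture "$WORK"
echo "no CA supplied:        $(classify_chain "$WORK/client.pem")"
echo "CA sent, not trusted:  $(classify_chain "$WORK/client.pem" -untrusted "$WORK/ca.pem")"
echo "CA imported as trust:  $(classify_chain "$WORK/client.pem" -CAfile "$WORK/ca.pem")"
key_matches_cert "$WORK/client.pem" "$WORK/client.key" && echo "key matches cert"
cert_valid_for "$WORK/client.pem" 86400 && echo "cert valid for at least one more day"
```

The same functions can be pointed at real PEM files before they are imported; only the last `classify_chain` form, with the CA supplied as a trust anchor, corresponds to having the CA certificate entry linked to the repository.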