<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-US" link="blue" vlink="purple"> <div class="WordSection1"> <p class="MsoNormal">It’s 100% the rhsmcertd process that’s doing it. From the man page:<o:p></o:p></p> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal"> rhsmcertd - Periodically scans and updates the entitlement certificates on a registered system.<o:p></o:p></p> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">What I’m unclear on is why the certs get changed by Red Hat so often when our entitlements certainly haven’t. And more importantly, what, if anything, we can do to integrate that process more closely with Pulp.<o:p></o:p></p> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">And to be clear, I’m not trying to call this out as a Pulp project problem or issue, just wondering if others who use the project have insights or solutions they’re willing to share.<o:p></o:p></p> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">Cheers,<span style="color:black"><o:p></o:p></span></p> <p class="MsoNormal"><b><span style="color:black">Mike Myers</span></b><span style="color:black"><o:p></o:p></span></p> <p class="MsoNormal"><span style="color:#7F7F7F"><o:p> </o:p></span></p> <p class="MsoNormal"><o:p> </o:p></p> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Brian Bouterse <bmbouter@redhat.com><br> <b>Date: </b>Thursday, May 28, 2020 at 8:52 AM<br> <b>To: </b>Gravel Bone <gravelbone@gmail.com><br> <b>Cc: </b>Mike Myers <Mike.Myers@nike.com>, "pulp-list@redhat.com" <pulp-list@redhat.com><br> <b>Subject: </b>Re: [Pulp-list] <External> Syncing Red hat Repos entitlement issue<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">One idea to track down which process is editing those certs/files would be to use auditd or systemtap <a href="https://urldefense.com/v3/__https:/unix.stackexchange.com/a/99091__;!!KLCbKzk!3-4lUfRz-2wFNgovtknDNZUEiyn20AZ72aaznXiV_QGBFFfkIRrb454_Sjx08Ns$"> https://unix.stackexchange.com/a/99091</a> Just a thought I wanted to share.<o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <div> <p class="MsoNormal">On Thu, May 28, 2020 at 9:18 AM Gravel Bone <<a href="mailto:gravelbone@gmail.com">gravelbone@gmail.com</a>> wrote:<o:p></o:p></p> </div> <blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"> <div> <p class="MsoNormal">In this case the entitlement certs themselves aren't expired from a date perspective, they just no longer work connecting to Red Hat. It's more like they've been revoked because the server they are on got new entitlement certs which is happening automatically, I just have not figured out how to prevent that. I've tried turning of rhsmcertd, disabled subscription management, and combinations in between.<o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <div> <p class="MsoNormal">On Wed, May 27, 2020 at 2:23 PM Brian Bouterse <<a href="mailto:bmbouter@redhat.com" target="_blank">bmbouter@redhat.com</a>> wrote:<o:p></o:p></p> </div> <blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"> <div> <div> <p class="MsoNormal">If the certs are short-lived, then there isn't much to do except ask the issuer to give you longer ones. You could inspect the certs more closely I believe using the `rct cat-crt` command. Pulp-certguard has some docs showing an example with that tool <a href="https://urldefense.com/v3/__https:/pulp-certguard.readthedocs.io/en/latest/debugging.html*checking-authorized-urls-in-rhsm-certificates__;Iw!!KLCbKzk!3-4lUfRz-2wFNgovtknDNZUEiyn20AZ72aaznXiV_QGBFFfkIRrb454_MFyqH7A$" target="_blank"> https://pulp-certguard.readthedocs.io/en/latest/debugging.html#checking-authorized-urls-in-rhsm-certificates</a><o:p></o:p></p> </div> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <div> <p class="MsoNormal">On Wed, May 27, 2020 at 11:20 AM Myers, Mike <<a href="mailto:Mike.Myers@nike.com" target="_blank">Mike.Myers@nike.com</a>> wrote:<o:p></o:p></p> </div> <blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"> <div> <div> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We’ve faced that too. I’ve love some deeper insight, but what I’ve found so far is that “rhsmcertd” process does some sort of check/update on those certs. We’ve just set a process to pull those from /etc/pki/entitlement into Pulp when such a failure occurs. It would be nice if there were a Pulp native way to address this (short of running the whole Satellite suite)<o:p></o:p></p> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> <div> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Cheers,<o:p></o:p></p> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black">Mike Myers</span></b><o:p></o:p></p> </div> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> <div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:currentcolor currentcolor"> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black"><<a href="mailto:pulp-list-bounces@redhat.com" target="_blank">pulp-list-bounces@redhat.com</a>> on behalf of Gravel Bone <<a href="mailto:gravelbone@gmail.com" target="_blank">gravelbone@gmail.com</a>><br> <b>Date: </b>Wednesday, May 27, 2020 at 5:48 AM<br> <b>To: </b>"<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>" <<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>><br> <b>Subject: </b><External>[Pulp-list] Syncing Red hat Repos entitlement issue</span><o:p></o:p></p> </div> <div> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> </div> <div> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This is probably something straight forward, but my searches have found nothing...<o:p></o:p></p> <div> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> </div> <div> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I pull an entitlement files from our server (well three for three different subscriptions) and create repos using them to sync the corresponding Red Hat repository. The problem is, the entitlements seem to expire about every month. I'm sure it's something I'm missing that stupid obvious, but google has not been my friend nor has the documentation...help would be appreciated...<o:p></o:p></p> </div> </div> </div> </div> <p class="MsoNormal">_______________________________________________<br> Pulp-list mailing list<br> <a href="mailto:Pulp-list@redhat.com" target="_blank">Pulp-list@redhat.com</a><br> <a href="https://urldefense.com/v3/__https:/www.redhat.com/mailman/listinfo/pulp-list__;!!KLCbKzk!3-4lUfRz-2wFNgovtknDNZUEiyn20AZ72aaznXiV_QGBFFfkIRrb454_ppGV4nQ$" target="_blank">https://www.redhat.com/mailman/listinfo/pulp-list</a><o:p></o:p></p> </blockquote> </div> </blockquote> </div> </blockquote> </div> </div> </body> </html>