<div dir="ltr">Right, but rhsmcertd wasn't running...I'm now trying to turn off Auto-Attach and see if that might help.<div><br></div><div>Bob</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 1, 2020 at 10:59 AM Bryan Kearney <<a href="mailto:bkearney@redhat.com">bkearney@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">rhsmcertd is not doing the invalidation, it is pulling down the most up2date<br>
certificate. Any process you have would need to simulate that.<br>
<br>
-- bk<br>
<br>
On 5/28/20 4:18 PM, Gravel Bone wrote:<br>
> Also, I shut the service down and ensured it wasn't running and while the entitlement<br>
> file in /etc/pki/entitlement didn't change the syncs still failed with the<br>
> issue...so while yes, rhsmcertd can be the culprit, there's something else on Red<br>
> Hat side maybe?<br>
> <br>
> On Thu, May 28, 2020 at 12:24 PM Myers, Mike <<a href="mailto:Mike.Myers@nike.com" target="_blank">Mike.Myers@nike.com</a>> wrote:<br>
> <br>
>     It’s 100% the rhsmcertd process that’s doing it.  From the man page:<br>
> <br>
>            rhsmcertd - Periodically scans and updates the entitlement certificates on<br>
>     a registered system.<br>
> <br>
>     What I’m unclear on is why the certs get changed by Red Hat so often when our<br>
>     entitlements certainly haven’t.  And more importantly, what, if anything, we can<br>
>     do to integrate that process more closely with Pulp.<br>
> <br>
>     And to be clear, I’m not trying to call this out as a Pulp project problem or<br>
>     issue, just wondering if others who use the project have insights or solutions<br>
>     they’re willing to share.<br>
> <br>
>     Cheers,<br>
> <br>
>     *Mike Myers*<br>
> <br>
>     *From: *Brian Bouterse <<a href="mailto:bmbouter@redhat.com" target="_blank">bmbouter@redhat.com</a>><br>
>     *Date: *Thursday, May 28, 2020 at 8:52 AM<br>
>     *To: *Gravel Bone <<a href="mailto:gravelbone@gmail.com" target="_blank">gravelbone@gmail.com</a>><br>
>     *Cc: *Mike Myers <<a href="mailto:Mike.Myers@nike.com" target="_blank">Mike.Myers@nike.com</a>>,<br>
>     "<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>" <<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>><br>
>     *Subject: *Re: [Pulp-list] <External> Syncing Red hat Repos entitlement issue<br>
> <br>
>     One idea to track down which process is editing those certs/files would be to use<br>
>     auditd or systemtap <a href="https://unix.stackexchange.com/a/99091" rel="noreferrer" target="_blank">https://unix.stackexchange.com/a/99091</a><br>
>     Just a thought I wanted to share.<br>
> <br>
>     On Thu, May 28, 2020 at 9:18 AM Gravel Bone <<a href="mailto:gravelbone@gmail.com" target="_blank">gravelbone@gmail.com</a>> wrote:<br>
> <br>
>         In this case the entitlement certs themselves aren't expired from a date<br>
>         perspective, they just no longer work connecting to Red Hat.    It's more<br>
>         like they've been revoked because the server they are on got new entitlement<br>
>         certs which is happening automatically, I just have not figured out how to<br>
>         prevent that.   I've tried turning off rhsmcertd, disabled subscription<br>
>         management, and combinations in between.<br>
> <br>
>         On Wed, May 27, 2020 at 2:23 PM Brian Bouterse <<a href="mailto:bmbouter@redhat.com" target="_blank">bmbouter@redhat.com</a>> wrote:<br>
> <br>
>             If the certs are short-lived, then there isn't much to do except ask the<br>
>             issuer to give you longer ones. You could inspect the certs more closely<br>
>             I believe using the `rct cat-crt` command. Pulp-certguard has some docs<br>
>             showing an example with that tool<br>
>             <a href="https://pulp-certguard.readthedocs.io/en/latest/debugging.html#checking-authorized-urls-in-rhsm-certificates" rel="noreferrer" target="_blank">https://pulp-certguard.readthedocs.io/en/latest/debugging.html#checking-authorized-urls-in-rhsm-certificates</a><br>
> <br>
>             On Wed, May 27, 2020 at 11:20 AM Myers, Mike <<a href="mailto:Mike.Myers@nike.com" target="_blank">Mike.Myers@nike.com</a>> wrote:<br>
> <br>
>                 We’ve faced that too.  I’d love some deeper insight, but what I’ve<br>
>                 found so far is that “rhsmcertd” process does some sort of<br>
>                 check/update on those certs.  We’ve just set a process to pull those<br>
>                 from /etc/pki/entitlement into Pulp when such a failure occurs.  It<br>
>                 would be nice if there were a Pulp native way to address this (short<br>
>                 of running the whole Satellite suite)<br>
> <br>
>                 Cheers,<br>
> <br>
>                 *Mike Myers*<br>
> <br>
>                 *From: *<<a href="mailto:pulp-list-bounces@redhat.com" target="_blank">pulp-list-bounces@redhat.com</a>> on behalf of Gravel Bone<br>
>                 <<a href="mailto:gravelbone@gmail.com" target="_blank">gravelbone@gmail.com</a>><br>
>                 *Date: *Wednesday, May 27, 2020 at 5:48 AM<br>
>                 *To: *"<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>"<br>
>                 <<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>><br>
>                 *Subject: *<External>[Pulp-list] Syncing Red hat Repos entitlement<br>
>                 issue<br>
> <br>
>                 This is probably something straightforward, but my searches have<br>
>                 found nothing...<br>
> <br>
>                 I pull entitlement files from our server (well three for three<br>
>                 different subscriptions) and create repos using them to sync the<br>
>                 corresponding Red Hat repository.    The problem is, the entitlements<br>
>                 seem to expire about every month.   I'm sure it's something I'm<br>
>                 missing that's stupid obvious, but Google has not been my friend nor<br>
>                 has the documentation...help would be appreciated...<br>
> <br>
>                 _______________________________________________<br>
>                 Pulp-list mailing list<br>
>                 <a href="mailto:Pulp-list@redhat.com" target="_blank">Pulp-list@redhat.com</a><br>
>                 <a href="https://www.redhat.com/mailman/listinfo/pulp-list" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pulp-list</a><br>
> <br>
> <br>
> <br>
<br>
<br>
</blockquote></div>
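<div>The auditd suggestion quoted above, worked through as an added example that is not part of the thread or of Pulp: once a watch on /etc/pki/entitlement is in place, the SYSCALL and PATH records of each audit event can be joined on the event serial to list which executable created or deleted which certificate file. The key name <code>entitlement-certs</code>, the function names and the sample records are assumptions made for this example; the records are constructed and trimmed to the fields the parser reads.</div>

```bash
#!/usr/bin/env bash
# Added example, not from the thread. On the host, the watch would be set with
#   auditctl -w /etc/pki/entitlement -p wa -k entitlement-certs
# and its records read back with
#   ausearch -k entitlement-certs
# "entitlement-certs" is an arbitrary key name chosen for this example.

# Constructed records, trimmed to the fields the parser reads (not real output).
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1590696000.101:812): syscall=257 success=yes pid=2214 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" key="entitlement-certs"
type=PATH msg=audit(1590696000.101:812): item=0 name="/etc/pki/entitlement/" nametype=PARENT
type=PATH msg=audit(1590696000.101:812): item=1 name="/etc/pki/entitlement/1111.pem" nametype=CREATE
type=SYSCALL msg=audit(1590696000.207:813): syscall=87 success=yes pid=2214 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" key="entitlement-certs"
type=PATH msg=audit(1590696000.207:813): item=0 name="/etc/pki/entitlement/" nametype=PARENT
type=PATH msg=audit(1590696000.207:813): item=1 name="/etc/pki/entitlement/0000.pem" nametype=DELETE
type=SYSCALL msg=audit(1590699600.450:901): syscall=257 success=yes pid=3190 comm="cp" exe="/usr/bin/cp" key="other-watch"
type=PATH msg=audit(1590699600.450:901): item=1 name="/tmp/scratch.pem" nametype=CREATE
EOF
}

# Print "EXE NAMETYPE PATH" for every create/delete in events tagged with key $1.
summarize_cert_writers() {
  awk -v key="$1" '
    # Value of name=value or name="value" on the current record, quotes removed.
    function field(name,   v) {
      if (!match($0, " " name "=(\"[^\"]*\"|[^ ]*)")) return ""
      v = substr($0, RSTART, RLENGTH)
      sub("^ " name "=", "", v); gsub(/"/, "", v)
      return v
    }
    # Records of one event share the serial after the colon in msg=audit(TIME:ID).
    !match($0, /audit\([0-9.]+:[0-9]+\)/) { next }
    { id = substr($0, RSTART, RLENGTH); sub(/^.*:/, "", id); sub(/\)$/, "", id) }
    /^type=SYSCALL/ { if (field("key") == key) exe[id] = field("exe") }
    /^type=PATH/ {
      nt = field("nametype")
      if (nt == "CREATE" || nt == "DELETE") paths[id] = paths[id] nt " " field("name") "\n"
    }
    END {
      for (id in paths) if (id in exe) {
        n = split(paths[id], p, "\n")
        for (i = 1; i < n; i++) print exe[id], p[i]
      }
    }
  ' | sort
}

sample_audit_log | summarize_cert_writers entitlement-certs
```

<div>On a live host the same function can read the raw records instead of the sample, for example from <code>ausearch -k entitlement-certs --raw</code>.</div>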