<div dir="ltr">That didn't work either:<div><br></div><div>* rhsmcertd is not running, disabled<br>* rhnsd is running<br>* rhsmd is running</div><div>* Server is configured with auto-attach off in Red Hat Portal</div><div><br></div><div>The key worked for a couple of days, and then getting the "Error retrieving metadata: Forbidden" error again. Unless there is another issue and updating the entitlement just happens to clear that issue, I've been presuming it was an entitlement issue.<br><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 2, 2020 at 2:44 PM Gravel Bone <<a href="mailto:gravelbone@gmail.com">gravelbone@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Right, but rhsmcertd wasn't running...I'm now trying to turn off Auto-Attach and see if that might help.<div><br></div><div>Bob</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 1, 2020 at 10:59 AM Bryan Kearney <<a href="mailto:bkearney@redhat.com" target="_blank">bkearney@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">rhsmcertd is not doing the invalidation, it is pulling down the most up2date<br>
certificate. Any process you have would need to simulate that.<br>
<br>
-- bk<br>
<br>
On 5/28/20 4:18 PM, Gravel Bone wrote:<br>
> Also, I shut the service down and ensured it wasn't running and while the entitlement<br>
> file in /etc/pki/entitlements didn't change the syncs still failed with the<br>
> issue...so while yes, rhsmcertd can be the culprit, there's something else on the Red<br>
> Hat side maybe?<br>
> <br>
> On Thu, May 28, 2020 at 12:24 PM Myers, Mike <<a href="mailto:Mike.Myers@nike.com" target="_blank">Mike.Myers@nike.com</a>> wrote:<br>
> <br>
> It’s 100% the rhsmcertd process that’s doing it. From the man page:<br>
> <br>
> rhsmcertd - Periodically scans and updates the entitlement certificates on<br>
> a registered system.<br>
> <br>
> What I’m unclear on is why the certs get changed by Red Hat so often when our<br>
> entitlements certainly haven’t. And more importantly, what, if anything, we can<br>
> do to integrate that process more closely with Pulp.<br>
> <br>
> And to be clear, I’m not trying to call this out as a Pulp project problem or<br>
> issue, just wondering if others who use the project have insights or solutions<br>
> they’re willing to share.<br>
> <br>
> Cheers,<br>
> <br>
> *Mike Myers*<br>
> <br>
> *From: *Brian Bouterse <<a href="mailto:bmbouter@redhat.com" target="_blank">bmbouter@redhat.com</a>><br>
> *Date: *Thursday, May 28, 2020 at 8:52 AM<br>
> *To: *Gravel Bone <<a href="mailto:gravelbone@gmail.com" target="_blank">gravelbone@gmail.com</a>><br>
> *Cc: *Mike Myers <<a href="mailto:Mike.Myers@nike.com" target="_blank">Mike.Myers@nike.com</a>>, "<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>" <<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>><br>
> *Subject: *Re: [Pulp-list] <External> Syncing Red hat Repos entitlement issue<br>
> <br>
> One idea to track down which process is editing those certs/files would be to use<br>
> auditd or systemtap <a href="https://unix.stackexchange.com/a/99091" rel="noreferrer" target="_blank">https://unix.stackexchange.com/a/99091</a><br>
> Just a thought I wanted to share.<br>
> <br>
> On Thu, May 28, 2020 at 9:18 AM Gravel Bone <<a href="mailto:gravelbone@gmail.com" target="_blank">gravelbone@gmail.com</a>> wrote:<br>
> <br>
> In this case the entitlement certs themselves aren't expired from a date<br>
> perspective, they just no longer work connecting to Red Hat. It's more<br>
> like they've been revoked because the server they are on got new entitlement<br>
> certs which is happening automatically, I just have not figured out how to<br>
> prevent that. I've tried turning off rhsmcertd, disabled subscription<br>
> management, and combinations in between.<br>
> <br>
> On Wed, May 27, 2020 at 2:23 PM Brian Bouterse <<a href="mailto:bmbouter@redhat.com" target="_blank">bmbouter@redhat.com</a>> wrote:<br>
> <br>
> If the certs are short-lived, then there isn't much to do except ask the<br>
> issuer to give you longer ones. You could inspect the certs more closely<br>
> I believe using the `rct cat-cert` command. Pulp-certguard has some docs<br>
> showing an example with that tool<br>
> <a href="https://pulp-certguard.readthedocs.io/en/latest/debugging.html#checking-authorized-urls-in-rhsm-certificates" rel="noreferrer" target="_blank">https://pulp-certguard.readthedocs.io/en/latest/debugging.html#checking-authorized-urls-in-rhsm-certificates</a><br>
> <br>
> On Wed, May 27, 2020 at 11:20 AM Myers, Mike <<a href="mailto:Mike.Myers@nike.com" target="_blank">Mike.Myers@nike.com</a>> wrote:<br>
> <br>
> We’ve faced that too. I’d love some deeper insight, but what I’ve<br>
> found so far is that the “rhsmcertd” process does some sort of<br>
> check/update on those certs. We’ve just set a process to pull those<br>
> from /etc/pki/entitlement into Pulp when such a failure occurs. It<br>
> would be nice if there were a Pulp native way to address this (short<br>
> of running the whole Satellite suite)<br>
> <br>
> Cheers,<br>
> <br>
> *Mike Myers*<br>
> <br>
> *From: *<<a href="mailto:pulp-list-bounces@redhat.com" target="_blank">pulp-list-bounces@redhat.com</a>> on behalf of Gravel Bone <<a href="mailto:gravelbone@gmail.com" target="_blank">gravelbone@gmail.com</a>><br>
> *Date: *Wednesday, May 27, 2020 at 5:48 AM<br>
> *To: *"<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>" <<a href="mailto:pulp-list@redhat.com" target="_blank">pulp-list@redhat.com</a>><br>
> *Subject: *<External>[Pulp-list] Syncing Red hat Repos entitlement issue<br>
> <br>
> This is probably something straightforward, but my searches have<br>
> found nothing...<br>
> <br>
> I pull entitlement files from our server (well, three for three<br>
> different subscriptions) and create repos using them to sync the<br>
> corresponding Red Hat repository. The problem is, the entitlements<br>
> seem to expire about every month. I'm sure it's something I'm<br>
> missing that's stupid obvious, but Google has not been my friend nor<br>
> has the documentation...help would be appreciated...<br>
> <br>
> _______________________________________________<br>
> Pulp-list mailing list<br>
> <a href="mailto:Pulp-list@redhat.com" target="_blank">Pulp-list@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/pulp-list" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pulp-list</a><br>
> <br>
<br>
<br>
</blockquote></div>
</blockquote></div>
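The auditd suggestion made in the thread, as an added example that is not part of any poster's message: assuming a watch rule on /etc/pki/entitlement tagged with the key `entitlement-watch` (a name chosen for this example), this Python script groups raw audit records by event and reports which executable created or deleted entitlement files. The sample records and their process names are constructed.

```python
import re
from collections import defaultdict

# Assumed watch rule, loaded beforehand (the key name is this example's choice):
#   auditctl -w /etc/pki/entitlement -p wa -k entitlement-watch
WATCH_KEY = "entitlement-watch"
WATCH_DIR = "/etc/pki/entitlement/"

# Constructed records in raw audit.log layout; not captured from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1590696000.101:812): arch=c000003e syscall=257 success=yes exit=5 pid=2210 uid=0 comm="rhsmcertd" exe="/usr/bin/rhsmcertd" key="entitlement-watch"
type=PATH msg=audit(1590696000.101:812): item=0 name="/etc/pki/entitlement/" inode=101 nametype=PARENT
type=PATH msg=audit(1590696000.101:812): item=1 name="/etc/pki/entitlement/1111111111.pem" inode=202 nametype=CREATE
type=SYSCALL msg=audit(1590696000.350:813): arch=c000003e syscall=87 success=yes exit=0 pid=2210 uid=0 comm="rhsmcertd" exe="/usr/bin/rhsmcertd" key="entitlement-watch"
type=PATH msg=audit(1590696000.350:813): item=1 name="/etc/pki/entitlement/0000000000.pem" inode=198 nametype=DELETE
type=SYSCALL msg=audit(1590699999.000:900): arch=c000003e syscall=59 success=yes exit=0 pid=3001 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="logins"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group raw audit records by their (timestamp, serial) event id."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[(float(m.group(1)), int(m.group(2)))].append(fields)
    return events

def entitlement_writers(log_text, key=WATCH_KEY, watch_dir=WATCH_DIR):
    """Return (timestamp, exe, comm, nametype, path) per change under watch_dir."""
    hits = []
    for (ts, _), records in sorted(parse_events(log_text).items()):
        # The SYSCALL record carries the process identity and the rule key.
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        for r in records:
            name = r.get("name", "")
            if r.get("type") == "PATH" and name.startswith(watch_dir) and name != watch_dir:
                hits.append((ts, syscall.get("exe"), syscall.get("comm"), r.get("nametype"), name))
    return hits

if __name__ == "__main__":
    for hit in entitlement_writers(SAMPLE_LOG):
        print(*hit)
```

On a real host the input would be the audit log itself, filtered to records carrying the watch key; the timestamps of the reported changes can then be lined up against the first sync that returned "Forbidden".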