View Issue Details

ID: 0014785
Project: CentOS-7
Category: ca-certificates
View Status: public
Last Update: 2019-05-10 21:12
Reporter: kameshsampath
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.5.1804
Summary: 0014785: Missing Red Hat Certificates
Description: The installation of the subscription-manager package is not installing `redhat-uep.pem`, which is usually part of `python-rhsm-certificates`. As a result, the docker pull from registry.redhat.com fails with the error message `unable to find certificate /etc/docker/certs.d/registry.redhat.com/redhat-ca.crt`.

Steps To Reproduce:
1. docker pull registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift

Additional Information: I then have to do the following steps to make it work,

```
$ sudo -i
$ cd /tmp
$ wget http://mirror.centos.org/centos/7/os/x86_64/Packages/python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm
$ rpm2cpio python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm | cpio -iv --to-stdout ./etc/rhsm/ca/redhat-uep.pem | tee /etc/rhsm/ca/redhat-uep.pem
```

in order to add the certificates manually, and then run "docker pull registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift".

I was also not able to install python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm, as yum install says it is obsoleted by the subscription-manager package.

Activities

joseph.attard

2018-12-14 05:14

reporter   ~0033334

This worked for me:

yum install subscription-manager-rhsm

https://centos.pkgs.org/7/centos-x86_64/subscription-manager-rhsm-1.21.10-2.el7.centos.x86_64.rpm.html

mhutter

2019-01-03 08:47

reporter   ~0033500

I think the issue description is somewhat unclear.

The docker RPM installs /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt which is a symlink to /etc/rhsm/ca/redhat-uep.pem

However, /etc/rhsm/ca/redhat-uep.pem does not exist on the system. According to `yum whatprovides`, /etc/rhsm/ca/redhat-uep.pem is part of the python-rhsm-certificates package.


Trying to install python-rhsm-certificates fails because of the following error message:

> Package python-rhsm-certificates-1.19.10-1.el7_4.x86_64 is obsoleted by subscription-manager-rhsm-certificates-1.21.10-3.el7.centos.x86_64 which is already installed

However, `rpm -ql subscription-manager-rhsm-certificates` shows that _no_ certificates are installed:

```
# rpm -ql subscription-manager-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca
```

So I guess the real bug is that subscription-manager-rhsm-certificates does not actually contain any certificates.

miabbott

2019-01-03 15:04

reporter   ~0033505

I noted a workaround for this issue in a different upstream repo: https://github.com/CentOS/sig-atomic-buildscripts/issues/329#issuecomment-440695888

The summary is that the spec file for `subscription-manager` is neutering the CA certs as part of the build process. But you can grab the necessary cert from the registry itself and stick it in the right place.

```
# docker pull registry.access.redhat.com/rhel7/openscap
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/openscap ...
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory

# openssl s_client -showcerts -servername registry.access.redhat.com -connect registry.access.redhat.com:443 </dev/null 2>/dev/null | openssl x509 -text > /etc/rhsm/ca/redhat-uep.pem

# docker pull registry.access.redhat.com/rhel7/openscap
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/openscap ...
latest: Pulling from registry.access.redhat.com/rhel7/openscap
9a1bea865f79: Pull complete
602125c154e3: Pull complete
4f39a853bed4: Pull complete
20c68cea93f0: Pull complete
Digest: sha256:aa5ddb23af242da108ee0cfe227a96ced06ad398e4c8bb201aa837ca2837e432
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
```
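
An added example, not part of the note above or of any CentOS package: the `openssl s_client` step saves whatever certificate the server presents on that connection, so the file can be pinned to a SHA-256 fingerprint obtained separately before it is installed as a trust anchor. The function names `pem_sha256` and `install_pinned_ca` are hypothetical, and the availability of a separately obtained fingerprint (for example from a verified copy of `redhat-uep.pem`) is an assumption.

```shell
#!/usr/bin/env bash
# Added example: pin a fetched CA file to a fingerprint obtained out of band.

# Print the SHA-256 (hex) of the DER bytes of the first certificate in a PEM
# file. Text before the PEM block, as written by `openssl x509 -text`, is
# skipped. Fails if the file holds no certificate block.
pem_sha256() {
    local body
    body=$(awk '/^-----BEGIN CERTIFICATE-----/ {inside = 1; next}
                /^-----END CERTIFICATE-----/   {exit}
                inside' "$1")
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# install_pinned_ca SRC DEST EXPECTED_SHA256
# Copies SRC to DEST only when its fingerprint equals EXPECTED_SHA256
# (hex; colons and letter case are ignored). On any mismatch it returns 1
# and leaves DEST untouched.
install_pinned_ca() {
    local src="$1" dest="$2" want got
    want=$(printf '%s' "$3" | tr -d ':' | tr 'A-F' 'a-f')
    got=$(pem_sha256 "$src") || { echo "no certificate in $src" >&2; return 1; }
    if [ -z "$want" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $src: got $got" >&2
        return 1
    fi
    install -m 0644 "$src" "$dest"
}
```

The value printed by `pem_sha256` is the same digest that `openssl x509 -noout -fingerprint -sha256` reports, without the colons and in lower case.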

tru

2019-05-10 21:12

administrator   ~0034443

confirmed: subscription-manager-rhsm-certificates which supersedes python-rhsm-certificates is missing the /etc/rhsm/ca/redhat-uep.pem file


/etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt provided by docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64 is also pointing to this missing file.
```
$ rpm -qlv docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64|grep redhat
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/redhat.com
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/redhat.io
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/redhat.io/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/registry.access.redhat.com
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
```
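
An added diagnostic, not part of the thread or of any CentOS package: it walks a `certs.d` tree and reports each registry CA file as ok, dangling, empty or not-pem, which covers the broken-symlink condition confirmed above. The function name `check_registry_ca_links` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit the per-registry CA files that docker reads.

# check_registry_ca_links [CERTS_DIR]
# For every *.crt one level below CERTS_DIR (default /etc/docker/certs.d)
# print one line:  STATUS<TAB>PATH<TAB>LINK_TARGET
#   ok        file exists and contains a PEM certificate block
#   dangling  symlink whose target does not exist
#   empty     file exists but has no content
#   not-pem   file has content but no PEM certificate block
# LINK_TARGET is "-" for regular files. Returns 1 if any entry is not ok.
check_registry_ca_links() {
    local dir="${1:-/etc/docker/certs.d}" rc=0 crt target status
    for crt in "$dir"/*/*.crt; do
        # Skip the literal pattern when the glob matched nothing.
        [ -e "$crt" ] || [ -L "$crt" ] || continue
        if [ -L "$crt" ]; then target=$(readlink "$crt"); else target=-; fi
        if [ ! -e "$crt" ]; then
            status=dangling
        elif [ ! -s "$crt" ]; then
            status=empty
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$crt"; then
            status=not-pem
        else
            status=ok
        fi
        [ "$status" = ok ] || rc=1
        printf '%s\t%s\t%s\n' "$status" "$crt" "$target"
    done
    return "$rc"
}
```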

Issue History

Date Modified Username Field Change
2018-05-14 02:21 kameshsampath New Issue
2018-12-14 05:14 joseph.attard Note Added: 0033334
2019-01-03 08:47 mhutter Note Added: 0033500
2019-01-03 15:04 miabbott Note Added: 0033505
2019-05-10 21:12 tru Note Added: 0034443