View Issue Details

ID: 0014785
Project: CentOS-7
Category: ca-certificates
View Status: public
Last Update: 2019-05-10 21:12
Status: new
Resolution: open
Product Version: 7.5.1804
Target Version:
Fixed in Version:
Summary: 0014785: Missing Red Hat Certificates
Description: The installation of the subscription-manager package is not installing the `redhat-uep.pem`, which is usually part of the `python-rhsm-certificates`. As a result the docker pull from fails with error message `unable to find certificate /etc/docker/certs.d/`.
Steps To Reproduce: 1. docker pull
Additional Information: I then have to do the following steps to make it work:

$ sudo -i && cd /tmp
$ wget
$ rpm2cpio python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm | cpio -iv --to-stdout ./etc/rhsm/ca/redhat-uep.pem | tee /etc/rhsm/ca/redhat-uep.pem

in order to add the certificates manually and then run the "docker pull".

I was also not able to install python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm as yum install says it's obsoleted by the subscription-manager package.
Tags: No tags attached.




2018-12-14 05:14

reporter   ~0033334

This worked for me:

yum install subscription-manager-rhsm


2019-01-03 08:47

reporter   ~0033500

I think the issue description is somewhat unclear.

The docker RPM installs /etc/docker/certs.d/ which is a symlink to /etc/rhsm/ca/redhat-uep.pem

However, /etc/rhsm/ca/redhat-uep.pem does not exist on the system. According to `yum whatprovides`, /etc/rhsm/ca/redhat-uep.pem is part of the python-rhsm-certificates package.

Trying to install python-rhsm-certificates fails because of the following error message:

> Package python-rhsm-certificates-1.19.10-1.el7_4.x86_64 is obsoleted by subscription-manager-rhsm-certificates-1.21.10-3.el7.centos.x86_64 which is already installed

However, `rpm -ql subscription-manager-rhsm-certificates` shows that _no_ certificates are installed:

# rpm -ql subscription-manager-rhsm-certificates

So I guess the real bug is that subscription-manager-rhsm-certificates does not actually contain any certificates.


2019-01-03 15:04

reporter   ~0033505

I noted a workaround for this issue in a different upstream repo -

The summary is that the spec file for `subscription-manager` is neutering the CA certs as part of the build process. But you can grab the necessary cert from the registry itself and stick it in the right place.

# docker pull
Using default tag: latest
Trying to pull repository ...
open /etc/docker/certs.d/ no such file or directory

# openssl s_client -showcerts -servername -connect </dev/null 2>/dev/null | openssl x509 -text > /etc/rhsm/ca/redhat-uep.pem

# docker pull
Using default tag: latest
Trying to pull repository ...
latest: Pulling from
9a1bea865f79: Pull complete
602125c154e3: Pull complete
4f39a853bed4: Pull complete
20c68cea93f0: Pull complete
Digest: sha256:aa5ddb23af242da108ee0cfe227a96ced06ad398e4c8bb201aa837ca2837e432
Status: Downloaded newer image for


2019-05-10 21:12

administrator   ~0034443

confirmed: subscription-manager-rhsm-certificates which supersedes python-rhsm-certificates is missing the /etc/rhsm/ca/redhat-uep.pem file

/etc/docker/certs.d/ provided by docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64 is also pointing to this missing file.
]$ rpm -qlv docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64|grep redhat
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/ -> /etc/rhsm/ca/redhat-uep.pem
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/ -> /etc/rhsm/ca/redhat-uep.pem
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/ -> /etc/rhsm/ca/redhat-uep.pem
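
A check for the failure mode confirmed in this thread (a CA link under /etc/docker/certs.d/ whose target file was never installed), as an added example that is not part of the original issue or of any CentOS or Docker tooling. The function names, the assumption that CA files are named `*.crt` one directory below the root, and the sample tree are constructed for illustration; the check covers presence and PEM shape only, not whether the certificate is the right one.

```shell
#!/bin/sh
# Added example: audit a Docker certs.d tree for dangling or empty CA links.
# Prints one line per CA entry: STATUS<TAB>entry<TAB>target
#   DANGLING  symlink whose target does not exist (the case in this issue)
#   NOT_PEM   target exists but holds no PEM certificate block
#   OK        target exists and holds a PEM certificate block
# Returns 0 only if every entry is OK.
# Usage: audit_certs_d /etc/docker/certs.d
audit_certs_d() {
    root=${1:-/etc/docker/certs.d}
    bad=0
    # Assumption: one directory per registry, CA files named *.crt.
    for entry in "$root"/*/*.crt; do
        # An unmatched glob stays literal; keep dangling links, skip the rest.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        target=$entry
        [ -L "$entry" ] && target=$(readlink "$entry")
        if [ ! -e "$entry" ]; then
            status=DANGLING; bad=1
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$entry"; then
            status=NOT_PEM; bad=1
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$entry" "$target"
    done
    return $bad
}

# Constructed sample tree (hypothetical registry names, placeholder PEM body):
# one dangling link, one PEM-shaped file, one empty file. Prints the temp path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/registry-a.example" "$d/registry-b.example" "$d/registry-c.example"
    ln -s "$d/missing/redhat-uep.pem" "$d/registry-a.example/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$d/registry-b.example/ca.crt"
    : > "$d/registry-c.example/ca.crt"
    printf '%s\n' "$d"
}
```

Run as root against the real directory after applying any of the workarounds above; `rpm -qf` on a DANGLING target path shows which package was expected to ship it.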

Issue History

Date Modified Username Field Change
2018-05-14 02:21 kameshsampath New Issue
2018-12-14 05:14 joseph.attard Note Added: 0033334
2019-01-03 08:47 mhutter Note Added: 0033500
2019-01-03 15:04 miabbott Note Added: 0033505
2019-05-10 21:12 tru Note Added: 0034443