 |
This worked for me: yum install subscription-manager-rhsm https://centos.pkgs.org/7/centos-x86_64/subscription-manager-rhsm-1.21.10-2.el7.centos.x86_64.rpm.html |
|
|
I think the issue description is somewhat unclear. The docker RPM installs /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt which is a symlink to /etc/rhsm/ca/redhat-uep.pem However, /etc/rhsm/ca/redhat-uep.pem does not exist on the system. According to `yum whatprovides`, /etc/rhsm/ca/redhat-uep.pem is part of the python-rhsm-certificates package. Trying to install python-rhsm-certificates fails because of the following error message: > Package python-rhsm-certificates-1.19.10-1.el7_4.x86_64 is obsoleted by subscription-manager-rhsm-certificates-1.21.10-3.el7.centos.x86_64 which is already installed However, `rpm -ql subscription-manager-rhsm-certificates` shows that _no_ certificates are installed: # rpm -ql subscription-manager-rhsm-certificates /etc/rhsm /etc/rhsm/ca So I guess the real bug is that subscription-manager-rhsm-certificates does not actually contain any certificates. |
|
|
I noted out a workaround for this issue in a different upstream repo - https://github.com/CentOS/sig-atomic-buildscripts/issues/329#issuecomment-440695888 The summary is that the spec file for `subscription-manager` is neutering the CA certs as part of the build process. But you can grab the necessary cert from the registry itself and stick it in the right place. ``` # docker pull registry.access.redhat.com/rhel7/openscap Using default tag: latest Trying to pull repository registry.access.redhat.com/rhel7/openscap ... open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory # openssl s_client -showcerts -servername registry.access.redhat.com -connect registry.access.redhat.com:443 </dev/null 2>/dev/null | openssl x509 -text > /etc/rhsm/ca/redhat-uep.pem # docker pull registry.access.redhat.com/rhel7/openscap Using default tag: latest Trying to pull repository registry.access.redhat.com/rhel7/openscap ... latest: Pulling from registry.access.redhat.com/rhel7/openscap 9a1bea865f79: Pull complete 602125c154e3: Pull complete 4f39a853bed4: Pull complete 20c68cea93f0: Pull complete Digest: sha256:aa5ddb23af242da108ee0cfe227a96ced06ad398e4c8bb201aa837ca2837e432 Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest ``` |
 |
confirmed: subscription-manager-rhsm-certificates which supersedes python-rhsm-certificates is missing the /etc/rhsm/ca/redhat-uep.pem file /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt provided by docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64 is also pointing to this missing file. ]$ rpm -qlv docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64|grep redhat drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/redhat.com lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/redhat.io lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/redhat.io/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/registry.access.redhat.com lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem |
|
|
This is still present in CentOS 8 stream. I was unable to register a developer subscription for initialising a RHEL mock chroot. `subscription-manager register` always failed with "Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)". The only way I could work around it was to install a RHEL 8 system and copy the following files from it to the CentOS host: /etc/rhsm/ca/redhat-entitlement-authority.pem /etc/rhsm/ca/redhat-uep.pem |
|
|
I've reported this bug for the CentOS 8 project as well: https://bugs.centos.org/view.php?id=17907 |
|
|
I have similar issues in our CI systems https://ci.centos.org/job/SCLo-container-container-common-scripts-test/235/console 13:32:29 make[1]: Leaving directory `/root/sources/tests/failures/check' 13:32:29 ./tests/squash/squash.sh 13:32:29 open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory 13:32:30 |
- Anonymous
