View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0014785 | CentOS-7 | ca-certificates | public | 2018-05-14 02:21 | 2021-06-10 11:48 |
Reporter | kameshsampath | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | confirmed | Resolution | open | ||
Product Version | 7.5.1804 | ||||
Summary | 0014785: Missing Red Hat Certificates | ||||
Description | The installation of the subscription-manager package does not install `redhat-uep.pem`, which is usually part of `python-rhsm-certificates`. As a result the docker pull from registry.redhat.com fails with the error message `unable to find certificate /etc/docker/certs.d/registry.redhat.com/redhat-ca.crt`. | ||||
Steps To Reproduce | 1. docker pull registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift | ||||
Additional Information | I then have to do the following steps to make it work:

```
$ sudo -i && cd /tmp
$ wget http://mirror.centos.org/centos/7/os/x86_64/Packages/python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm
$ rpm2cpio python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm | cpio -iv --to-stdout ./etc/rhsm/ca/redhat-uep.pem | tee /etc/rhsm/ca/redhat-uep.pem
```

in order to add the certificates manually, and then run `docker pull registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift`. I was also not able to install python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm, as `yum install` says it is obsoleted by the subscription-manager package.
Tags | No tags attached. | ||||
abrt_hash | |||||
URL | |||||
related to | 0017907 | new | CentOS-8 | Missing Red Hat Certificates |
This worked for me: `yum install subscription-manager-rhsm` (https://centos.pkgs.org/7/centos-x86_64/subscription-manager-rhsm-1.21.10-2.el7.centos.x86_64.rpm.html)
|
I think the issue description is somewhat unclear. The docker RPM installs /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt, which is a symlink to /etc/rhsm/ca/redhat-uep.pem. However, /etc/rhsm/ca/redhat-uep.pem does not exist on the system. According to `yum whatprovides`, /etc/rhsm/ca/redhat-uep.pem is part of the python-rhsm-certificates package. Trying to install python-rhsm-certificates fails with the following error message:

> Package python-rhsm-certificates-1.19.10-1.el7_4.x86_64 is obsoleted by subscription-manager-rhsm-certificates-1.21.10-3.el7.centos.x86_64 which is already installed

However, `rpm -ql subscription-manager-rhsm-certificates` shows that _no_ certificates are installed:

```
# rpm -ql subscription-manager-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca
```

So I guess the real bug is that subscription-manager-rhsm-certificates does not actually contain any certificates.
|
I noted a workaround for this issue in a different upstream repo: https://github.com/CentOS/sig-atomic-buildscripts/issues/329#issuecomment-440695888. The summary is that the spec file for `subscription-manager` is neutering the CA certs as part of the build process. But you can grab the necessary cert from the registry itself and stick it in the right place.

```
# docker pull registry.access.redhat.com/rhel7/openscap
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/openscap ...
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory
# openssl s_client -showcerts -servername registry.access.redhat.com -connect registry.access.redhat.com:443 </dev/null 2>/dev/null | openssl x509 -text > /etc/rhsm/ca/redhat-uep.pem
# docker pull registry.access.redhat.com/rhel7/openscap
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/openscap ...
latest: Pulling from registry.access.redhat.com/rhel7/openscap
9a1bea865f79: Pull complete
602125c154e3: Pull complete
4f39a853bed4: Pull complete
20c68cea93f0: Pull complete
Digest: sha256:aa5ddb23af242da108ee0cfe227a96ced06ad398e4c8bb201aa837ca2837e432
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
```
|
confirmed: subscription-manager-rhsm-certificates, which supersedes python-rhsm-certificates, is missing the /etc/rhsm/ca/redhat-uep.pem file. /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt, provided by docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64, is also pointing to this missing file.

```
$ rpm -qlv docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64 | grep redhat
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/redhat.com
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/redhat.io
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/redhat.io/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
drwxr-xr-x 2 root root 0 May 1 16:56 /etc/docker/certs.d/registry.access.redhat.com
lrwxrwxrwx 1 root root 27 May 1 16:56 /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
```
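The notes above establish two things worth checking on any affected host: the docker package's redhat-ca.crt symlinks resolve to a file that subscription-manager-rhsm-certificates never installs, and the `openssl s_client` workaround stores the registry's own server (leaf) certificate in the place where the Red Hat CA certificate is expected, which will stop working as soon as the registry rotates its certificate. The following script is an added example, not code from the bug report or from the CentOS, docker or subscription-manager packages. It audits a certs.d tree (default /etc/docker/certs.d, an assumption taken from the rpm listing above) for dangling symlinks and, when openssl is available, flags any resolved .crt that is not a CA certificate.

```shell
#!/bin/sh
# Added example (not from the bug report or the CentOS packages): audit a docker
# certs.d tree for the two problems discussed in this report.
#   1. /etc/docker/certs.d/<registry>/redhat-ca.crt is shipped as a symlink to
#      /etc/rhsm/ca/redhat-uep.pem, which subscription-manager-rhsm-certificates
#      does not install, so the link dangles and docker pull fails.
#   2. The s_client workaround copies the registry's leaf certificate into that
#      path; a leaf is not a CA (basicConstraints CA:TRUE) and will break on
#      rotation, so report any .crt that is not a CA certificate.

# List every symlink below $1 whose target does not exist, one path per line.
dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print
}

# Exit 0 if $1 is a PEM certificate carrying basicConstraints CA:TRUE, 1 if it
# is not (or is not parseable), 2 if openssl is unavailable so the caller can
# tell "not a CA" from "could not check".
is_ca_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Walk a certs.d tree (default path is an assumption based on the rpm -qlv
# listing above) and print findings. Exit 0 when clean, 1 when at least one
# dangling link or non-CA certificate file was found.
audit_certs_d() {
    dir=${1:-/etc/docker/certs.d}
    rc=0

    dangling=$(dangling_links "$dir")
    if [ -n "$dangling" ]; then
        printf 'dangling symlink(s) under %s:\n%s\n' "$dir" "$dangling"
        rc=1
    fi

    # Only look at .crt entries that actually resolve to a file. Paths under
    # certs.d are registry host names, so word splitting on whitespace is safe.
    for crt in $(find "$dir" -name '*.crt' -exec test -e {} \; -print); do
        is_ca_cert "$crt" && continue
        if [ $? -eq 2 ]; then
            printf '%s: openssl not found, CA check skipped\n' "$crt"
        else
            printf '%s: not a CA certificate (leaf cert copied from the registry?)\n' "$crt"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: audit_certs_d [DIR]
if [ "${AUDIT_CERTS_D_RUN:-0}" = 1 ]; then
    audit_certs_d "$1"
fi
```

Run it as `AUDIT_CERTS_D_RUN=1 sh audit.sh` (or `sh audit.sh /some/other/certs.d`) on the affected host; on a CentOS 7 box with the packages listed above and no manual fix applied it reports the three dangling redhat-ca.crt links, and after the s_client workaround it reports that redhat-uep.pem is not a CA certificate. The proper fix remains installing the real Red Hat CA file (from the python-rhsm-certificates RPM or a RHEL system, as described in the other notes), not trusting the registry's leaf.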
|
This is still present in CentOS 8 Stream. I was unable to register a developer subscription for initialising a RHEL mock chroot. `subscription-manager register` always failed with "Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)". The only way I could work around it was to install a RHEL 8 system and copy the following files from it to the CentOS host:

/etc/rhsm/ca/redhat-entitlement-authority.pem
/etc/rhsm/ca/redhat-uep.pem
|
I've reported this bug for the CentOS 8 project as well: https://bugs.centos.org/view.php?id=17907
I have similar issues in our CI systems: https://ci.centos.org/job/SCLo-container-container-common-scripts-test/235/console

```
13:32:29 make[1]: Leaving directory `/root/sources/tests/failures/check'
13:32:29 ./tests/squash/squash.sh
13:32:29 open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory
13:32:30
```
|
Date Modified | Username | Field | Change |
---|---|---|---|
2018-05-14 02:21 | kameshsampath | New Issue | |
2018-12-14 05:14 | joseph.attard | Note Added: 0033334 | |
2019-01-03 08:47 | mhutter | Note Added: 0033500 | |
2019-01-03 15:04 | miabbott | Note Added: 0033505 | |
2019-05-10 21:12 | tru | Note Added: 0034443 | |
2020-04-15 11:12 | solemnwarning | Note Added: 0036694 | |
2020-12-04 00:23 | toracat | Relationship added | related to 0017907 |
2020-12-04 00:25 | toracat | Status | new => confirmed |
2021-01-26 18:29 | bocek.michal | Note Added: 0038198 | |
2021-06-10 11:48 | phracek | Note Added: 0038493 |