  2. SAT-18410

[pulp3] rhsm certguard failure messages are lost in log-level debug

    • Bug
    • Resolution: Done-Errata
    • Normal
    • 6.16.0
    • 6.10.0
    • Pulp

      Description of problem:
      When a client is denied access by the rhsm-certguard, the log messages describing the reason are lost with log level debug. They should be raised to at least warning, because they tell an administrator why a client is unable to consume their subscriptions.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:
      1. Subscribe a host to RH subscription content
      2. Find a reason for the rhsm content guard to reject the client certificate
      Either https://bugzilla.redhat.com/show_bug.cgi?id=1977893,
      or misconfigure it, see below
      3. On the host run `yum update` and observe that repodata.xml returns 403
      4. In foreman-tail observe that all reasons for ^ are in log level DEBUG

      Actual results:

      Expected results:
      Failed authentication to subscription content should be logged at a higher level, maybe WARNING.

      Additional info:

      Misconfiguring may be:
      `curl -vv -k -X PATCH --data-urlencode 'ca_certificate@fake.crt' --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key "https://localhost/pulp/api/v3/contentguards/certguard/rhsm/<UUID>/"`


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Critical: Satellite 6.16.0 release), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:8906


            Eric Helms added a comment -

            This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

            Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

            To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

            "Bugzilla Bug" = 1234567

            In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues@redhat.com. You can also visit https://access.redhat.com/articles/7032570 for general account information.


            Shubham Ganar (Inactive) added a comment - - edited

            Verified.

            Tested on Satellite stream Snap 52
            python3.11-pulp-certguard-1.7.1-2.el8pc.noarch

            Steps followed:
            1. Subscribe a host to RH subscription content
            2. Find a reason for the rhsm content guard to reject the client certificate or misconfigure it (`curl -vv -k -X PATCH --data-urlencode 'ca_certificate@fake.crt' --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key "https://localhost/pulp/api/v3/contentguards/certguard/rhsm/<UUID>/"`)
            3. On the host run `yum update` and observe that repodata.xml returns 403
            4. Observe foreman-tail

            Observation:
            The log messages describing the failure reason are logged at a higher level, WARNING.


            Robin Chan added a comment - - edited

            All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.


            pulp-infra@redhat.com added a comment - - edited

            The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.


            pulp-infra@redhat.com added a comment - - edited

            The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.


            Matthias Dellweg added a comment - - edited

            Provided the steps as part of the original comment.


            Grant Gainey added a comment - - edited

            From discussion w/ Matthias:

            certguard raises PermissionError, which is a base python error-class. These error-messages appear to not show up in logging. Investigation needed on whether PermissionError is "special" in some way when it comes to being logged by the content-app.

            NOTE: we really should not be overloading python's file-level PermissionError this way, and instead should have our own certguard-perm-error. May want its own RFE.

            See https://github.com/pulp/pulpcore/blob/master/pulpcore/content/handler.py#L296-L303 for where we might want to increase log-level.


            Grant Gainey added a comment - - edited

            I suspect this is a combination of https://github.com/pulp/pulp-certguard/blob/master/pulp_certguard/app/models.py#L42 and https://github.com/pulp/pulp-certguard/blob/master/pulp_certguard/app/models.py#L167-L169.

            In the first, we only log "this doesn't even look like a cert" at debug-level.

            In the second, we lose information on the specific error encountered and log "something went wrong".

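The two comments above describe the same failure mode from both ends: the guard logs the real reason only at DEBUG and then raises a bare PermissionError with a generic message, so a content handler catching PermissionError has nothing specific left to log. The following is an added example, not Pulp or pulp-certguard code: it contrasts that lossy pattern with one that logs the denial at WARNING and carries the reason in a guard-specific exception (the `CertGuardDenied` class, `denial_reason`, `guard_lossy`, `guard_verbose`, `serve_content` and `captured_logs` are all hypothetical names, and the "certificate" is a constructed dict rather than real X.509 so the script runs offline).

```python
import logging
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the CA bundle a cert guard would be configured with.
TRUSTED_ISSUERS = {"Constructed Subscription CA"}


class CertGuardDenied(PermissionError):
    """Hypothetical guard-specific error. It still subclasses PermissionError so
    existing `except PermissionError` clauses keep working, but it carries the
    denial reason and the client subject explicitly."""

    def __init__(self, reason: str, subject: Optional[str] = None):
        super().__init__(reason)
        self.reason = reason
        self.subject = subject


def denial_reason(cert: Optional[Dict]) -> Optional[str]:
    """Return why the (toy) certificate must be rejected, or None if acceptable.
    The checks mirror the kinds of reasons a guard produces; they are not X.509
    validation."""
    if cert is None:
        return "no client certificate presented"
    if "subject" not in cert or "issuer" not in cert:
        return "presented data does not look like a certificate"
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return f"issuer '{cert['issuer']}' is not in the configured CA bundle"
    if cert.get("expired"):
        return f"certificate for '{cert['subject']}' has expired"
    return None


def guard_lossy(cert: Optional[Dict], log: logging.Logger) -> None:
    """The pattern the comments describe: the specific reason goes out at DEBUG
    and the exception that reaches the handler says only 'something went wrong'."""
    reason = denial_reason(cert)
    if reason is not None:
        log.debug("cert guard: %s", reason)
        raise PermissionError("something went wrong")


def guard_verbose(cert: Optional[Dict], log: logging.Logger) -> None:
    """Same decision, but the reason is logged at WARNING (visible at the default
    production level) and travels with the exception for the handler to use."""
    reason = denial_reason(cert)
    if reason is not None:
        subject = cert.get("subject") if cert else None
        log.warning("cert guard denied subject=%r: %s", subject, reason)
        raise CertGuardDenied(reason, subject)


def serve_content(guard: Callable, cert: Optional[Dict], log: logging.Logger) -> int:
    """Hypothetical content handler: a guard denial becomes HTTP 403. Like the
    handler the comments point at, it only logs the caught error at DEBUG."""
    try:
        guard(cert, log)
    except PermissionError as exc:
        log.debug("content guard rejected request: %s", exc)
        return 403
    return 200


def captured_logs(guard: Callable, cert: Optional[Dict],
                  level: int = logging.INFO) -> Tuple[int, List[Tuple[str, str]]]:
    """Run the handler with a logger at `level` (INFO is a typical production
    setting) and return (status, [(levelname, message), ...]) that was emitted."""
    log = logging.getLogger(f"example.{guard.__name__}")
    log.handlers.clear()  # fresh capture on every call
    log.propagate = False
    log.setLevel(level)
    records: List[Tuple[str, str]] = []

    class Capture(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            records.append((record.levelname, record.getMessage()))

    log.addHandler(Capture())
    return serve_content(guard, cert, log), records


if __name__ == "__main__":
    # Constructed client cert signed by an issuer the guard does not trust.
    untrusted = {"subject": "host1.example.com", "issuer": "Unknown CA"}
    for guard in (guard_lossy, guard_verbose):
        status, records = captured_logs(guard, untrusted)
        print(f"{guard.__name__}: HTTP {status}, logged at INFO level: {records}")
```

Run at INFO level, the lossy guard returns 403 with nothing in the log at all, which is exactly what an administrator watching foreman-tail saw in this bug; the verbose guard returns the same 403 but leaves a single WARNING line naming the subject and the reason. Raising the guard's own log level is the smaller change; giving the exception a reason attribute additionally lets the handler report it without depending on the guard's logger configuration.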

            Brad Buckingham added a comment - - edited

            Hi Matthias,

            Can we provide a set of reproducer steps for QE to verify once a fix is available? Thanks!


              jira-bugzilla-migration RH Bugzilla Integration
              rhn-engineering-mdellweg Matthias Dellweg
              RH Bugzilla Integration RH Bugzilla Integration