- Bug
- Resolution: Unresolved
- Critical
- 6.16.0, 6.17.0
- 3
- False
- Artemis Sprint 162
- sat-artemis
- None
- None
- None
- To Do
Description of problem:
When using ISS (Network Sync) to sync content from a disconnected Satellite to a connected Satellite, the sync will fail if either:
- The CA has changed on the connected Satellite
- The certs have changed on the connected Satellite
The issue was first discovered when doing a leapp upgrade from RHEL8 to RHEL9 for Satellite 6.16 on the connected Satellite. The certificates change from SHA1 to SHA256. The default update-crypto-policies profile does not allow using SHA1 certs. This causes issues when the disconnected Satellite tries to access content from the connected Satellite using the SHA1 certs. The workaround was to lower the update-crypto-policies profile to legacy, which allows the syncs to continue. The error seen when the profile is default shows a bad certificate:
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2354)
However, when testing this out, if the CA changes on the connected Satellite, the disconnected Satellite will no longer be able to sync content. Even when updating the Content Credentials to use the new CA, the syncs will still fail with:
[Errno 1] [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2651)
Refreshing the manifest does not fix the error, and the new CA is still not used for the sync.
If we manually update the katello_cdn_configurations table to use the new CA, the syncs will still fail, giving a misleading 404 error:
404, message='Not Found', url=URL('https://sat-connected.example.com/pulp/content/Borg/Library/content/dist/layered/rhel8/x86_64/sat-capsule/6.14/os')
However, when testing from the disconnected Satellite server with curl, we see it is actually a 403 error (note: the cert, key, and CA were all taken from the debug logs during a failed sync attempt):
[root@sat-disconnected ~]# curl --cert cert2.pem --key key.pem --cacert cert.pem https://sat-connected.example.com/pulp/content/Borg/Library/content/dist/layered/rhel8/x86_64/sat-capsule/6.14/os/repodata/repomd.xml
403: Requested path is not a subpath of a path in the client certificate.
And the HTTP logs from the connected Satellite show a 403 followed by a 404:
192.168.0.223 - - [29/Jan/2026:11:12:53 -0500] "GET /pulp/content/Borg/Library/content/dist/layered/rhel8/x86_64/sat-capsule/6.14/os/repodata/repomd.xml HTTP/1.1" 403 73 "-" "pulpcore/3.22.22 (cpython 3.9.20-final0, Linux x86_64) (aiohttp 3.9.2)"
192.168.0.223 - - [29/Jan/2026:11:12:53 -0500] "GET /pulp/content/Borg/Library/content/dist/layered/rhel8/x86_64/sat-capsule/6.14/os HTTP/1.1" 404 14 "-" "pulpcore/3.22.22 (cpython 3.9.20-final0, Linux x86_64) (aiohttp 3.9.2)"
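The two checks below are an added example, not part of the bug report or of Satellite's own tooling. They reproduce offline the condition behind both the "unknown ca" alert (a TLS peer that verifies a certificate and cannot find its issuer sends that alert, so it is worth checking both the server chain against the Content Credential CA and the client cert against the CA the server trusts) and they give a way to read the real HTTP status instead of the 404 that pulpcore reports. All CA names, hostnames and paths are constructed; the script assumes the openssl and curl command-line tools are installed.

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce offline the core of the
# failure above (a certificate verified against a CA that did not issue it)
# and show the HTTP status the content server really returns. CA names,
# hostnames and paths are constructed test material; requires openssl and curl.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: create a self-signed CA key pair under $WORK (constructed)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA NAME: issue a leaf certificate for NAME signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chain_ok CAFILE CERT: succeed only if CERT chains to CAFILE. A peer that runs
# this check and fails is the one that sends the TLS "unknown ca" alert.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# real_status URL CERT KEY CAFILE: print the HTTP status the content server
# actually returns (403 in the report) rather than the 404 pulpcore logs.
real_status() {
  curl -s -o /dev/null -w '%{http_code}' --cert "$2" --key "$3" --cacert "$4" "$1"
}

# rotation_demo: the old CA issued the client cert, the new CA issued the
# server cert, i.e. the state after the connected Satellite's CA is replaced.
rotation_demo() {
  make_ca old-ca
  make_ca new-ca
  issue_cert new-ca sat-connected.example.com   # server side, new CA
  issue_cert old-ca sat-disconnected-client     # client side, still old CA
  server="$WORK/sat-connected.example.com.pem"
  client="$WORK/sat-disconnected-client.pem"

  if ! chain_ok "$WORK/new-ca.pem" "$server"; then
    echo "server cert does not chain to the new CA"; return 1
  fi
  if chain_ok "$WORK/old-ca.pem" "$server"; then
    echo "old CA still validates the new server cert"; return 1
  fi
  if chain_ok "$WORK/new-ca.pem" "$client"; then
    echo "new CA validates the old client cert"; return 1
  fi
  echo "server cert: verifies with the new CA only -> the Content Credential must carry the new CA"
  echo "client cert: issued by the old CA, rejected by the new CA -> client certs need reissuing too"
  return 0
}
```

Run `rotation_demo` to see the offline reproduction; on a real pair of Satellites, call `real_status` with the URL, cert, key and CA taken from the debug logs of a failed sync, which distinguishes the 403 from the content guard ("not a subpath of a path in the client certificate") from the 404 shown in the task output.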
How reproducible:
always
Is this issue a regression from an earlier version:
Don't think this is a regression, but did not confirm.
Steps to Reproduce:
1. Configure ISS between 2 Satellites
2. Enable and sync a repository on the connected Satellite, and then do the same on the disconnected (confirm this works)
3. Update the CA on the connected Satellite, and update the Content Credentials on the disconnected Satellite to use the new CA
Actual behavior:
The disconnected Satellite is no longer able to sync, and will get SSL: TLSV1_ALERT_UNKNOWN_CA tlsv1 alert unknown ca errors
Expected behavior:
There should be a way to force a disconnected Satellite to regenerate the CA and Certs in order to sync content from the connected Satellite server
Business Impact / Additional info:
Big impact: if the CA changes, content can no longer be synced to a disconnected Satellite via ISS (Network Sync).