CAHC missing CA cert for Red Hat

[miabbott]

The sanity tests on CAHC have been failing for an embarrassing amount of time, but I just did some digging after @jlebon asked about it.

The root cause looks like a missing CA cert for Red Hat things. This was observed when doing a docker pull from the registry:

    # docker pull registry.access.redhat.com/rhel7/openscap
    Using default tag: latest
    Trying to pull repository registry.access.redhat.com/rhel7/openscap ...
    open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory 

The redhat-ca.crt file is usually a symlink to /etc/rhsm/ca/redhat-uep.pem. On the CAHC stream, this was provided by python-rhsm-certificates, but recent composes have caused this package to drop out of the compose. (FWIW, on RHELAH the cert is provided by subscription-manager-rhsm-certificates, but this package is basically empty in CentOS land)

The first compose where it appears this package was removed was on April 26, commit 4d12023435213f8c639337679d3f093f0188cfe8eaf77f4d5963ba5e35aea7e7

[jlebon]

Hmm, so something dropped it as a dep? I suppose we could manually add it back in the manifest, though it'd be nice to track down what dropped the dep and why.

[miabbott]

I mean, this is a testing stream...i'm not opposed to the hammer approach.

[cgwalters]

Without actually investigating my offhand guess is that something in CentOS chagned to explicitly neuter that package in 7.5.

[miabbott]

This is still an issue in the latest CAHC builds...

I tried to dig through the dependencies and what not:

# docker run -it --rm registry.centos.org/centos repoquery --whatprovides /etc/rhsm/ca/redhat-uep.pem
python-rhsm-certificates-0:1.19.10-1.el7_4.x86_64
# docker run -it --rm registry.centos.org/centos repoquery --whatrequires python-rhsm-certificates                                                                                     
python-rhsm-0:1.19.10-1.el7_4.x86_64
# docker run -it --rm registry.centos.org/centos repoquery --whatprovides python-rhsm
subscription-manager-rhsm-0:1.20.11-1.el7.centos.x86_64
python-rhsm-0:1.19.10-1.el7_4.x86_64
# rpm -qa | grep rhsm
subscription-manager-rhsm-certificates-1.20.11-1.el7.centos.x86_64
subscription-manager-rhsm-1.20.11-1.el7.centos.x86_64

The spec file for subscription-manager seems to indicate that the redhat-uep.pem cert should be installed by subscription-manager-rhsm-certificates:

https://src.fedoraproject.org/cgit/rpms/subscription-manager.git/tree/subscription-manager.spec?id=5484dbb5a4b319d70a4cc0d440c941f0463fd53a#n556

So....kind of back to where we started. ¯_(ツ)_/¯

Seems to support what @cgwalters said about the certs getting neutered. Not sure where to look for evidence of that.

[miabbott]

This appears to affect all of CentOS

https://lists.centos.org/pipermail/centos-devel/2018-June/016749.html