From 884acf23c2909fdb9d97690c9e3bbd689125eb99 Mon Sep 17 00:00:00 2001
From: David Galloway <dgallowa@redhat.com>
Date: Thu, 14 Jul 2022 14:53:06 -0400
Subject: [PATCH] common: Remove, clean up, and reinstall Satellite CA cert

This reverts commit ed59d0bb3f6470ecf62fc6af19663d0f674dd84e.

This was originally added because if one upgrades the Satellite server, the katello-ca-consumer-latest RPM actually gets an incremented version number and conflicts with an already installed katello-ca RPM.  `rpm --reinstall` was not sufficient to "upgrade" the package.

We won't ever be upgrading the Satellite server again and the proper way to "reinstall" the Satellite's CA Cert is to remove it, subscription-manager clean, then reinstall as per https://access.redhat.com/solutions/3336921.

Signed-off-by: David Galloway <dgallowa@redhat.com>
---
 roles/common/tasks/rhel-entitlements.yml | 25 +++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/roles/common/tasks/rhel-entitlements.yml b/roles/common/tasks/rhel-entitlements.yml
index 1989a48..eeda667 100644
--- a/roles/common/tasks/rhel-entitlements.yml
+++ b/roles/common/tasks/rhel-entitlements.yml
@@ -18,16 +18,27 @@
   set_fact:
     have_entitlements: "{{ subscription_manager_org != '' and subscription_manager_activationkey != ''}}"
 
-- name: Download CA Cert from Satellite Server
-  get_url:
-    url: "{{ satellite_cert_rpm }}"
-    dest: /tmp/katello-ca-consumer-latest.noarch.rpm
+- name: Find existing CA Cert RPMs
+  command: rpm -qa katello-ca-consumer*
+  register: existing_satellite_cert
+  when: use_satellite == true
+
+- name: Uninstall previous CA Certs from Satellite Servers
+  command: rpm -e "{{ existing_satellite_cert.stdout }}"
+  when:
+    - use_satellite == true
+    - existing_satellite_cert.stdout|length>0
+
+- name: Subscription-manager clean
+  command: subscription-manager clean
   when: use_satellite == true
 
 - name: Install CA Cert from Satellite Server
-  command: rpm --reinstall -Uvh /tmp/katello-ca-consumer-latest.noarch.rpm
-  register: sat_rpm_install
-  failed_when: sat_rpm_install.rc != 0 and "is already installed" not in sat_rpm_install.stderr
+  yum:
+    name: "{{ satellite_cert_rpm }}"
+    state: present
+    validate_certs: no
+    disable_gpg_check: yes
   when: use_satellite == true
 
 # set the releasever cause without it rhel-7-server-rpms repo fails on rhel7.9 machines
-- 
2.39.5