BSA: RHEL 7 Patch Catalog update job is failing "URL returned error: 403 Forbidden"

Version 6
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    BladeLogic Server Automation Suite


    BladeLogic Patch Management


    RHEL 7 patch catalog update in BSA version 8.6 onwards


    A BMC BladeLogic Server Automation (BSA) RHEL7 Patch catalog update job is failing and the following error is seen in the Job Run logs :
    Validation Error :- BLPAT1211 - Unable to find sqlite db required by yum.
    Possible remediation steps :- Please check the yum_metadata_generator.log file generated in repo directory
    The yum_metadata_generator.log which is created on the repository server under the “Repository Location” specified in the Patch Catalog Update job has something like the following :

    Started executing yum metadata generator script Thu May 19 16:03:20 IST 2016 : cache dir path is /data/BMC_Test/cachedir Config time: 0.037 Yum Version: 3.2.29 [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403 Forbidden" Trying other mirror. [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403 Forbidden" Trying other mirror. repo id            repo name                                              status rhel-7-server-rpms Red Hat Enterprise Linux Server (v. 7 for 64-bit x86_6 0 repolist: 0 Thu May 19 16:03:59 IST 2016 : No Repo DB Found, Command Exit Code - 0




    The certificates downloaded as a part of pre-requisite for RHEL7 Patch Catalog Creation have been revoked by Red Hat.


    Redhat occasionally revokes certificates to ensure its accuracy.
    Please see below link.

    “A subscription entitlement certificate can be revoked any time by Red Hat to ensure its accuracy. Constantly Red Hat is updating the SKUs descriptions, accounts modifications, subscriptions renewals/models, etc. Since this certificate is used to grant access to the products on CDN, to guarantee that this certificate reflects the current changes/updates, it will automatically be marked as dirty, which in other words means that the certificate needs to be regenerated and re-downloaded on the client. Note that Red Hat can mark this certificate as dirty any time, even when no changes are made on your account.”
    The only option in this case is to regenerate and download the certificates and re-run a catalog update job.

    The procedure to download the certificates is in the product documentation.  Alternatively, the subscription-manager client will automatically update the revoked certs periodically. 

    After obtaining the new certificates the Patch Global Configuration must be updated to reflect the location of the new certificate files.  Instead of doing this manually, the update could be done with a NSH Script Job.  An example of such a script is located here:



    Article Number:


    Article Type:

    Solutions to a Product Problem

      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles