
If you’re standing up a private Automation Hub on Ansible Automation Platform 2.6, one of the first things you’ll want is to pull down Red Hat Certified and Validated collections from the hosted service on console.redhat.com. On paper it’s straightforward. In practice, there are a handful of gotchas that will hand you a cryptic “Failed” status with no obvious explanation. This post walks through the setup and, just as importantly, how to troubleshoot the errors you’ll almost certainly hit along the way. In this example I’m pulling some certified and validated content for configuration as code, so you’ll see references throughout.
Certified vs Verified vs Community
First, certified and verified are found via console.redhat.com only so you won’t see them on galaxy.
If you want to browse certified and verified you can find it at https://console.redhat.com/ansible/automation-hub.

– rh-certified pulls from the certified (published) content on console.redhat.com. This is where ansible.platform, ansible.controller, ansible.eda, and ansible.hub live.
– validated pulls from the validated content on console.redhat.com. This is where the redhat-cop collections like infra.aap_configuration live.
– community pulls from public Ansible Galaxy.
These do not cross-resolve. A collection whose dependencies live in a different repository will fail to sync unless you tell it not to chase those dependencies. I ran into this issue with infra as it is only in validated, so I turned off dependency syncing for validated.
Where to Configure Remotes and Repositories
In AAP 2.6 the navigation changed from older versions. You’ll find everything under Automation Content, not the old “Repo Management” label.
– Remotes (where you set URLs, tokens, and requirements): Automation Content then Remotes

– Repositories (where you kick off syncs): Automation Content then Repositories

– Sync task logs and errors: Automation Content then Task Management

Step 1: Get Your Sync URL and Offline Token
Certified and validated content both require authentication against console.redhat.com. You’ll need an offline token. RH documentation here.
1. Log into console.redhat.com as an Org Admin.
2. Navigate to the Automation Hub connect/token page.
3. Under Offline token, click Load token, then copy it.
4. Store it somewhere secure. The offline token expires after 30 days of inactivity, so if a sync that used to work suddenly starts throwing 401s, a lapsed token is the first thing to check.

Step 2: Configure the rh-certified Remote
1. Go to Automation Content then Remotes.
2. Edit the rh-certified remote.
3. Confirm the Server URL points at the certified/published content endpoint:
1 | https://console.redhat.com/api/automation-hub/content/published/ |
4. Paste your offline token into the Token field.
5. Confirm the SSO URL is populated (on the pre-seeded rh-certified remote it usually is(validated had this blank for me)):
1 | https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token |
6. Add a curated requirements file so you don’t sync the entire certified catalog. Syncing everything takes 30+ minutes and, worse, if any single collection in the catalog returns a bad response, the whole task fails. Scope it to what you actually need:
1 2 3 4 5 6 7 8 | --- collections: - name: ansible.controller - name: ansible.platform - name: ansible.eda - name: ansible.hub - name: ansible.utils - name: ansible.posix |
7. Click Save remote.
Step 3: Sync the rh-certified Repository
1. Go to Automation Content then Repositories.
2. Find rh-certified, open the actions menu, and select Sync.
3. Watch progress under Automation Content then Task Management.
Step 4: Configure the Validated Remote
Validated content lives at a different endpoint but uses the same authentication. This is where a lot of people trip up, because if you build this remote by hand or clone settings from the community remote, critical auth fields end up blank.
1. Go to Automation Content then Remotes.
2. Edit (or create) the rh-validated remote.
3. Set the Server URL to the validated content endpoint (note validated, not published):
1 | https://console.redhat.com/api/automation-hub/content/validated/ |
4. Paste your offline token into the Token field. The validated repo requires the same token as rh-certified. The community remote does not need a token, so if you copied settings from community this field will be empty.
5. Populate the SSO URL. This is the single most common cause of a 401 on a hand-built validated remote. Without it, the hub has no endpoint to exchange your offline token for a bearer token, so it sends the request unauthenticated and gets rejected:
1 | https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token |
6. Leave Sync all dependencies unchecked. The dependencies of infra.aap_configuration (like ansible.platform and ansible.controller) live in the certified repo, not validated. If you leave this on, the validated sync will go hunting for them in the wrong place and fail. The UI even warns you about this inline.
7. Add a requirements file scoped to the validated content you want:
1 2 3 | --- collections: - name: infra.aap_configuration |
8. Click Save remote, then sync the rh-validated repository the same way you synced rh-certified.
Troubleshooting: Finding the Logs
When a repo shows Failed, the repository view only shows you the status flag, not the error. The actual error lives in the task record.
Go to Automation Content then Task Management, find the most recent failed sync task, and click into it. The detail view shows the error description and full traceback. You can take this message and paste it into your AI of choice and ask it “My aap2.6 private automation hub repository sync is failing with this message:”.
If the UI detail isn’t enough, pull the Pulp worker logs directly from the hub node. On a containerized AAP 2.6 install:
1 2 3 | sudo -i podman ps --format '{{.Names}}' | grep -i worker podman logs automation-hub-worker-1 2>&1 | tail -n 200 |
Or via journald:
1 | journalctl -u 'automation-hub-*' --since "30 min ago" --no-pager |
Troubleshooting
The following are all errors I got during my setup.
404 on a Certified Endpoint for a Validated Collection
1 2 | 404, message='Not Found', url='https://console.redhat.com/api/automation-hub/content/published/.../infra/aap_configuration/' |
This is a wrong-repo error. You asked the rh-certified (published) remote to sync infra.aap_configuration, but that collection is validated content, not certified. The certified endpoint has no such collection, so it legitimately 404s. Fix: move infra.aap_configuration out of the rh-certified requirements file and into the validated remote.
404 on Galaxy for a Certified Dependency
1 2 | 404, message='Not Found', url='https://galaxy.ansible.com/api/v3/.../ansible/platform/' |
This is a dependency-resolution error. Your requirements file only listed infra.aap_configuration, but with dependency syncing enabled, Pulp tried to also pull its dependency ansible.platform from Galaxy. That collection is certified content and does not exist on public Galaxy, hence the 404. Fix: uncheck Sync all dependencies on the remote, and make sure ansible.platform comes in through your rh-certified sync instead.
401 Unauthorized on the Validated Endpoint
1 2 | 401, message='Unauthorized', url='https://console.redhat.com/api/automation-hub/content/validated/api/' |
This is an auth error, and it fails at the very first step before any collection is even touched. The URL is correct (validated), so the problem is purely credentials. In practice this almost always means the SSO URL field is empty on the remote. Without it, the hub can’t exchange your offline token for a bearer token, so the request goes out unauthenticated and gets a 401. Fix: populate the SSO URL field (see Step 4). Also confirm the Token field is actually populated and the offline token hasn’t expired.
503 Service Unavailable on the Gateway service-index
1 2 | 503 Server Error: Service Unavailable for url: https://YOUR-HUB/api/gateway/v1/service-index/metadata/ |
This one is a red herring if you’re focused on content sync. Note the URL points at your own hub’s gateway, not console.redhat.com. This is the internal Resource Registry sync (which replicates users, teams, and orgs across AAP services), not a collection sync. A 503 here means the gateway’s service-index endpoint was unavailable when the task ran, usually because the gateway service was down, restarting, or coming back up in the wrong order after a platform restart. Check the gateway service health:
1 2 3 4 | podman ps --format '{{.Names}} {{.Status}}' | grep -i gateway # or, on RPM installs: systemctl status automation-gateway journalctl -u automation-gateway --since "30 min ago" --no-pager |
Confirm the endpoint responds:
1 | curl -sSk https://YOUR-HUB/api/gateway/v1/service-index/metadata/ -w '\n%{http_code}\n' |
Once the gateway is healthy again, the resource-sync task clears on its next scheduled run.
Conclusion
It can be just a little fiddley at first, but it’s honestly pretty straight forward once you step through it once. Keep in mind you will have to regularly update your requirements files, though you can create multiple remotes and repos all pointing to the same place, but with different requirements.
Good luck and happy automating!
How does a daydreaming theater kid from Boca Raton, Florida end up making her mark on Broadway? In this episode, Greg sits down with Jennifer Ashley Tepper, a self-proclaimed theater nerd and accomplished historian, who has turned her childhood obsession into a Broadway career. Join us as we navigate through Jennifer’s journey, from theater camp memories to her work at 54 Below, and explore the passion that drives her to uncover and celebrate the untold stories of theater’s past.
Don’t forget to like, comment, and subscribe for more conversations that chase the story behind the person.
If you want to support the podcast you can do so via https://www.patreon.com/whyamipod (this gives you access to bonus content including their Fantasy Restaurant!)
Ever imagined a meal where Wheaties meet leftover cake and a filet mignon finds its place on the same table as a 16-scoop ice cream split? Welcome to the Fantasy Restaurant with Sean Petrie (@typewriterrodeo) in the Fantasy Restaurant. Listen in as Sean’s creative choices and childhood flavors take us on a journey through taste and memory. This episode is a reminder of how our unique bites tell chapters of our life’s story. Get ready to savor this feast of nostalgia and whimsy.
Don’t forget to like, comment, and subscribe for more conversations that chase the story behind the person.
Please show them some love on their socials here: https://www.typewriterrodeo.com/ https://burlwoodbooks.com/universe/ https://www.instagram.com/typewriterrodeo/
If you want to support the podcast you can do so via https://www.patreon.com/whyamipod (this gives you access to bonus content including their Fantasy Restaurant!)
Ever wonder what it feels like to be a radio pirate in Memphis? Sasha Zaitsev shares his unique journey as the mastermind behind Radio Free Memphis, a pirate radio station disrupting the airwaves. Dive into his world of experimental music, designed to challenge and provoke, and uncover what it truly means to march to the beat of your own drum, or in Sasha’s case, a noise of his own making.
Don’t forget to like, comment, and subscribe for more conversations that chase the story behind the person.
Please show them some love on their socials here: https://radiofreememphis.bandcamp.com/
If you want to support the podcast you can do so via https://www.patreon.com/whyamipod (this gives you access to bonus content including their Fantasy Restaurant!)
Ever wondered what your ultimate comfort meal would look like if you had no limits? Join me in Dee Parson’s fantasy restaurant, where nostalgia and rebellion serve up a side of spicy popcorn chicken. From childhood influences like Grandma’s canned Pepsi to the ultimate birthday cake handcrafted by a best friend’s mother, Dee’s choice of dishes reveals a lifelong journey of taste and sentiment.
Don’t forget to like, comment, and subscribe for more conversations that chase the story behind the person.
Please show them some love on their socials here:
www.twitter.com/suprdee2 www.instagram.com/suprdee2
https://suprdee2.com/ www.comicskingdom.com/rosebuds https://www.facebook.com/Suprdee2
If you want to support the podcast you can do so via https://www.patreon.com/whyamipod (this gives you access to bonus content including their Fantasy Restaurant!)
What’s life really like when your workplace is a submarine, your family is 120 sailors, and your phone calls home are measured in words instead of minutes? Navy veteran Brady Drennan shares stories from 38 years of service, from fast attack submarines to aircraft carriers, nuclear power, deployment life, leadership, family, and the little pieces of home that keep people going.
Don’t forget to like, comment, and subscribe for more conversations that chase the story behind the person.
Please show them some love on their socials here: https://texvet.org/resources/united-states-submarine-veterans-inc
https://alegion159.org/index.html
If you want to support the podcast you can do so via https://www.patreon.com/whyamipod (this gives you access to bonus content including their Fantasy Restaurant!)
On this episode of Why Am I, Greg talks with scientist and podcaster Jeff Zurek about volcanoes, curiosity, public speaking, “type two fun,” and the strange paths that lead us into the work that lights us up. Jeff has a gift for making science feel less like homework and more like an adventure, especially when he gets into crystals in New Mexico that might help solve a 5,000-year-old volcanic mystery.
Don’t forget to like, comment, and subscribe for more conversations that chase the story behind the person.
Please show them some love on their socials here: https://bsky.app/profile/whimsicallambda.bsky.social
https://www.facebook.com/WhimsicalWavelengths
https://www.instagram.com/whimsical.wavelengths/
https://www.linkedin.com/company/whimsical-wavelengths/
If you want to support the podcast you can do so via https://www.patreon.com/whyamipod (this gives you access to bonus content including their Fantasy Restaurant!)

