Bug 1020687

Summary: ESX5.5: Migration guest to another host result in "Error loading certificate" in the guest
Product: Red Hat Enterprise Linux 6 Reporter: Liushihui <shihliu>
Component: subscription-managerAssignee: candlepin-bugs
Status: CLOSED NOTABUG QA Contact: John Sefler <jsefler>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.5CC: bkearney, dgoodwin, liliu, qianzhan, sgao, shihliu
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-22 11:49:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 862910    
Attachments:
Description Flags
rhsm.log none

Description Liushihui 2013-10-18 07:46:30 UTC 
Description of problem:
Subscribe a instance-base subscription in the guest, after migrate the guest from original host to destination host, it will result in "Error loading certificate"

Version-Release number of selected component (if applicable):
subscription-manager-1.9.9-1.el6.x86_64
python-rhsm-1.9.6-1.el6.x86_64
virt-who-0.8-9.el6.noarch
katello-headpin-1.4.3.20-1.el6sam_splice.noarch
candlepin-0.8.26-1.el6sam.noarch

How reproducible:
Always

Steps to Reproduce:
1. Prepare RHEL6.5 with latest subscription-manager and virt-who installed. 
Two ESX5.5 hosts have been added to vcenter5.5, And ESX host1 with three guests.ESX host2 without guest, Guest1 on ESX host1
Our test env as the following:
vCenter: 10.66.79.63
ESX host 1: 10.66.13.181
ESX host 2: 10.66.13.187

2. Configure virt-who in ESX mode as the following, Make sure virt-who run normally:
[root@hp-z220-03 ~]# cat /etc/sysconfig/virt-who 
    VIRTWHO_BACKGROUND=1
    # Enable debugging output.
    VIRTWHO_DEBUG=1
    VIRTWHO_INTERVAL=100
    # Register ESX machines using vCenter
    VIRTWHO_ESX=1
    # Option for ESX mode
    VIRTWHO_ESX_OWNER=ACME_Corporation
    VIRTWHO_ESX_ENV=Library
    VIRTWHO_ESX_SERVER=10.66.79.63
    VIRTWHO_ESX_USERNAME=Administrator
    VIRTWHO_ESX_PASSWORD=qwer1234P!
[root@hp-z220-03 ~]# service virt-who restart
virt-who (pid  15975) is running...
3. Register the RHEL6.5 to SAM server(Make sure two ESX hosts have been register to SAM server)
# Subscription-manager register --username=admin --password=admin
4. Register Guest1 to SAM server
# Subscription-manager register --username=admin --password=admin
5. In the guest : Subscribe the Instancebase subscription
# subscription-manager subscribe --pool=8ac28c3b41c468750141c46c20720286
6. In the ESX management tool(vClient5.5): Migrate guest from host1 to host2

7. After migrate successfully, do refresh subscription in the guest
# subscription-manager refresh
Error loading certificate

Actual results:
Guest still registered. But it will pop up "Error loading certificate" after do refresh, please see the rhsm log file in the attachement.

Expected results:
Migration hasn't effect on the subscription's status, it should refresh successfully.

Additional info:
Comment 1 Liushihui 2013-10-18 07:47:01 UTC 
Created attachment 813640 [details]
rhsm.log
Comment 5 John Sefler 2013-10-21 14:04:07 UTC 
rshm.log shows the following warning which could possible lead to the "Error loading certificate".
[WARNING]  @connection.py:464 - Clock skew detected, please check your system time
Comment 6 Bryan Kearney 2013-10-21 18:49:01 UTC 
also, is auto heal on? If not, I would suggest that you enable it. That will help the migration process.
Comment 7 Liushihui 2013-10-22 03:53:31 UTC 
Guest's system time: 
[root@dhcp12-223 ~]# date
Tue Oct 22 11:41:58 EDT 2013
SAM server's system time:
[root@samserv ~]# date
Mon Oct 21 23:23:21 EDT 2013
After update the Guest's system time to the SAM server's system, it hasn't this problem, by the way, auto heal is on.
Comment 8 Devan Goodwin 2013-10-22 11:49:13 UTC 
Based on comment #7, I am closing this as notabug. Clock needs to be in sync for SSL certs to work.