Bug 1267034

Summary: if system is registered with a consumer cert for different serverurl, select_sla screen shows error and fails
Product: Red Hat Enterprise Linux 7 Reporter: Adrian Likins <alikins>
Component: subscription-managerAssignee: candlepin-bugs
Status: CLOSED ERRATA QA Contact: Sean Toner <stoner>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: bkearney, crog, csnyder
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 11:51:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
contains 2 pngs, one of error before fix, one of error after fix none

Description Adrian Likins 2015-09-28 21:21:03 UTC 
Description of problem:
If a system is registered to server url A, but initial-setup starts with rhsm configured to use server url B, (where current consumer does not work and causes invalid credentials), the screen will move to the select_sla's pre() function
(ie, talking to the server and trying to figure entitlements are needed), we
show a error message but stay on the select_sla's pre progress screen.

Since without supporting un-register or re-register, there is no way to fix this, so instead we should show the error and go to the end screen.
Comment 2 Chris Snyder 2015-09-30 15:18:59 UTC 
In master as of commit: f508338da8107d339b0bdb854c42bffd696c9465
Comment 3 Chris "Ceiu" Rog 2015-09-30 18:06:49 UTC 
commit f508338da8107d339b0bdb854c42bffd696c9465
Author: Adrian Likins <alikins>
Date:   Mon Sep 28 18:03:25 2015 -0400

    1267034: Handle 401 with cert based auth
    
    If we got here with an unexcepted RestlibException,
    nothing would signal that the attach was finished
    (in the sense that there is nothing else it can do).
    
    In particular, 401's that have a valid candlepin
    error response. Which could happen if you have the
    CA certs for current serverurl, but have a valid consumer
    cert from a different server, and you fail the consumer
    cert auth check.
Comment 5 Sean Toner 2015-10-06 17:30:12 UTC 
I installed the following:

[root@rh72-stoner-snap4 consumer]# rpm -qa | grep subscription
subscription-manager-initial-setup-addon-1.15.9-12.el7.x86_64
subscription-manager-1.15.9-12.el7.x86_64
subscription-manager-migration-1.15.9-12.el7.x86_64
subscription-manager-gui-1.15.9-12.el7.x86_64
subscription-manager-plugin-ostree-1.15.9-12.el7.x86_64
subscription-manager-plugin-container-1.15.9-12.el7.x86_64
subscription-manager-migration-data-2.0.24-1.el7.noarch


I registered a system on a private candlepin instance.  I then went into rhsm.conf, and changed the server hostname to point to the regular production subscription.rhn.redhat.com

I then launched initial-setup, and it hung during attaching trying to find suitable service levels (see bz1267034.png).  So I believe I was able to reproduce the same issue.

I then changed rhsm.conf to allow me to unregister, and updated the rpms to 1.15.9-13.  I followed the same steps as above, but instead of hanging at the auto attach while trying to find suitable service levels, I was presented with an error during registration (see bz126704-withfix.png).
Comment 6 Sean Toner 2015-10-06 17:31:29 UTC 
Created attachment 1080322 [details]
contains 2 pngs, one of error before fix, one of error after fix
Comment 7 errata-xmlrpc 2015-11-19 11:51:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2122.html