Bug 1414529

Summary: Unhelpful error message if a product certificate is corrupted.
Product: Red Hat Enterprise Linux 7 Reporter: Barnaby Court <bcourt>
Component: subscription-manager Assignee: Jiri Hnidek <jhnidek>
Status: CLOSED ERRATA QA Contact: John Sefler <jsefler>
Severity: low Docs Contact:
Priority: medium    
Version: 7.3 CC: jhnidek, khowell, redakkan, skallesh
Target Milestone: rc Keywords: EasyFix, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: subscription-manager-1.20.2-1 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 09:47:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Barnaby Court 2017-01-18 18:34:25 UTC
Description of problem:
If a product certificate is corrupted the error message is not very helpful. For example:
2017-01-18 18:00:41,683 [INFO] subscription-manager:31445:MainThread @managercli.py:384 - Client Versions: {'python-rhsm': '1.17.9-1.el7', 'subscription-manager': '1.17.15-1.el7.centos'}
2017-01-18 18:00:41,683 [INFO] subscription-manager:31445:MainThread @connection.py:830 - Connection built: host=https://devel.example.com port=443 handler=/rhsm auth=identity_cert ca_dir=/etc/rhsm/ca/ verify=True
2017-01-18 18:00:41,684 [INFO] subscription-manager:31445:MainThread @connection.py:830 - Connection built: host=https://devel.example.com port=443 handler=/rhsm auth=none
2017-01-18 18:00:41,684 [INFO] subscription-manager:31445:MainThread @managercli.py:384 - Client Versions: {'python-rhsm': '1.17.9-1.el7', 'subscription-manager': '1.17.15-1.el7.centos'}
2017-01-18 18:00:41,684 [INFO] subscription-manager:31445:MainThread @managercli.py:359 - Consumer Identity name=None uuid=None
2017-01-18 18:00:41,685 [ERROR] subscription-manager:31445:MainThread @managercli.py:174 - exception caught in subscription-manager
2017-01-18 18:00:41,685 [ERROR] subscription-manager:31445:MainThread @managercli.py:175 - Error loading certificate
Traceback (most recent call last):
  File "/sbin/subscription-manager", line 81, in <module>
    sys.exit(abs(main() or 0))
  File "/sbin/subscription-manager", line 72, in main
    return managercli.ManagerCLI().main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 2744, in main
    return CLI.main(self)
  File "/usr/lib/python2.7/site-packages/subscription_manager/cli.py", line 160, in main
    return cmd.main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 526, in main
    return_code = self._do_command()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1070, in _do_command
    self.installed_mgr = inj.require(inj.INSTALLED_PRODUCTS_MANAGER)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 433, in __init__
    self._setup_installed()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 488, in _setup_installed
    for prod_cert in self.product_dir.list():
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 228, in list
    installed_prod_list = self.installed_prod_dir.list()
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 121, in list
    listing.append(create_from_file(path))
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate.py", line 59, in create_from_file
    return _CertFactory().create_from_file(path)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 70, in create_from_file
    return self._read_x509(_certificate.load(path), path, pem)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 82, in _read_x509
    raise CertificateException("Error loading certificate")
CertificateException: Error loading certificate

This was originally found in python-rhsm-1.17.9-1.el7.x86_64

It would be much more helpful if the python-rhsm error included which certificate it could not load.

Comment 3 Rehana 2017-10-26 12:25:39 UTC
Reproducing the failure on python-rhsm-1.17.9-1.el7.x86_64 (on rhel73 machine)

subscription management server: 2.0.41-1
subscription management rules: 5.26
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7

Steps
=====
1) Have one or more product id files
[root@kvm-02-guest07 ~]# ls /etc/pki/product
100000000000000.pem   100000000000002.pem  100000000000006.pem  100000000000060.pem  213412341234.pem  213412341237.pem  37060.pem  37067.pem  37070.pem  37091.pem  6050.pem  806.pem    908.pem
100000000000001.pem   100000000000003.pem  100000000000011.pem  100000000000069.pem  213412341235.pem  27060.pem         37062.pem  37068.pem  37080.pem  5050.pem   6051.pem  88888.pem  917571.pem
1000000000000023.pem  100000000000005.pem  100000000000020.pem  1.pem                213412341236.pem  32060.pem         37065.pem  37069.pem  37090.pem  5051.pem   801.pem   900.pem    98121.pem
[root@kvm-02-guest07 ~]# ls /etc/pki/product-default/
69.pem


2) Modify the product cert file with junk values
vi /etc/pki/product-default/69.pem

3) Execute subscription-manager list --installed
[root@kvm-02-guest07 ~]# subscription-manager  list --installed
Error loading certificate

rhsm.log 
===========

2017-10-26 08:21:17,674 [INFO] subscription-manager:28056:MainThread @managercli.py:384 - Client Versions: {'python-rhsm': '1.17.9-1.el7', 'subscription-manager': '1.17.15-1.el7'}
2017-10-26 08:21:17,675 [INFO] subscription-manager:28056:MainThread @connection.py:830 - Connection built: host=subscription.rhsm.redhat.com port=443 handler=/subscription auth=identity_cert ca_dir=/etc/rhsm/ca/ verify=False
2017-10-26 08:21:17,675 [INFO] subscription-manager:28056:MainThread @connection.py:830 - Connection built: host=subscription.rhsm.redhat.com port=443 handler=/subscription auth=none
2017-10-26 08:21:17,699 [ERROR] subscription-manager:28056:MainThread @managercli.py:174 - exception caught in subscription-manager
Error loading certificate
2017-10-26 08:21:17,700 [ERROR] subscription-manager:28056:MainThread @managercli.py:175 - Error loading certificate
Traceback (most recent call last):
  File "/usr/sbin/subscription-manager", line 81, in <module>
    sys.exit(abs(main() or 0))
  File "/usr/sbin/subscription-manager", line 72, in main
    return managercli.ManagerCLI().main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 2744, in main
    return CLI.main(self)
  File "/usr/lib/python2.7/site-packages/subscription_manager/cli.py", line 160, in main
    return cmd.main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 526, in main
    return_code = self._do_command()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 2294, in _do_command
    iproducts = get_installed_product_status(self.product_dir, self.entitlement_dir, self.cp, self.options.filter_string)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 238, in get_installed_product_status
    sorter = inj.require(inj.CERT_SORTER)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cert_sorter.py", line 322, in __init__
    self.installed_mgr = inj.require(inj.INSTALLED_PRODUCTS_MANAGER)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 433, in __init__
    self._setup_installed()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 488, in _setup_installed
    for prod_cert in self.product_dir.list():
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 229, in list
    default_prod_list = self.default_prod_dir.list()
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 121, in list
    listing.append(create_from_file(path))
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate.py", line 59, in create_from_file
    return _CertFactory().create_from_file(path)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 70, in create_from_file
    return self._read_x509(_certificate.load(path), path, pem)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 82, in _read_x509
    raise CertificateException("Error loading certificate")
CertificateException: Error loading certificate

Comment 4 Shwetha Kallesh 2017-11-10 09:15:32 UTC
Marking this bug as verified; for the multiple corrupt cert issue, the following bug has been logged:

https://bugzilla.redhat.com/show_bug.cgi?id=1506958

[root@dhcp35-121 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 2.2.0-1
subscription management rules: 5.26
subscription-manager: 1.20.5-1.el7


[root@dhcp35-121 ~]# ls /etc/pki/product/
100000000000000.pem   100000000000003.pem  100000000000020.pem  213412341234.pem  27060.pem  37065.pem  37070.pem  5050.pem  801.pem    908.pem
100000000000001.pem   100000000000005.pem  100000000000060.pem  213412341235.pem  

Modified the product cert file with junk values
vi /etc/pki/product-default/69.pem

[root@dhcp35-121 ~]# ls /etc/pki/product-default/
 69.pem 

[root@dhcp35-121 ~]# subscription-manager list --installed
System certificates corrupted. Please reregister.

[root@dhcp35-121 ~]# tail -f /var/log/rhsm/rhsm.log 
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))
error: Tunnel connection failed: 407 Proxy Authentication Required
2017-11-10 14:29:06,136 [ERROR] subscription-manager:4442:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2017-11-10 14:29:06,143 [INFO] subscription-manager:4442:MainThread @managercli.py:453 - X-Correlation-ID: bb4351be7527421d8edc3a69bb52f360
2017-11-10 14:29:06,144 [INFO] subscription-manager:4442:MainThread @managercli.py:342 - Client Versions: {'python-rhsm': '0.0.0-1', 'subscription-manager': '1.20.5-1.el7'}
2017-11-10 14:29:06,144 [INFO] subscription-manager:4442:MainThread @connection.py:836 - Connection built: host=F21-candlepin.usersys.redhat.com port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2017-11-10 14:29:06,145 [INFO] subscription-manager:4442:MainThread @connection.py:836 - Connection built: host=F21-candlepin.usersys.redhat.com port=8443 handler=/candlepin auth=none
2017-11-10 14:29:06,175 [ERROR] subscription-manager:4442:MainThread @managercli.py:506 - Error loading certificate: /etc/pki/product-default/69.pem
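
An added illustration (not python-rhsm or subscription-manager code, and not part of the original report): a pre-check over product certificate directories that keeps going past the first bad file and names each one, using the message format from the verified log line above. The function names, the constructed sample files and the check itself (PEM armor, base64 body, outer DER SEQUENCE length; not X.509 parsing) are assumptions of this example.

```python
import base64
import pathlib
import re
import tempfile

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def structural_problem(data):
    """Reason data fails a structural PEM/DER check, else None (not X.509 parsing)."""
    match = PEM_RE.search(data)
    if not match:
        return "no PEM certificate block"
    try:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except ValueError:
        return "invalid base64 body"
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        return "not a definite-length DER SEQUENCE"
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        offset += length & 0x7F
        length = int.from_bytes(der[2:offset], "big")
    return None if offset + length == len(der) else "DER length mismatch"


def scan_cert_dirs(dirs):
    """Check every *.pem in dirs; keep going and name each file that fails."""
    failures = []
    for directory in dirs:
        for path in sorted(pathlib.Path(directory).glob("*.pem")):
            reason = structural_problem(path.read_bytes())
            if reason:
                failures.append("Error loading certificate: %s (%s)" % (path, reason))
    return failures


def demo():
    """Constructed sample: a placeholder DER SEQUENCE (not a real cert) and junk."""
    root = pathlib.Path(tempfile.mkdtemp())
    good = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    for rel, body in (("product/1.pem", good), ("product-default/69.pem", b"junk\n")):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    return [m.replace(str(root), "") for m in scan_cert_dirs(sorted(root.iterdir()))]


if __name__ == "__main__":
    print("\n".join(demo()))
```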

Comment 7 errata-xmlrpc 2018-04-10 09:47:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0681