Bug 1452075

Summary: register --force option when provided with --serverurl option throws [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)
Product: Red Hat Enterprise Linux 7 Reporter: Shwetha Kallesh <skallesh>
Component: subscription-managerAssignee: Jiri Hnidek <jhnidek>
Status: CLOSED ERRATA QA Contact: John Sefler <jsefler>
Severity: low Docs Contact:
Priority: low    
Version: 7.4CC: jhnidek, khowell, redakkan, skallesh
Target Milestone: rcKeywords: StringChange, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: subscription-manager-1.19.18-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 19:23:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Shwetha Kallesh 2017-05-18 09:54:32 UTC 
Description of problem:
register --force option when provided with --serverurl option throws [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)

Version-Release number of selected component (if applicable):
[root@dhcp71-112 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.23-1
subscription management rules: 5.15.1
subscription-manager: 1.19.14-1.el7
python-rhsm: 1.19.6-1.el7


How reproducible:


Steps to Reproduce:
[root@dhcp71-112 ~]# subscription-manager register --force --serverurl Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Unregistering from: Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Unregister failed: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)


Actual results:
Unregistering from: Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Unregister failed: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)


Expected results:
Unregistering from:  Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Invalid credentials.

Additional info:
Comment 2 Kevin Howell 2017-05-18 15:00:37 UTC 
Shwetha, what is the value of insecure (in section server) in rhsm.conf? This behavior is expected if:
1) The candlepin you are unregistering from uses an untrusted cert.
2) The value of insecure is 0.
Comment 3 Shwetha Kallesh 2017-05-19 06:56:01 UTC 
Kevin,


[root@dhcp71-112 ~]# cat /etc/rhsm/rhsm.conf| grep insecure
insecure = 0

       inscure value in rhsm.conf is 0 but I believe we can throw a better a message than "[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)".
Comment 4 Kevin Howell 2017-05-22 14:12:25 UTC 
What we'll do is change the language to what we use in other places for SSL issues: _('Unable to verify server\'s identity: %s')
Comment 6 Shwetha Kallesh 2017-06-08 13:42:17 UTC 
[root@dhcp35-135 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.0.33-1
subscription management rules: 5.23
subscription-manager: 1.19.18-1.el7
python-rhsm: 1.19.9-1.el7


[root@dhcp35-135 ~]# cat /etc/rhsm/rhsm.conf| grep insecure
insecure = 0


[root@dhcp35-135 ~]# subscription-manager register --force --serverurl skallesh-candlepin.usersys.redhat.com:8443/candlepin
Unregistering from: skallesh-candlepin.usersys.redhat.com:8443/candlepin
Unable to verify server's identity: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)
Comment 7 errata-xmlrpc 2017-08-01 19:23:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2083