Bug 2076522

Summary: RFE: For dnf operations against Red Hat CDN, enable OCSP stapling verification
Product: Red Hat Enterprise Linux 8
Reporter: Rehana <redakkan>
Component: subscription-manager
Assignee: Pino Toscano <ptoscano>
Status: CLOSED ERRATA
QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: unspecified
Priority: unspecified
Version: 8.6
CC: candlepin-bugs, cdonnell, jpazdziora, jsefler, jwboyer, lmiksik, ptoscano, redakkan, rhsm-qe, toneata, zpetrace
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.7
Hardware: Unspecified
OS: Unspecified
Fixed In Version: subscription-manager-1.28.31-1.el8
Doc Type: Enhancement
Clone Of: 2075455
Clones: 2079848
Last Closed: 2022-11-08 10:48:23 UTC
Type: Bug
Bug Depends On: 2075455
Bug Blocks: 2079848

Comment 5 Zdenek Petracek 2022-06-21 12:26:03 UTC
Pre-verification:
version:
[root@kvm-01-guest05 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.30+22.g6b7192ef5-1.git.0.c1d69c7

1.scenario:

copying certs:
[root@newcandlepin ~]# scp /etc/candlepin/certs/candlepin-ca.crt kvm-01-guest05.lab.eng.brq.redhat.com:/etc/rhsm/ca/candlepin-caem 
The authenticity of host 'kvm-01-guest05.lab.eng.brq.redhat.com (10.37.153.118)' can't be established.
ECDSA key fingerprint is SHA256:49Xy7SJw4OsriCd4HbDev92q+rZmVgFBGsOuYAik0p0.
ECDSA key fingerprint is MD5:73:f1:80:76:f5:01:d0:21:36:06:a8:2a:47:04:79:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kvm-01-guest05.lab.eng.brq.redhat.com,10.37.153.118' (ECDSA) to the list of known hosts.
root.eng.brq.redhat.com's password: 
candlepin-ca.crt                                                                                100% 2029    11.7KB/s   00:00    

scp /home/candlepin/candlepin/generated_certs/3* kvm-01-guest05.lab.eng.brq.redhat.com:/etc/pki/product/
root.eng.brq.redhat.com's password: 
32060.pem                                                                                       100% 2090    12.2KB/s   00:00    
37060.pem                                                                                       100% 2078    11.1KB/s   00:00    
37062.pem                                                                                       100% 2098    12.7KB/s   00:00    
37065.pem                                                                                       100% 2082    12.2KB/s   00:00    
37067.pem                                                                                       100% 2090    12.7KB/s   00:00    
37068.pem                                                                                       100% 2094    12.7KB/s   00:00    
37069.pem                                                                                       100% 2082    12.7KB/s   00:00    
37070.pem                                                                                       100% 2090    12.7KB/s   00:00    
37080.pem                                                                                       100% 2078    12.7KB/s   00:00    
37090.pem                                                                                       100% 2074    12.6KB/s   00:00    
37091.pem                                                                                       100% 2074    12.6KB/s   00:00    
38070.pem                                                                                       100% 2074    12.0KB/s   00:00    
38072.pem                                                                                       100% 2061    12.4KB/s   00:00    

registering:
[root@kvm-01-guest05 ~]# subscription-manager register
Registering to: 10.70.35.79:8443/candlepin
Username: admin
Password: 
Hint: User "admin" is member of following organizations: admin, snowwhite, donaldduck
Organization: admin
The system has been registered with ID: e811ed6e-690c-4fec-ac51-82354bb03273
The registered system name is: kvm-01-guest05.lab.eng.brq.redhat.com

[root@kvm-01-guest05 yum.repos.d]# cat redhat.repo
.
.
.
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/839396439667318030-key.pem
sslclientcert = /etc/pki/entitlement/839396439667318030.pem
sslverifystatus = 1
enabled_metadata = 0
^sslverifystatus is set there --> PASSED

2.scenario:

copying certs:
[root@newcandlepin ~]# scp /etc/candlepin/certs/candlepin-ca.crt kvm-01-guest05.lab.eng.brq.redhat.com:/etc/rhsm/ca/candlepin-caem 
The authenticity of host 'kvm-01-guest05.lab.eng.brq.redhat.com (10.37.153.118)' can't be established.
ECDSA key fingerprint is SHA256:49Xy7SJw4OsriCd4HbDev92q+rZmVgFBGsOuYAik0p0.
ECDSA key fingerprint is MD5:73:f1:80:76:f5:01:d0:21:36:06:a8:2a:47:04:79:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kvm-01-guest05.lab.eng.brq.redhat.com,10.37.153.118' (ECDSA) to the list of known hosts.
root.eng.brq.redhat.com's password: 
candlepin-ca.crt                                                                                100% 2029    11.7KB/s   00:00    

scp /home/candlepin/candlepin/generated_certs/3* kvm-01-guest05.lab.eng.brq.redhat.com:/etc/pki/product/
root.eng.brq.redhat.com's password: 
32060.pem                                                                                       100% 2090    12.2KB/s   00:00    
37060.pem                                                                                       100% 2078    11.1KB/s   00:00    
37062.pem                                                                                       100% 2098    12.7KB/s   00:00    
37065.pem                                                                                       100% 2082    12.2KB/s   00:00    
37067.pem                                                                                       100% 2090    12.7KB/s   00:00    
37068.pem                                                                                       100% 2094    12.7KB/s   00:00    
37069.pem                                                                                       100% 2082    12.7KB/s   00:00    
37070.pem                                                                                       100% 2090    12.7KB/s   00:00    
37080.pem                                                                                       100% 2078    12.7KB/s   00:00    
37090.pem                                                                                       100% 2074    12.6KB/s   00:00    
37091.pem                                                                                       100% 2074    12.6KB/s   00:00    
38070.pem                                                                                       100% 2074    12.0KB/s   00:00    
38072.pem                                                                                       100% 2061    12.4KB/s   00:00    

registering:
[root@kvm-01-guest05 ~]# subscription-manager register
Registering to: 10.70.35.79:8443/candlepin
Username: admin
Password: 
Hint: User "admin" is member of following organizations: admin, snowwhite, donaldduck
Organization: admin
The system has been registered with ID: e811ed6e-690c-4fec-ac51-82354bb03273
The registered system name is: kvm-01-guest05.lab.eng.brq.redhat.com

[root@kvm-01-guest05 yum.repos.d]# cat redhat.repo
.
.
.
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/839396439667318030-key.pem
sslclientcert = /etc/pki/entitlement/839396439667318030.pem
sslverifystatus = 1
enabled_metadata = 0

[root@kvm-01-guest05 subscription_manager]# grep has_ssl_verify_status repolib.py
        has_ssl_verify_status = self.get_consumer_auth_cp().has_capability("ssl_verify_status")
	has_ssl_verify_status = False

[root@kvm-01-guest05 subscription_manager]# yum repolist
.
.

[root@kvm-01-guest05 ~]# cat /etc/yum.repos.d/redhat.repo
.
.
.
[content-label-no-gpg-32060]
name = content-nogpg-32060
baseurl = https://cdn.redhat.com/foo/path/no_gpg/32060234
enabled = 0
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/849263844005999079-key.pem
sslclientcert = /etc/pki/entitlement/849263844005999079.pem
sslverifystatus = 0
enabled_metadata = 0
^sslverifystatus was set to 0 after manually configuring repolib.py --> PASSED

3.scenario:

[root@kvm-01-guest05 ~]# subscription-manager config --server.proxy_hostname=auto-services.usersys.redhat.com --server.proxy_port=3127 --server.proxy_user=redhat --server.proxy_password=redhat --server.proxy_scheme=https

[root@kvm-01-guest05 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracePH03
Password: 
The system has been registered with ID: c573e4ab-4e3c-4909-bac9-dc1f7607a3fc
The registered system name is: kvm-01-guest05.lab.eng.brq.redhat.com

[root@kvm-01-guest05 subscription_manager]# grep has_ssl_verify_status /usr/lib64/python3.6/site-packages/subscription_manager/repolib.py
        has_ssl_verify_status = self.get_consumer_auth_cp().has_capability("ssl_verify_status")
            if has_ssl_verify_status:
	has_ssl_verify_status = False

[zpetracek@fedora ~]$ ssh root.redhat.com
The authenticity of host 'auto-services.usersys.redhat.com (10.8.30.63)' can't be established.
ED25519 key fingerprint is SHA256:oiv0PSJXlOdzfc1F8/mk82Gd+mfUukV58jPUf7O02HE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'auto-services.usersys.redhat.com' (ED25519) to the list of known hosts.
sign_and_send_pubkey: signing failed for ECDSA "rhsm-qe.redhat.com" from agent: agent refused operation
root.redhat.com's password: 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sun Jun 12 11:27:30 2022 from 10.22.32.68

[root@kvm-01-guest05 subscription_manager]# yum install zsh
.
.
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                  1/1 
  Installing       : zsh-5.5.1-10.el8.x86_64                                                                                                                          1/1 
  Running scriptlet: zsh-5.5.1-10.el8.x86_64                                                                                                                          1/1 
  Verifying        : zsh-5.5.1-10.el8.x86_64                                                                                                                          1/1 

Installed:
  zsh-5.5.1-10.el8.x86_64                                                                                                                                                 

Complete!
^ when connected to the proxy server I was able to see the traffic --> PASSED

Comment 8 Zdenek Petracek 2022-07-14 13:22:45 UTC
SUB-MAN version:
[root@kvm-01-guest21 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.0.18-2
subscription management rules: 5.41
subscription-manager: 1.28.31-1.el8


1.scenario:

copying certs:
[root@newcandlepin ~]# scp /etc/candlepin/certs/candlepin-ca.crt root.eng.brq.redhat.com:/etc/rhsm/ca/candlepin-ca.pem
root.eng.brq.redhat.com's password: 
[root@newcandlepin ~]# scp /etc/candlepin/certs/candlepin-ca.crt root.eng.brq.redhat.com:/etc/rhsm/ca/candlepin-ca.pem
The authenticity of host 'kvm-01-guest21.lab.eng.brq.redhat.com (10.37.153.134)' can't be established.
ECDSA key fingerprint is SHA256:qQZTUMovmQKmrzvdHUOshSLDDm1bfsML8G7NJlxuOWA.
ECDSA key fingerprint is MD5:28:f2:76:0f:60:18:9a:33:a5:ee:6a:b4:f3:45:c5:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kvm-01-guest21.lab.eng.brq.redhat.com,10.37.153.134' (ECDSA) to the list of known hosts.
root.eng.brq.redhat.com's password: 
candlepin-ca.crt                                                          100% 2029    12.2KB/s   00:00    

[root@newcandlepin ~]# scp /home/candlepin/candlepin/generated_certs/3* kvm-01-guest21.lab.eng.brq.redhat.com:/etc/pki/product/
root.eng.brq.redhat.com's password: 
32060.pem                                                                 100% 2090    12.7KB/s   00:00    
37060.pem                                                                 100% 2078    12.6KB/s   00:00    
37062.pem                                                                 100% 2098    12.4KB/s   00:00    
37065.pem                                                                 100% 2082    12.7KB/s   00:00    
37067.pem                                                                 100% 2090    12.6KB/s   00:00    
37068.pem                                                                 100% 2094    12.5KB/s   00:00    
37069.pem                                                                 100% 2082    12.5KB/s   00:00    
37070.pem                                                                 100% 2090    12.7KB/s   00:00    
37080.pem                                                                 100% 2078    12.6KB/s   00:00    
37090.pem                                                                 100% 2074    12.6KB/s   00:00    
37091.pem                                                                 100% 2074    12.6KB/s   00:00    
38070.pem                                                                 100% 2074    12.6KB/s   00:00    
38072.pem                                                                 100% 2061    12.5KB/s   00:00    

registering:
[root@kvm-01-guest21 ~]# subscription-manager register
Registering to: 10.70.35.79:8443/candlepin
Username: admin
Password: 
Hint: User "admin" is member of following organizations: admin, snowwhite, donaldduck
Organization: admin
The system has been registered with ID: 2550dbcf-55d8-4cce-8706-702dc1353747
The registered system name is: kvm-01-guest21.lab.eng.brq.redhat.com


^sslverifystatus is set there --> PASSED

2.scenario:

Certificates were already copied so I skipped that here

[root@kvm-01-guest21 yum.repos.d]# cat redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# *** This file is auto-generated.  Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#

[content-label-no-gpg-32060]
name = content-nogpg-32060
baseurl = https://cdn.redhat.com/foo/path/no_gpg/32060234
enabled = 0
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/1668783483455714074-key.pem
sslclientcert = /etc/pki/entitlement/1668783483455714074.pem
sslverifystatus = 1
enabled_metadata = 0

[root@kvm-01-guest21 ~]# grep has_ssl_verify_status repolib.py
        has_ssl_verify_status = self.get_consumer_auth_cp().has_capability("ssl_verify_status")
	has_ssl_verify_status = False
[root@kvm-01-guest21 ~]# yum repolist
.
.
[root@kvm-01-guest21 ~]# cat /etc/yum.repos.d/redhat.repo
.
.
.
[content-label-no-gpg-32060]
name = content-nogpg-32060
baseurl = https://cdn.redhat.com/foo/path/no_gpg/32060234
enabled = 0
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/1668783483455714074-key.pem
sslclientcert = /etc/pki/entitlement/1668783483455714074.pem
sslverifystatus = 0
enabled_metadata = 0
^sslverifystatus was set to 0 after manually configuring repolib.py --> PASSED

3.scenario:

[root@kvm-01-guest21 ~]# subscription-manager config --server.proxy_hostname=auto-services.usersys.redhat.com --server.proxy_port=3127 --server.proxy_user=redhat --server.proxy_password=redhat --server.proxy_scheme=https

registering:
[root@kvm-01-guest21 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracePH03
Password: 
The system has been registered with ID: 762b0e86-7aab-4d8c-bcd8-abe30ba51a9b
The registered system name is: kvm-01-guest21.lab.eng.brq.redhat.com

[root@kvm-01-guest21 ~]# grep has_ssl_verify_status /usr/lib64/python3.6/site-packages/subscription_manager/repolib.py
        has_ssl_verify_status = self.get_consumer_auth_cp().has_capability("ssl_verify_status")
	has_ssl_verify_status = False

[zpetracek@ibm-p8-02 ~]$ ssh root.redhat.com
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Jul  1 17:39:22 2022 from 10.22.16.18

[root@kvm-01-guest21 ~]# yum install zsh
.
.
.
Total                                                                        15 MB/s | 2.9 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                    1/1 
  Installing       : zsh-5.5.1-10.el8.x86_64                                                            1/1 
  Running scriptlet: zsh-5.5.1-10.el8.x86_64                                                            1/1 
  Verifying        : zsh-5.5.1-10.el8.x86_64                                                            1/1 

Installed:
  zsh-5.5.1-10.el8.x86_64                                                                                   

Complete!
^ when connected to the proxy server I was able to see the traffic --> PASSED
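The verification runs in Comment 5 and Comment 8 exercise the same two things: subscription-manager writes `sslverifystatus = 1` into redhat.repo only when the Candlepin server advertises the `ssl_verify_status` capability (the `has_capability("ssl_verify_status")` line in the repolib.py grep output), and flipping that gate produces `sslverifystatus = 0`. The Python below is an added example, not subscription-manager's code: it models that capability gate with a hypothetical `server_capabilities` set, then audits a redhat.repo text for https repos whose TLS settings fall short of the baseline shown on this page (`sslverify = 1`, a pinned `sslcacert`, and `sslverifystatus = 1` so dnf requires a stapled OCSP response). The section label and baseurl are copied from the excerpts above; the entitlement serial, the "old-server" section and the tampered section are constructed for the example.

```python
"""Added example (not subscription-manager code): model the ssl_verify_status
capability gate and audit redhat.repo for weakened TLS settings."""
import configparser

# Constructed capability sets standing in for what the Candlepin server
# advertises; the real client asks
# get_consumer_auth_cp().has_capability("ssl_verify_status"). Hypothetical.
CAPS_WITH_OCSP = frozenset({"ssl_verify_status", "cert_v3"})
CAPS_WITHOUT_OCSP = frozenset({"cert_v3"})

# Constructed: a section as it might look after a careless manual edit.
# redhat.repo is auto-generated, so such edits are overwritten on the next
# refresh; they are shown here only to exercise the audit.
TAMPERED_SECTION = """[content-label-tampered]
name = content-tampered
baseurl = https://cdn.redhat.com/foo/path/tampered/1
enabled = 1
gpgcheck = 0
sslverify = 0
sslverifystatus = 0
"""


def render_repo_section(label, name, baseurl, cert_serial, server_capabilities):
    """Return one redhat.repo section as text.

    sslverifystatus is written as 1 only when the server advertises the
    ssl_verify_status capability, approximating the gate visible in the
    repolib.py grep output (if has_ssl_verify_status: ...). This is an
    illustration of that rule, not the project's generator.
    """
    verify_status = 1 if "ssl_verify_status" in server_capabilities else 0
    lines = [
        f"[{label}]",
        f"name = {name}",
        f"baseurl = {baseurl}",
        "enabled = 1",
        "gpgcheck = 1",
        "sslverify = 1",
        "sslcacert = /etc/rhsm/ca/redhat-uep.pem",
        f"sslclientkey = /etc/pki/entitlement/{cert_serial}-key.pem",
        f"sslclientcert = /etc/pki/entitlement/{cert_serial}.pem",
        f"sslverifystatus = {verify_status}",
        "enabled_metadata = 0",
    ]
    return "\n".join(lines) + "\n"


def _is_true(value):
    """dnf accepts several spellings of a boolean; subscription-manager writes 1/0."""
    return value is not None and value.strip().lower() in {"1", "true", "yes", "on"}


def audit_repo_file(text):
    """Parse redhat.repo text and return {section: [problems]} for every https
    repo below the baseline (sslverify on, sslcacert set, sslverifystatus on).
    Clean sections are omitted; http repos are skipped, nothing can be stapled there.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        sec = parser[section]
        if not sec.get("baseurl", "").lower().startswith("https://"):
            continue
        problems = []
        # dnf defaults sslverify to on when absent, so only an explicit off is flagged
        if not _is_true(sec.get("sslverify", "1")):
            problems.append("sslverify off: server certificate is not verified")
        if not sec.get("sslcacert"):
            problems.append("sslcacert missing: CDN CA is not pinned")
        # dnf defaults sslverifystatus to off when absent, so absence is flagged
        if not _is_true(sec.get("sslverifystatus", "0")):
            problems.append("sslverifystatus off: stapled OCSP response not required")
        if problems:
            findings[section] = problems
    return findings


def demo():
    """Render two generated sections plus the tampered one and audit them all."""
    good = render_repo_section(
        "content-label-no-gpg-32060", "content-nogpg-32060",
        "https://cdn.redhat.com/foo/path/no_gpg/32060234",
        "1668783483455714074", CAPS_WITH_OCSP)
    old_server = render_repo_section(
        "content-label-old-server", "content-old-server",
        "https://cdn.redhat.com/foo/path/old/1",
        "1668783483455714074", CAPS_WITHOUT_OCSP)
    return audit_repo_file(good + "\n" + old_server + "\n" + TAMPERED_SECTION)


if __name__ == "__main__":
    for section, problems in demo().items():
        print(section)
        for problem in problems:
            print("  -", problem)
```

Running the script prints findings for the "old-server" section (generated against a server without the capability, so `sslverifystatus = 0`) and for the tampered section, and nothing for the section generated against a capable server. Two caveats for anyone turning this into a check: redhat.repo is regenerated by subscription-manager, so the supported way to change a value is `subscription-manager repo-override`, as the file header says, not a hand edit; and with `sslverifystatus = 1` libcurl fails the connection outright if the server sends no stapled OCSP response, so the setting only belongs on repos whose CDN actually staples.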

Comment 12 errata-xmlrpc 2022-11-08 10:48:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:7719