Bug 2126981

Summary: [RFE] Improved error messages with subscription-manager
Product: Red Hat Enterprise Linux 9
Component: subscription-manager
Version: 9.0
Reporter: Pino Toscano <ptoscano>
Assignee: Pino Toscano <ptoscano>
QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
CC: candlepin-bugs, fj-lsoft-tool-rh, jsefler, jvaldez, mfuruta, ptoscano, redakkan, rhsm-qe, rjerrido
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: FutureFeature, Triaged
Target Milestone: rc
Target Release: 9.2
Hardware: Unspecified
OS: Unspecified
Fixed In Version: subscription-manager-1.29.32-1.el9
Doc Type: Enhancement
Clone Of: 1971995
Last Closed: 2023-05-09 08:18:42 UTC
Type: Bug

Description Pino Toscano 2022-09-15 03:39:18 UTC
+++ This bug was initially created as a clone of Bug #1971995 +++

In many cases with complex environments, especially those with proxy servers, users will get hard-to-decipher error messages with subscription-manager.

This RFE covers improving the sometimes cryptic error messages of

“Invalid credentials.”
• Corresponding KBase: https://access.redhat.com/solutions/2435981

And
“Network error. Please check the connection details, or see /var/log/rhsm/rhsm.log for more information.”
• Corresponding KBase: https://access.redhat.com/articles/4398051

In both scenarios, additional troubleshooting steps could be provided in the error message itself. 

Alternatively, the error message can direct the user to the corresponding KCS document.

--- Additional comment from Pino Toscano on 2022-09-15 05:36:32 CEST ---

Following an internal team discussion, we decided to improve some of the error messages to print more information on what actually happened. This should be hopefully helpful and actionable for users.

In particular, this BZ will cover the following cases:


* "Network error, unable to connect to server. Please see ..."

This represents a number of network related issues.

For any error related to the network name resolution, the proposed error message is:
| Network error: <error message> (error code <error code>)

for example:
| Network error: Name or service not known (error code -2)

For any error related to the network connection itself, the proposed error message is:
| Connection error: <error message> (error code <error code>)

for example:
| Connection error: Connection refused (error code 111)

In both cases, the error message/code is as reported by the low level network bits in the Linux stack.


* "Network error. Please check the connection details, ..."

Despite the "network" mention, this represents a reply from the server in case the content cannot be parsed as JSON, and the HTTP error code is different than 200, 202, 204, 304, 401, 403, 404, 410, 429, 500, 502, 503, 504.

In case there is content in the server reply, the proposed error message is:
| Unknown server reply (HTTP error code <error code>: <error message>):
| <content>

for example:
| Unknown server reply (HTTP error code 400: Bad Request):
| <html>
| <body>
| [etc]

In case there is no content in the server reply, the proposed error message is:
| Unknown server reply (HTTP error code <error code>: <error message>)

for example:
| Unknown server reply (HTTP error code 400: Bad Request)


* "Proxy connection failed, please check your settings."

This represents errors related to the connection to the proxy server.

For any error related to the network name resolution of the proxy server, the proposed error message is:
| Proxy error: proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:
| Proxy error: proxy_hostname:proxy_port: Name or service not known (error code -2)

For any error related to the connection to the proxy server, the proposed error message is:
| Proxy error: unable to connect to proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:
| Proxy error: unable to connect to proxy_hostname:proxy_port: Connection refused (error code 111)

The error message/code is as reported by the low level network bits in the Linux stack.


* "Unable to reach the server at <host>:<port>/<path>"

This error is printed when the initial connection to the entitlement server cannot be established; usually it refers to proxy errors.

For any error related to the connection to the proxy server, the proposed error message is:
| Unable to reach the server at hostname:port/path: <error message>

for example:
| Unable to reach the server at hostname:port/path: Tunnel connection failed: 500 Unable to connect
| Unable to reach the server at hostname:port/path: Tunnel connection failed: 407 Proxy Authentication Required


* "Bad CA certificate: <file>"

This error is printed when any of the .pem files in the CA directory of subscription-manager (the default is /etc/rhsm/ca/) is not a valid PEM file with certificates. This generally should not happen, unless a custom faulty certificate is added to that directory.

The proposed error message is:
| Bad CA certificate: <file>: <error message>

for example:
| Bad CA certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by the Python ssl module or OpenSSL directly.


* "System certificates corrupted. Please reregister."

This error is printed when any of the product .pem files in /etc/pki/product-default/ is not a valid PEM file with certificates. This generally should not happen, as the certificates in that directory are provided by Red Hat.

The proposed error message is:
| Bad product certificate: <file>: <error message>

for example:
| Bad product certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by the Python ssl module or OpenSSL directly.
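
A pre-flight check for the two certificate cases above, as an added example that is not subscription-manager's own code: it loads every .pem file in a directory with Python's ssl module and reports the ones that fail, using the proposed "Bad CA certificate: <file>: <error message>" format. The function names and the temporary sample files are assumptions constructed for this illustration.

```python
import ssl
import tempfile
from pathlib import Path


def check_pem_dir(directory):
    """Return {path: message} for every .pem file that fails to load.

    Each file is loaded into its own throwaway SSLContext, so one faulty
    file cannot hide another and no real trust store is modified.
    """
    failures = {}
    for pem in sorted(Path(directory).glob("*.pem")):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cafile=str(pem))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            # Same shape as the proposed message; the text after the file
            # name is whatever the ssl module / OpenSSL reported.
            failures[str(pem)] = f"Bad CA certificate: {pem}: {exc}"
    return failures


def demo():
    """Scan a constructed directory holding two faulty .pem files."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample input: an empty file (what `touch` creates)
        # and a file whose content is not PEM at all.
        (Path(tmp) / "empty.pem").touch()
        (Path(tmp) / "garbage.pem").write_text("this is not a certificate\n")
        (Path(tmp) / "notes.txt").write_text("ignored: not a .pem file\n")
        return {Path(p).name: msg for p, msg in check_pem_dir(tmp).items()}


if __name__ == "__main__":
    for message in demo().values():
        print(message)
```

Pointing `check_pem_dir` at a CA directory such as /etc/rhsm/ca/ before registering lists every faulty file in one pass, rather than one per failed run.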

Comment 1 John Sefler 2022-11-29 18:27:38 UTC
Preliminary testing with proxy servers, a local Candlepin with TESTDATA deployed, and component version 1.29.31+39...
[root@kvm-04-guest02 ~]# rpm -q subscription-manager
subscription-manager-1.29.31+39.g3e3e9aadd-1.git.0.7d023af.x86_64
[root@kvm-04-guest02 ~]# subscription-manager config --server.hostname=jsefler-cp0.usersys.redhat.com
[root@kvm-04-guest02 ~]# subscription-manager config --server.prefix=/candlepin
[root@kvm-04-guest02 ~]# subscription-manager config --server.port=8443


Using the "Improved subscription-manager error messages" design document as the structure for this pre-verification...


> Pre-verifying improvements for old error message: Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information

[root@kvm-04-guest02 ~]# subscription-manager config --server.hostname=jsefler-cp0.usersys.redhat.com.BAD
[root@kvm-04-guest02 ~]# subscription-manager register --username=testuser1 --org=admin
Registering to: jsefler-cp0.usersys.redhat.com.BAD:8443/candlepin
Password: 
Network error: Name or service not known (error code -2)   <==== PRE-VERIFIED
[root@kvm-04-guest02 ~]# echo $?
70
[root@kvm-04-guest02 ~]# subscription-manager config --server.hostname=jsefler-cp0.usersys.redhat.com

[root@kvm-04-guest02 ~]# subscription-manager config --server.port=0
[root@kvm-04-guest02 ~]# subscription-manager register --username=testuser1 --org=admin
Registering to: jsefler-cp0.usersys.redhat.com:0/candlepin
Password: 
Connection error: Connection refused (error code 111)   <==== PRE-VERIFIED
[root@kvm-04-guest02 ~]# echo $?
70
[root@kvm-04-guest02 ~]# subscription-manager config --server.port=8443


> Pre-verifying improvements for old error message: Network error. Please check the connection details, or see /var/log/rhsm/rhsm.log for more information.

RISK: I was unable to pre-verify the improved message "Unknown server reply (HTTP error code <error code>: <error message>)" because I could not figure out a way to force the server to reply with non-json.


> Pre-verifying improvements for old error message: Proxy connection failed, please check your settings.

[root@kvm-04-guest02 ~]# subscription-manager register --proxy=BAD
Proxy error: unable to connect to BAD:3128: Name or service not known (error code -2)   <==== PRE-VERIFIED
[root@kvm-04-guest02 ~]# echo $?
69

[root@kvm-04-guest02 ~]# subscription-manager register --proxy=auto-services.usersys.redhat.com:9999
Proxy error: unable to connect to auto-services.usersys.redhat.com:9999: Connection refused (error code 111)   <==== PRE-VERIFIED
[root@kvm-04-guest02 ~]# echo $?
69


> Pre-verifying improvements for old error message: Unable to reach the server at <host>:<port>/<path>

[root@kvm-04-guest02 ~]# subscription-manager register --proxy=auto-services.usersys.redhat.com:3127 --proxyuser=BAD
Unable to reach the server at jsefler-cp0.usersys.redhat.com:8443/candlepin: Tunnel connection failed: 407 Proxy Authentication Required   <==== PRE-VERIFIED
[root@kvm-04-guest02 ~]# echo $?
69


> Pre-verifying improvements for old error message: Bad CA certificate: <file>

[root@kvm-04-guest02 ~]# touch /etc/rhsm/ca/bad-cert.pem
[root@kvm-04-guest02 ~]# subscription-manager register --username=testuser1
Registering to: jsefler-cp0.usersys.redhat.com:8443/candlepin
Password: 
Bad CA certificate: /etc/rhsm/ca/bad-cert.pem: [X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4293)   <==== PRE-VERIFIED
[root@kvm-04-guest02 ~]# echo $?
70
[root@kvm-04-guest02 ~]# rm -f /etc/rhsm/ca/bad-cert.pem


> Pre-verifying improvements for old error message: System certificates corrupted. Please reregister.

[root@kvm-04-guest02 ~]# touch /etc/pki/product/bad-cert.pem
[root@kvm-04-guest02 ~]# subscription-manager list --installed
Bad certificate: /etc/pki/product/bad-cert.pem: [PEM routines] no start line   <==== PRE-VERIFIED
[root@kvm-04-guest02 ~]# echo $?
70
[root@kvm-04-guest02 ~]# rm -f /etc/pki/product/bad-cert.pem
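
The improved messages are regular enough to triage by machine. The following added example (not part of the bug report or of subscription-manager) parses them into hop, stage, code and target; the category names are labels chosen here, and the proxy case is classified by the sign of the error code because the output above carries the "unable to connect to" prefix for a name-resolution failure too.

```python
import re

# Formats follow the messages proposed and observed in this bug report.
NET = re.compile(r"^(?P<kind>Network|Connection|Proxy) error: (?:unable to connect to )?"
                 r"(?:(?P<target>[^\s:]+:\d+): )?(?P<msg>.+) \(error code (?P<code>-?\d+)\)$")
TUNNEL = re.compile(r"^Unable to reach the server at (?P<target>\S+): (?P<msg>.+)$")
HTTP = re.compile(r"^Unknown server reply \(HTTP error code (?P<code>\d{3}): (?P<msg>[^)]*)\):?$")
CERT = re.compile(r"^Bad (?:CA |product )?certificate: (?P<target>\S+): (?P<msg>.+)$")


def classify(line):
    """Map one error line to (hop, stage, code, target), or None if unknown."""
    line = line.strip()
    if m := NET.match(line):
        code = int(m["code"])
        # Assumption (Linux/glibc): getaddrinfo() failures are negative EAI_*
        # values, socket errors are positive errno values.
        stage = "name-resolution" if code < 0 else "tcp-connect"
        hop = "proxy" if m["kind"] == "Proxy" else "server"
        return (hop, stage, code, m["target"])
    if m := TUNNEL.match(line):
        # A "Tunnel connection failed" status is the proxy's CONNECT reply.
        status = re.search(r"Tunnel connection failed: (\d{3})", m["msg"])
        hop = "proxy" if status else "server"
        return (hop, "http-connect", int(status[1]) if status else None, m["target"])
    if m := HTTP.match(line):
        return ("server", "http-reply", int(m["code"]), None)
    if m := CERT.match(line):
        return ("local", "certificate-load", None, m["target"])
    return None


# Sample input: lines copied from the examples and test output in this bug.
SAMPLES = [
    "Network error: Name or service not known (error code -2)",
    "Connection error: Connection refused (error code 111)",
    "Proxy error: unable to connect to BAD:3128: Name or service not known (error code -2)",
    "Unable to reach the server at jsefler-cp0.usersys.redhat.com:8443/candlepin: "
    "Tunnel connection failed: 407 Proxy Authentication Required",
    "Unknown server reply (HTTP error code 400: Bad Request):",
    "Bad certificate: /etc/pki/product/bad-cert.pem: [PEM routines] no start line",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample)
```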

Comment 7 John Sefler 2023-01-19 23:09:45 UTC
Moving to VERIFIED based on automated test results in comment 6 and manually pre-verified results in comment 1.

Comment 8 John Sefler 2023-01-31 14:26:31 UTC
(In reply to John Sefler from comment #1)
> RISK: I was unable to pre-verify the improved message "Unknown server reply (HTTP error code <error code>: <error message>)" because I could not figure out a way to force the server to reply with non-json.

In response to the RISK comment above, a fellow colleague encountered this scenario while using the main subscription-manager branch at commit level 5d188e588cc2a0c7315767c4afd379a3ac18b757 and demonstrated the improved error message as shown here...

$ subscription_manager register --force
Unregistering from: subscription.rhsm.stage.redhat.com:443/subscription
Unknown server reply (HTTP error code 400: Bad Request):
<html><13>
<head><title>400 The SSL certificate error</title></head><13>
<body><13>
<center><h1>400 Bad Request</h1></center><13>
<center>The SSL certificate error</center><13>
<hr><center>openresty</center><13>
</body><13>
</html><13>

Comment 10 errata-xmlrpc 2023-05-09 08:18:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2493