Bug 624757

Summary: unable to register to hosted candlepin1 w/ secure mode
Product: Red Hat Enterprise Linux 6
Component: subscription-manager
Version: 6.1
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: wes hayutin <whayutin>
Assignee: Bryan Kearney <bkearney>
QA Contact: wes hayutin <whayutin>
CC: bkearney, jsefler, shaines
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:42:06 UTC
Bug Blocks: 568421

Description wes hayutin 2010-08-17 16:41:35 UTC
**local certs on rhsm client

[root@client02-rhel6-beta2 candlepin]# ll
total 16
-rw-r--r--. 1 root root 1017 Aug 17 12:31 candlepin-ca.crt
-rw-r--r--. 1 root root  891 Aug 17 12:31 candlepin-ca.key
-rw-r--r--. 1 root root    7 Aug 17 12:31 candlepin-ca-password.txt
-rw-r--r--. 1 root root 1017 Aug 17 12:31 candlepin-upstream-ca.crt
[root@client02-rhel6-beta2 candlepin]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt
[root@client02-rhel6-beta2 candlepin]# md5sum candlepin-upstream-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-upstream-ca.crt


**rhsm conf

# Flag to enable Unsupported entitlement pools in GUI
# change this value to 1 to enable this option
showIncompatiblePools = 0
#candlepin_ca_file=/etc/pki/candlepin/candlepin-ca.crt
candlepin_ca_file=/etc/pki/candlepin/candlepin-upstream-ca.crt

**certs on candlepin1 server

[root@candlepin1 certs]# md5sum /etc/candlepin/certs/candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  /etc/candlepin/certs/candlepin-ca.crt
[root@candlepin1 certs]# md5sum /etc/candlepin/certs/candlepin-upstream-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  /etc/candlepin/certs/candlepin-upstream-ca.crt
[root@candlepin1 certs]# 

**[root@client02-rhel6-beta2 src]# ./subscription-manager-cli register --username=xeops --pass=redhat 
certificate verify failed
[root@client02-rhel6-beta2 src]# 

** changed local rhsm conf
# change this value to 1 to enable this option
showIncompatiblePools = 0
candlepin_ca_file=/etc/pki/candlepin/candlepin-ca.crt
#candlepin_ca_file=/etc/pki/candlepin/candlepin-upstream-ca.crt

[root@client02-rhel6-beta2 src]# ./subscription-manager-cli register --username=xeops --pass=redhat 
certificate verify failed


Trace in rhsm log
   self.connect()
  File "/usr/lib/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 181, in connect
    ret = self.connect_ssl()
  File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 174, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: certificate verify failed



I'm thinking this should work.. it was working..

rhsm @ commit d54ab44d2acc62e97eff351a4a1dfa5ea148aee7

Comment 1 Ajay Kumar Nadathur Sreenivasan 2010-09-01 17:15:50 UTC
Not reproducible. 
 I believe the server was not restarted after the certificates were changed.

Comment 2 John Sefler 2010-09-08 16:53:54 UTC
Verifying ....


On the IT candlepin server:
[root@candlepin1 certs]# hostname
candlepin1.devlab.phx1.redhat.com
[root@candlepin1 certs]# pwd
/etc/candlepin/certs
[root@candlepin1 certs]# ls
candlepin-ca.crt  candlepin-ca-password.txt
candlepin-ca.key  candlepin-upstream-ca.crt
[root@candlepin1 certs]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt


On my client:
[root@jsefler-rhel6-consumer01 ~]# rpm -q subscription-manager
subscription-manager-0.75-1.git.29.c3b1d88.fc12.i386

[root@jsefler-rhel6-consumer01 ~]# mkdir /tmp/certs
[root@jsefler-rhel6-consumer01 ~]# cd /tmp/certs
[root@jsefler-rhel6-consumer01 certs]# scp root.phx1.redhat.com:/etc/candlepin/certs/candlepin* .
The authenticity of host 'candlepin1.devlab.phx1.redhat.com (10.7.12.17)' can't be established.
RSA key fingerprint is 7d:93:22:a8:48:d2:31:13:f1:41:48:6c:a8:44:40:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'candlepin1.devlab.phx1.redhat.com,10.7.12.17' (RSA) to the list of known hosts.
root.phx1.redhat.com's password: 
candlepin-ca.crt            100% 1017     1.0KB/s   00:00
candlepin-ca.key            100%  891     0.9KB/s   00:00
candlepin-ca-password.txt   100%    7     0.0KB/s   00:00
candlepin-upstream-ca.crt   100% 1017     1.0KB/s   00:00
[root@jsefler-rhel6-consumer01 certs]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt

[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep hostname
hostname=candlepin1.devlab.phx1.redhat.com
[root@jsefler-rhel6-consumer01 certs]# vi /etc/rhsm/rhsm.conf   (FLIP THE FLAG FOR INSECURE TO 0)
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep insecure
# Flip this flag to 1 to Enable insecure mode.
insecure=0
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep candlepin_ca_file
candlepin_ca_file = None
[root@jsefler-rhel6-consumer01 certs]# subscription-manager-cli register --username=xeops --password=redhat
certificate verify failed

FAILED (as expected)

[root@jsefler-rhel6-consumer01 certs]# vi /etc/rhsm/rhsm.conf   (FLIP THE VALUE FOR CANDLEPIN_CA_FILE TO /tmp/certs/candlepin-ca.crt)
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep candlepin_ca_file
candlepin_ca_file = /tmp/certs/candlepin-ca.crt
[root@jsefler-rhel6-consumer01 certs]# subscription-manager-cli register --username=xeops --password=redhat
ee2c1013-c872-45eb-8cdd-3f39b3005ac2 xeops

SUCCESS

[root@jsefler-rhel6-consumer01 ~]# tail -f /var/log/rhsm/rhsm.log
2010-09-08 12:46:36,150 [INFO] __init__() @connection.py:136 - Connection Established: host: candlepin1.devlab.phx1.redhat.com, port: 443, handler: /candlepin
2010-09-08 12:46:36,151 [INFO] __init__() @connection.py:137 - Connection using cert_file: /etc/pki/consumer/cert.pem, key_file: /etc/pki/consumer/key.pem, ca_file: /tmp/certs/candlepin-ca.crt insecure_mode: False


SUCCESS: We registered in secure mode with the ca_file: /tmp/certs/candlepin-ca.crt
Moving to VERIFIED
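
The configuration states exercised in the comments above, as an added shell example that is not part of the bug report or of subscription-manager: it reads the `insecure` and `candlepin_ca_file` settings the way they are quoted on this page and reports whether secure registration has a usable CA file, and it lists CA key or password files that were copied next to the certificate and left world-readable. The function names are hypothetical, and treating a missing `insecure` key as 0 is an assumption.

```shell
#!/bin/sh
# Added example: preflight check for the rhsm.conf TLS settings seen in this bug.
# Function names are hypothetical; the flat key=value layout is the one quoted above.

# Print the last uncommented value of KEY ($1) in CONF ($2).
# Accepts both "key=value" and "key = value", as both appear in the report.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" |
        tail -n 1
}

# Exit status: 0 verification on with a usable CA file, 1 insecure mode,
# 2 CA file unset, "None" or unreadable, 3 file holds no PEM certificate.
# Assumption: a missing "insecure" key is treated as 0.
rhsm_tls_check() {
    insecure=$(conf_get insecure "$1")
    ca=$(conf_get candlepin_ca_file "$1")
    if [ "${insecure:-0}" != "0" ]; then
        echo "insecure=$insecure: insecure mode is enabled"; return 1
    fi
    case "$ca" in
        ""|None) echo "candlepin_ca_file is unset or None"; return 2 ;;
    esac
    if [ ! -r "$ca" ]; then
        echo "CA file not readable: $ca"; return 2
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "no PEM certificate in: $ca"; return 3
    fi
    echo "secure mode, ca_file: $ca"
}

# List key or password files beside the CA certificate that any local user can
# read; the client only needs the .crt to verify the server.
exposed_ca_secrets() {
    find "$(dirname "$1")" -maxdepth 1 -type f \
        \( -name '*.key' -o -name '*password*' \) -perm -004
}

# Constructed demo: the failing state from Comment 2 (CA file set to None).
demo=$(mktemp -d)
printf '%s\n' 'insecure=0' 'candlepin_ca_file = None' > "$demo/rhsm.conf"
rhsm_tls_check "$demo/rhsm.conf" || echo "exit status: $?"
rm -rf "$demo"
```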

Comment 4 errata-xmlrpc 2011-05-19 13:42:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0611.html