| Summary: | subscription manager installs broken certs | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | J.C. Molet <jmolet> | ||||||
| Component: | subscription-manager | Assignee: | Devan Goodwin <dgoodwin> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | J.C. Molet <jmolet> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 6.1 | CC: | dgoodwin, spandey | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | |||||||||
| : | 702075 (view as bug list) | Environment: | |||||||
| Last Closed: | 2011-05-19 13:40:46 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 568421, 702075 | ||||||||
| Attachments: |
|
||||||||
Two phases to the fix, first don't choke on bad entitlement certs when running the app: python-rhsm master:260a305688981a9fce90db30620b2789972187f5 python-rhsm RHEL6: 59b23524a7c5b8287b98312b379a44cba9c73572 python-rhsm RHEL5.7: 44f10dfb565ecc7065c71c1e366238a0f3ce9986 Second check if a cert is valid before dropping it onto the filesystem: subscription-manager master: 259f019bddcf6a58105758415f652d0b3d3ed369 subscription-manager RHEL6: 259f019bddcf6a58105758415f652d0b3d3ed369 subscription-manager RHEL5.7: 6fe888f7e8f72eebd126f2a8350da3ad529e06b1 Failed to push to RHEL6 branch of Subscription Manager, new git hash is: fd5a9c6a5423cfb5b8c8ce33fd21024e3361c07d Created attachment 490344 [details]
gui fix
2011-04-06 13:04:31,532 [WARNING] bogus() @certificate.py:306 - No product information in certificate: 1130038221894632
2011-04-06 13:04:31,532 [ERROR] _import_button_clicked() @importsub.py:82 - Error parsing manually imported entitlement certificate: /root/Downloads/836cc0f7-7a60-4a8a-b26b-3d5b9768cfc3.pem
2011-04-06 13:04:31,532 [ERROR] _import_button_clicked() @importsub.py:83 - Invalid X509 entitlement certificate.
Traceback (most recent call last):
File "/usr/share/rhsm/gui/importsub.py", line 79, in _import_button_clicked
raise Exception("Invalid X509 entitlement certificate.")
Exception: Invalid X509 entitlement certificate.
This is the expected behavior for importing an invalid cert. This bug has been VERIFIED.
subscription-manager-gnome-0.95.6-1.git.2.58bb724.el6.x86_64
subscription-manager-0.95.6-1.git.2.58bb724.el6.x86_64
python-rhsm-0.95.6-1.git.0.b36d0a5.el6.noarch
subscription-manager-firstboot-0.95.6-1.git.2.58bb724.el6.x86_64
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2011-0611.html |
Created attachment 488443 [details] importing invalid certs Description of problem: When importing an invalid or broken certificate, subscription-manager throws a traceback (expected), but it goes ahead and installs the cert in the /etc/pki/entitlements directory anyway. This causes subscription manager to crash upon all subsequent start-ups. Version-Release number of selected component (if applicable): subscription-manager-gnome-0.95.5-1.git.26.ce6d87f.el6.x86_64 subscription-manager-0.95.5-1.git.26.ce6d87f.el6.x86_64 subscription-manager-firstboot-0.95.5-1.git.26.ce6d87f.el6.x86_64 python-rhsm-0.95.5-1.git.0.0bfdb97.el6.noarch Steps to Reproduce: 1. Install subscription-manager-gui 2. Obtain an invalid or broken x509 cert. (I used an identity cert from the web subscription manager in stage). 3. Using rhsm-gui, use the import cert tool and import this cert. 4. Watch rhsm throw a traceback. 5. Close the rhsm-gui. 6. Start the gui back up. Actual results: See attachment for logs/stack trace of broken imported cert. [root@jmolet-vm3 Desktop]# subscription-manager-gui (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: Unexpected element <property> inside <widget>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. 'list' object has no attribute 'getStart' [root@jmolet-vm3 Desktop]# subscription-manager list --available 'list' object has no attribute 'getStart' Also, the cert is installed in /etc/pki/entitlements/ Expected results: The invalid cert is rejected from being installed and doesn't cause these problems. Additional info: This also breaks the cli tool.