Bug 845622

Summary: If an idenity certificate has expired, there should be a friendly error message
Product: Red Hat Enterprise Linux 5 Reporter: Bryan Kearney <bkearney>
Component: subscription-managerAssignee: William Poteat <wpoteat>
Status: CLOSED ERRATA QA Contact: Entitlement Bugs <entitlement-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.10CC: alikins, fsharath, jesusr, jgalipea, jsefler, mstead, sgao, wpoteat
Target Milestone: betaFlags: jgalipea: needinfo+
Target Release: 5.10   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 1.8.2 Doc Type: Bug Fix
Doc Text:
Cause: Unfriendly error messages being displayed to user. Consequence: The unfriendly error messages make it difficult to understand why something failed. Fix: Added verbiage to notify users that their identity certificate is expired. Result: Now users can see when their identity certificates are expired instead of trying to decipher a cryptic error message.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-30 22:49:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 840995, 920191    

Description Bryan Kearney 2012-08-03 15:32:25 UTC
The error message shown to the users should be human readable.

Comment 1 gaoshang 2012-09-05 07:27:47 UTC
I would like to develop test case for the issue, but I can not get more detailed information over the issue, could you help provide the design details of it or detailed test steps on how to verify it?

Comment 2 Adrian Likins 2012-12-12 15:20:17 UTC
What kind of use case are users seeing bad error messages?

For gui stuff at least, we seem to equate an expired cert as
an invalid one, and treat it as unregistered. 

Do we have a suggested path for consumers to take when they
have an expired id cert?

Comment 3 Michael Stead 2013-01-11 17:43:12 UTC
Technically users shouldn't really see this that often since identity certs *should* get regenerated when the reach the expiry threshold.

I think the plan was to just clean up the error messages so that users were more aware as to why the SSL error happened.

Comment 4 William Poteat 2013-01-11 19:16:52 UTC
Subscription Manager commit 8ff80d6e3e7c259e3e089ac8052e6f66dd9e4776
Python-rhsm commit 030d4a7aa3f93f5b2a1709a71170170db597c833

gaoshang: The way I tested this was to register the system, then set the clocks forward after the expiration on the certificate.

Adrian: The error was just generic. The only way this scenario occurs is for the machine or rhsmcertd to be off during the expiration time. The path to take is a clean and re-register.

Comment 5 Bryan Kearney 2013-02-08 17:18:14 UTC
Fixed in the 1.8.2 version of subscription-manager or python-rhsm

Comment 6 RHEL Program Management 2013-04-09 20:54:29 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 7 Sharath Dwaral 2013-04-30 13:58:26 UTC
# rpm -qa | egrep "subscription-manager|python-rhsm"
subscription-manager-migration-1.8.6-1.git.7.96019b0.el5
python-rhsm-1.8.9-1.git.7.214419e.el5
subscription-manager-migration-data-1.11.2.7-1.git.0.1dfd00e.el5
subscription-manager-1.8.6-1.git.7.96019b0.el5
subscription-manager-firstboot-1.8.6-1.git.7.96019b0.el5
subscription-manager-gui-1.8.6-1.git.7.96019b0.el5

>>Candlepin: 
# date 
Tue Apr 30 9:40:13:80 EST 2013

>>Client:
# date 
Tue Apr 30 9:40:14:13 EST 2013

# subscription-manager register
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 53515d90-94c0-451e-975e-d1c95f1447bb

# date --set "20430501"              >> Advancing date by 30 years
Fri May  1 00:00:00 EST 2043

>>Candlepin:
# date --set "20430501"              >> Advancing date by 30 years
Fri May  1 00:00:00 EDT 2043

>>Client:
# subscription-manager identity
Your identity certificate has expired

VERIFIED

Comment 8 Bryan Kearney 2013-09-09 17:11:47 UTC
sorry.. I missed the needinfo. It is verified, so I am clearing it now.

Comment 10 errata-xmlrpc 2013-09-30 22:49:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1332.html