Bug 993202

Summary: rhsm.conf default configuration server.ca_cert_dir should be moved to rhsm.ca_cert_dir
Product: Red Hat Enterprise Linux 5 Reporter: John Sefler <jsefler>
Component: subscription-manager    Assignee: Carter Kozak <ckozak>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 5.10    CC: bkearney, ckozak, jesusr, skallesh
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: By default we use interpolation for repo_ca_cert, which depends on ca_cert_dir. ca_cert_dir was in a different section, which causes interpolation problems.
Consequence: ca_cert_dir has been moved from the server section into rhsm. Default values will be used for ca_cert_dir and repo_ca_cert if ca_cert_dir is not present in the rhsm section, and repo_ca_cert uses interpolation (ex: %(ca_cert_dir)sredhat-uep.pem).
Fix: Move the ca_cert_dir config line from the [server] section into [rhsm].
Result: Functionality will remain the same as older versions.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-30 23:15:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 840995    

Description John Sefler 2013-08-05 16:56:40 UTC
Description of problem:
After the fix for bug 988476 was implemented, it revealed that the rhsm.conf parameter for ca_cert_dir was in the wrong section.  Currently it is located in the [server] section and it should be moved to the [rhsm] section.

Version-Release number of selected component (if applicable):
[root@jsefler-5 ~]# rpm -q python-rhsm subscription-manager
python-rhsm-1.8.16-1.el5
subscription-manager-1.8.16-1.el

How reproducible:


Steps to Reproduce:


[root@jsefler-5 ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname=subscription.rhn.redhat.com

# Server subscription:
prefix=/candlepin

# Server port:
port=443

# Set to 1 to disable certificate validation:
insecure=0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# Server CA certificate location:    <============ MOVE THIS LINE UNDER [rhsm]
ca_cert_dir = /etc/rhsm/ca/          <============ MOVE THIS LINE UNDER [rhsm]

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl=https://cdn.redhat.com

# Default CA cert to use when generating yum repo configs:
repo_ca_cert=%(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir=/etc/pki/product
entitlementCertDir=/etc/pki/entitlement
consumerCertDir=/etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440
Additional info:
Reference file: /usr/lib64/python2.4/site-packages/rhsm/config.py

Comment 1 John Sefler 2013-08-05 17:07:41 UTC
The reason I am setting this to HIGH severity is because if the user needs to change the ca_cert_dir value, his changes will be useless in the [server] section.  Moreover, the repo_ca_cert configuration in the [rhsm] section of the config file defaults to repo_ca_cert=%(ca_cert_dir)sredhat-uep.pem which depends on ca_cert_dir, but it will remain set to its default value no matter how much the user changes the ca_cert_dir in the [server] section.

Comment 2 Carter Kozak 2013-08-06 12:56:27 UTC
commit ce1be44d159c3d5a8339274dd15e56455f35b845
Author: ckozak <ckozak>
Date:   Mon Aug 5 16:11:55 2013 -0400

    993202: fix default config, take advantage of rhsmconfig options

Comment 4 Shwetha Kallesh 2013-08-08 12:05:09 UTC
Verified!!

[root@localhost ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: Unknown
subscription-manager: 1.8.19-1.el5
python-rhsm: 1.8.16-1.el5
[root@localhost ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname = subscription.rhn.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl= https://cdn.redhat.com

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/   ------------> under [rhsm]

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440

Comment 5 John Sefler 2013-08-15 22:12:27 UTC
Warning: Although this bug is VERIFIED (for a new install of subscription-manager), if the user begins with an older rhsm.conf file where the ca_cert_dir has been changed from its default value in the original [server] section of the rhsm.conf file, an rpm upgrade to subscription-manager-1.8.19 will NOT transfer the non-default value to the [rhsm] section of the rhsm.conf file.  The result could be errors like "[Errno 14] Peer cert cannot be verified or peer cert invalid."  If this happens, then a manual solution is to edit /etc/rhsm/rhsm.conf and move the ca_cert_dir from the [server] to the [rhsm] section.
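The two failure modes described in Comment 1 and Comment 5 (interpolation in [rhsm] cannot see a key defined under [server], and an upgraded rhsm.conf can leave a customised ca_cert_dir stranded in the old section) can be shown with the standard-library config parser. The following is an added example, not code from the bug report or from subscription-manager's own rhsm/config.py; it uses Python 3's configparser (whose same-section-or-DEFAULT interpolation rule matches the python 2.4 ConfigParser the RHEL 5 client ran on), constructed minimal config snippets that mirror the layouts quoted above, and hypothetical helper names (resolve_repo_ca_cert, ca_cert_dir_misplaced, migrate):

```python
"""Added example (not part of the bug report or of subscription-manager):
why `%(ca_cert_dir)s` under [rhsm] cannot resolve a ca_cert_dir that lives under
[server], plus a check and migration for rhsm.conf files left in the old layout."""
import configparser
import io

# Constructed snippets mirroring the pre-fix and post-fix layouts in the report.
OLD_LAYOUT = """\
[server]
hostname = subscription.rhn.redhat.com
ca_cert_dir = /etc/rhsm/ca/

[rhsm]
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""

FIXED_LAYOUT = """\
[server]
hostname = subscription.rhn.redhat.com

[rhsm]
ca_cert_dir = /etc/rhsm/ca/
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""


def load(text):
    # BasicInterpolation resolves %(name)s from the same section or [DEFAULT] only.
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def resolve_repo_ca_cert(text):
    """Return the interpolated repo_ca_cert, or None when the reference cannot be resolved."""
    cp = load(text)
    try:
        return cp.get("rhsm", "repo_ca_cert")
    except configparser.InterpolationMissingOptionError:
        # ca_cert_dir is defined, but in a section the interpolation never consults.
        return None


def ca_cert_dir_misplaced(text):
    """True when ca_cert_dir still sits under [server] and [rhsm] has none (pre-1.8.19 layout)."""
    cp = load(text)
    return cp.has_option("server", "ca_cert_dir") and not cp.has_option("rhsm", "ca_cert_dir")


def migrate(text):
    """Move ca_cert_dir from [server] to [rhsm], keeping a customised value intact.

    This is the manual fix from Comment 5 expressed as code (hypothetical helper).
    """
    if not ca_cert_dir_misplaced(text):
        return text
    cp = load(text)
    value = cp.get("server", "ca_cert_dir", raw=True)  # raw: do not interpolate the value itself
    cp.remove_option("server", "ca_cert_dir")
    if not cp.has_section("rhsm"):
        cp.add_section("rhsm")
    cp.set("rhsm", "ca_cert_dir", value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("old layout resolves to:", resolve_repo_ca_cert(OLD_LAYOUT))      # None
    print("fixed layout resolves to:", resolve_repo_ca_cert(FIXED_LAYOUT))  # /etc/rhsm/ca/redhat-uep.pem
    custom = OLD_LAYOUT.replace("/etc/rhsm/ca/", "/etc/pki/custom-ca/")
    print("after migration:", resolve_repo_ca_cert(migrate(custom)))
```

With the old layout the lookup of repo_ca_cert raises InterpolationMissingOptionError, which is why a non-default ca_cert_dir under [server] never reaches the generated yum repo configs; the same check run on an upgraded host flags the stranded key before it surfaces as a "Peer cert cannot be verified" error.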

Comment 7 errata-xmlrpc 2013-09-30 23:15:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1332.html