Bug 993202
Summary: | rhsm.conf default configuration server.ca_cert_dir should be moved to rhsm.ca_cert_dir | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | John Sefler <jsefler> |
Component: | subscription-manager | Assignee: | Carter Kozak <ckozak> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 5.10 | CC: | bkearney, ckozak, jesusr, skallesh |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
By default we use interpolation for repo_ca_cert, and it depends upon ca_cert_dir. ca_cert_dir was in a different section, which causes interpolation problems.
Consequence:
ca_cert_dir has been moved from the server section into rhsm. Default values will be used for ca_cert_dir and repo_ca_cert if ca_cert_dir is not present in the rhsm section, and repo_ca_cert uses interpolation (ex: %(ca_cert_dir)sredhat-uep.pem)
Fix:
Move the ca_cert_directory config line from the [server] section into [rhsm]
Result:
Functionality will remain the same as older versions
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2013-09-30 23:15:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 840995 |
Description
John Sefler
2013-08-05 16:56:40 UTC
The reason I am setting this to HIGH severity is because if the user needs to change the ca_cert_dir value, his changes will be useless in the [server] section. Moreover, the repo_ca_cert configuration in the [rhsm] section of the config file defaults to repo_ca_cert=%(ca_cert_dir)sredhat-uep.pem which depends on ca_cert_dir, but it will remain set to its default value no matter how much the user changes the ca_cert_dir in the [server] section.

```
commit ce1be44d159c3d5a8339274dd15e56455f35b845
Author: ckozak <ckozak>
Date:   Mon Aug 5 16:11:55 2013 -0400

    993202: fix default config, take advantage of rhsmconfig options
```

Verified!!

```
[root@localhost ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: Unknown
subscription-manager: 1.8.19-1.el5
python-rhsm: 1.8.16-1.el5
[root@localhost ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname = subscription.rhn.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl= https://cdn.redhat.com

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/ ------------> under [rhsm]

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440
```

Warning: Although this bug is VERIFIED (for a new install of subscription-manager), if the user begins with an older rhsm.conf file where the ca_cert_dir has been changed from its default value in the original [server] section of the rhsm.conf file, an rpm upgrade to subscription-manager-1.8.19 will NOT transfer the non-default value to the [rhsm] section of the rhsm.conf file. The result could be errors like "[Errno 14] Peer cert cannot be verified or peer cert invalid." If this happens, then a manual solution is to edit /etc/rhsm/rhsm.conf and move the ca_cert_dir from the [server] to the [rhsm] section.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1332.html
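The interpolation behaviour discussed in this bug, as an added example (not code from subscription-manager or python-rhsm): Python's standard configparser resolves %(ca_cert_dir)s only from the option's own section and the defaults, so a value left in [server] never reaches repo_ca_cert. The /etc/custom/ca/ path, both sample configs, and the use of the DEFAULT section to model the shipped default are assumptions made for illustration.

```python
import configparser

# Assumption: the shipped default, modelled here via configparser's DEFAULT section.
DEFAULT_CA_CERT_DIR = "/etc/rhsm/ca/"

# Constructed sample: pre-fix layout with a customised ca_cert_dir left in [server].
LEGACY_CONF = """\
[server]
hostname = subscription.rhn.redhat.com
ca_cert_dir = /etc/custom/ca/

[rhsm]
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""

# Constructed sample: post-fix layout, ca_cert_dir moved into [rhsm].
FIXED_CONF = """\
[server]
hostname = subscription.rhn.redhat.com

[rhsm]
ca_cert_dir = /etc/custom/ca/
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""

def effective_repo_ca_cert(conf_text):
    """Resolve rhsm.repo_ca_cert using only the [rhsm] section and the defaults."""
    parser = configparser.ConfigParser(defaults={"ca_cert_dir": DEFAULT_CA_CERT_DIR})
    parser.read_string(conf_text)
    return parser.get("rhsm", "repo_ca_cert")

def audit_ca_cert_dir(conf_text):
    """Return findings for a ca_cert_dir that was left behind in [server]."""
    raw = configparser.ConfigParser(interpolation=None)  # no defaults: explicit keys only
    raw.read_string(conf_text)
    findings = []
    if raw.has_option("server", "ca_cert_dir"):
        value = raw.get("server", "ca_cert_dir")
        findings.append("ca_cert_dir=%s in [server] is not visible to [rhsm]" % value)
        if not raw.has_option("rhsm", "ca_cert_dir"):
            findings.append("[rhsm] has no ca_cert_dir; repo_ca_cert resolves to %s"
                            % effective_repo_ca_cert(conf_text))
    return findings

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("fixed", FIXED_CONF)):
        print(name, effective_repo_ca_cert(text), audit_ca_cert_dir(text))
```

Running the audit against a host's rhsm.conf before and after the rpm upgrade shows whether a customised CA directory still sits in [server], which is the situation the warning above says leads to certificate verification errors.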