Bug 997194
Summary: | repo_ca_cert configuration ignored using older configuration | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Justin Sherrill <jsherril>
Component: | python-rhsm | Assignee: | Carter Kozak <ckozak>
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list>
Severity: | urgent | Priority: | unspecified
Version: | 5.10 | CC: | bkearney, ckozak, jesusr, jsefler, rytis.sileika, tomckay
Target Milestone: | rc | Keywords: | Regression
Hardware: | Unspecified | OS: | Unspecified
Doc Type: | Bug Fix | Type: | Bug
Last Closed: | 2013-09-30 22:32:11 UTC | Bug Blocks: | 833466, 840995

Description
Justin Sherrill
2013-08-14 21:48:04 UTC
Created attachment 786713
Sample rhsm config file that shows the issue.

Also for completeness, the error the user receives is:

    [Errno 14] Peer cert cannot be verified or peer cert invalid

This bug has been judged urgent for fix to be included in the rhel510 release.

This bug is present in subscription-manager-1.8.20-1.el5

    commit 0c4286ad423d5078575a4459fdcc7d9f0896630a
    Author: ckozak <ckozak>
    Date:   Thu Aug 15 09:03:24 2013 -0400

        997194: fix interpolation of default values

Reproducing error on version ...

    [root@mgmt2 ~]# subscription-manager version
    server type: This system is currently not registered.
    subscription management server: Unknown
    subscription-manager: 1.8.20-1.el5
    python-rhsm: 1.8.16-1.el5

Starting with an old rhsm.conf prior to Bug 993202

    [root@mgmt2 ~]# cat /etc/rhsm/rhsm.conf
    # Red Hat Subscription Manager Configuration File:

    # Unified Entitlement Platform Configuration
    [server]
    # Server hostname:
    hostname = subscription.rhn.redhat.com

    # Server prefix:
    prefix = /subscription

    # Server port:
    port = 443

    # Set to 1 to disable certificate validation:
    insecure = 0

    # Set the depth of certs which should be checked
    # when validating a certificate
    ssl_verify_depth = 3

    # Server CA certificate location:
    ca_cert_dir = /etc/rhsm/ca/

    # an http proxy server to use
    proxy_hostname =

    # port for http proxy server
    proxy_port =

    # user name for authenticating to an http proxy, if needed
    proxy_user =

    # password for basic http proxy auth, if needed
    proxy_password =

    [rhsm]
    # Content base URL:
    baseurl= https://cdn.redhat.com

    # Default CA cert to use when generating yum repo configs:
    repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

    # Where the certificates should be stored
    productCertDir = /etc/pki/product
    entitlementCertDir = /etc/pki/entitlement
    consumerCertDir = /etc/pki/consumer

    # Manage generation of yum repositories for subscribed content:
    manage_repos = 1

    [rhsmcertd]
    # Frequency of certificate refresh (in minutes):
    certFrequency = 240
    # Frequency of autoheal check (1440 min = 1 day):
    healFrequency = 1440

    [root@mgmt2 ~]# subscription-manager config --list | grep repo_ca_cert
    repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Notice that repo_ca_cert expands to the default value. This is correct.

Now let's change the default rhsm.conf setting for repo_ca_cert...

    [root@mgmt2 ~]# sed -i s/repo_ca_cert\ =\ %\(ca_cert_dir\)sredhat-uep.pem/repo_ca_cert\ =\ %\(ca_cert_dir\)scandlepin-local.pem/g /etc/rhsm/rhsm.conf
    [root@mgmt2 ~]# grep repo_ca_cert /etc/rhsm/rhsm.conf
    repo_ca_cert = %(ca_cert_dir)scandlepin-local.pem
    [root@mgmt2 ~]# subscription-manager config --list | grep repo_ca_cert
    repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

BANG! Although the default value for rhsm.conf parameter repo_ca_cert was indeed changed, its value is not getting interpolated.

Now let's upgrade to the fixed version of python-rhsm...

    [root@mgmt2 ~]# rpm -Uvh http://download.devel.redhat.com/brewroot/packages/python-rhsm/1.8.17/1.el5/i386/python-rhsm-1.8.17-1.el5.i386.rpm
    Retrieving http://download.devel.redhat.com/brewroot/packages/python-rhsm/1.8.17/1.el5/i386/python-rhsm-1.8.17-1.el5.i386.rpm
    Preparing...                ########################################### [100%]
       1:python-rhsm            ########################################### [100%]
    [root@mgmt2 ~]# rpm -q python-rhsm
    python-rhsm-1.8.17-1.el5

And now let's check what is being interpolated...

    [root@mgmt2 ~]# subscription-manager config --list | grep repo_ca_cert
    repo_ca_cert = /etc/rhsm/ca/candlepin-local.pem
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Success! This is what we wanted.

Moving to VERIFIED

*** Bug 998950 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1331.html
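
A check for the symptom shown in the verification steps above, as an added example that is not part of the original bug report or of python-rhsm: it expands the %(name)s references in rhsm.conf and compares the result with what subscription-manager config --list reports. The function names and the cross-section reference lookup are assumptions of this example; the sample strings are built from the values quoted in the report.

```python
import configparser
import re

REF = re.compile(r"%\((\w+)\)s")

def expand_conf(conf_text):
    """Return {option: expanded value} for every option in rhsm.conf text."""
    cp = configparser.RawConfigParser()  # raw: references are expanded below
    cp.read_string(conf_text)
    # Assumption: a reference may resolve against an option in any section,
    # since the old layout keeps ca_cert_dir in [server] and repo_ca_cert
    # in [rhsm]. Option names are lowercased by the parser.
    flat = {k: v for s in cp.sections() for k, v in cp.items(s)}
    return {k: REF.sub(lambda m: flat.get(m.group(1), m.group(0)), v)
            for k, v in flat.items()}

def parse_list_output(text):
    """Parse 'name = value' lines; [value] means the default is in use."""
    reported = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" = ")
        if not sep:
            continue  # section headers and legend lines
        value = value.strip()
        is_default = value.startswith("[") and value.endswith("]")
        if is_default:
            value = value[1:-1]
        reported[name.strip().lower()] = (value, is_default)
    return reported

def ignored_settings(conf_text, list_output):
    """List (option, expected, reported, reported_as_default) mismatches."""
    expected = expand_conf(conf_text)
    return [(name, expected[name], value, is_default)
            for name, (value, is_default) in parse_list_output(list_output).items()
            if name in expected and expected[name] != value]

# Constructed sample input, reduced from the rhsm.conf and output quoted above.
CONF = """
[server]
ca_cert_dir = /etc/rhsm/ca/
[rhsm]
repo_ca_cert = %(ca_cert_dir)scandlepin-local.pem
"""
BEFORE_FIX = "   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]"
AFTER_FIX = "   repo_ca_cert = /etc/rhsm/ca/candlepin-local.pem"

if __name__ == "__main__":
    print(ignored_settings(CONF, BEFORE_FIX))
    print(ignored_settings(CONF, AFTER_FIX))
```
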