Bug 1011082 - Subscription-manager removes RHUI client certificates under /etc/pki/entitlement during "subscription-manager clean"
Subscription-manager removes RHUI client certificates under /etc/pki/entitlem...
Status: CLOSED ERRATA
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: RHUA (Show other bugs)
2.1.2
Unspecified Linux
unspecified Severity unspecified
: ---
: 2.1.3
Assigned To: dgao
Ina Panova
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-23 11:14 EDT by Ina Panova
Modified: 2013-12-17 15:10 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
This update fixes an issue where RHUI was sharing a directory with subscription-manager for certificates. When the subscription-manager deleted its own certificates it deleted everything in the directory causing the RHUI certificates to be deleted as well. The certificates are now placed in /etc/pki/rhui instead of /etc/pki/entitlement/ so that subscription-manager will no longer delete the RHUI certificates.
Story Points: ---
Clone Of:
: 1019992 (view as bug list)
Environment:
Last Closed: 2013-12-17 15:10:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ina Panova 2013-09-23 11:14:20 EDT
Description of problem:
After installing rhel5.10 with no changes made on it perform 'subscription-manager clean' command. After that, any yum command(yum install, update, repolist, etc.) fails.

Version-Release number of selected component (if applicable):
subscription-manager-1.8.22-1.el5

How reproducible:
always

Steps to Reproduce:

[root@ip-10-245-114-124 ~]# rpm -qa subscription-manager
subscription-manager-1.8.22-1.el5
[root@ip-10-245-114-124 ~]# yum repolist
Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security
Determining fastest mirrors
 * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com
 * rhui-REGION-rhel-server: rhui2-cds01.us-east-1.aws.ce.redhat.com
rhui-REGION-client-config-server-5                                                                                                                                                          | 2.3 kB     00:00     
rhui-REGION-client-config-server-5/primary_db                                                                                                                                               | 4.5 kB     00:00     
rhui-REGION-rhel-server                                                                                                                                                                     | 3.7 kB     00:00     
rhui-REGION-rhel-server/primary_db                                                                                                                                                          | 7.6 MB     00:00     
Excluding Packages from Red Hat Enterprise Linux Server 5 (RPMs)
Finished
repo id                                                                               repo name                                                                                                           status
rhui-REGION-client-config-server-5                                                    Red Hat Update Infrastructure 2.0 Client Configuration Server 5                                                             3
rhui-REGION-rhel-server                                                               Red Hat Enterprise Linux Server 5 (RPMs)                                                                            15,263+80
repolist: 15,266
[root@ip-10-245-114-124 ~]# subscription-manager list
No installed products to list
[root@ip-10-245-114-124 ~]# yum repolist
Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security
Loading mirror speeds from cached hostfile
 * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com
 * rhui-REGION-rhel-server: rhui2-cds01.us-east-1.aws.ce.redhat.com
Excluding Packages from Red Hat Enterprise Linux Server 5 (RPMs)
Finished
repo id                                                                               repo name                                                                                                           status
rhui-REGION-client-config-server-5                                                    Red Hat Update Infrastructure 2.0 Client Configuration Server 5                                                             3
rhui-REGION-rhel-server                                                               Red Hat Enterprise Linux Server 5 (RPMs)                                                                            15,263+80
repolist: 15,266
[root@ip-10-245-114-124 ~]# subscription-manager clean
All local data removed
[root@ip-10-245-114-124 ~]# yum repolist
Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security
Loading mirror speeds from cached hostfile
 * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 178, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 349, in doCommands
    return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
  File "/usr/share/yum-cli/yumcommands.py", line 788, in doCommand
    base.repos.populateSack()
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 232, in populateSack
    self.doSetup()
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 79, in doSetup
    self.ayum.plugins.run('postreposetup')
  File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 179, in run
    func(conduitcls(self, self.base, conf, **kwargs))
  File "/usr/lib/yum-plugins/fastestmirror.py", line 205, in postreposetup_hook
    repo.setupGrab()
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 463, in setupGrab
    self._setupGrab()
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 474, in _setupGrab
    ugopts = self._default_grabopts()
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 486, in _default_grabopts
    opts = { 'keepalive': self.keepalive,
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 656, in _getSslContext
    sslCtx.load_cert(self.sslclientcert, self.sslclientkey)
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Context.py", line 74, in load_cert
    m2.ssl_ctx_use_cert(self.ctx, certfile)
M2Crypto.SSL.SSLError: No such file or directory


Actual results:
yum command fails 

Expected results:

yum should work normally

Additional info:
Comment 1 John Sefler 2013-09-23 12:26:07 EDT
The problem that I found on this system is here...

[root@ip-10-164-16-250 yum.repos.d]# ls /etc/pki/entitlement/
ca.crt  cdn.redhat.com-chain.crt  content-rhel5.key  product  rhui-client-config-server-5.key

Why are these RHUI certificates located in /etc/pki/entitlement/ ?

The /etc/pki/entitlement/ directory is a default configuration used by subscription-manager...
[root@ip-10-164-16-250 ~]# grep entitlement /etc/rhsm/rhsm.conf 
entitlementCertDir = /etc/pki/entitlement

When subscription-manager clean is executed, the contents of /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui repo files that are pointing to certificates in /etc/pki/entitlement

[root@ip-10-164-16-250 ~]# grep "/etc/pki/entitlement" /etc/yum.repos.d/*.repo
/etc/yum.repos.d/redhat-rhui-client-config.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui-client-config.repo:sslclientcert=/etc/pki/entitlement/product/rhui-client-config-server-5.crt
/etc/yum.repos.d/redhat-rhui-client-config.repo:sslclientkey=/etc/pki/entitlement/rhui-client-config-server-5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt


It seems to me that an arm wrestling match between the RHUI team and the RHSM team over the right to write to /etc/pki/entitlement/ is in order.
Comment 2 Vitaly Kuznetsov 2013-09-24 05:29:08 EDT
(In reply to John Sefler from comment #1)
> Why are these RHUI certificates located in /etc/pki/entitlement/ ?
> 
> The /etc/pki/entitlement/ directory is a default configuration used by
> subscription-manager...
> 
> When subscription-manager clean is executed, the contents of
> /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui
> repo files that are pointing to certificates in /etc/pki/entitlement

Subscription-manager's behavior here doesn't seem correct:
1) If this directory is RHSM-specific - why is has so generalized name? Why not "/etc/pki/rhsm/entitlements"?
2) Why does subscription-manager remove _all_ content from directory no matter who brought it here? Files in "/etc" are usually supposed to be edited/added by humans.
3) If this directory is rhsm-specific data/cache - why it is not under "/var"?
Comment 3 Adrian Likins 2013-10-15 17:50:04 EDT
(In reply to Vitaly Kuznetsov from comment #2)
> (In reply to John Sefler from comment #1)
> > Why are these RHUI certificates located in /etc/pki/entitlement/ ?
> > 
> > The /etc/pki/entitlement/ directory is a default configuration used by
> > subscription-manager...
> > 
> > When subscription-manager clean is executed, the contents of
> > /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui
> > repo files that are pointing to certificates in /etc/pki/entitlement
> 
> Subscription-manager's behavior here doesn't seem correct:
> 1) If this directory is RHSM-specific - why is has so generalized name? Why
> not "/etc/pki/rhsm/entitlements"?

  No idea. "historical reasons". The content is meant to be managed by subscription-manager, and used by yum. 

> 2) Why does subscription-manager remove _all_ content from directory no
> matter who brought it here? Files in "/etc" are usually supposed to be
> edited/added by humans.

  Tend to agree it shouldn't delete stuff it didn't put there. But then again,
manually provisioning rhsm entitlement certs there is more or less supported (for disconnected, or loosely connected scenarios). Not deleting unknown ent certs (or anything unknown) on "clean" seems reasonable.

> 3) If this directory is rhsm-specific data/cache - why it is not under
> "/var"?

   Not really a cache (yum is setup to assume those certs exists, and doesn't do anything to refresh them if not). /etc/pki/ is the normal place for installing certificates.
Comment 4 dgao 2013-10-16 14:20:24 EDT
Commit: 5b92c5cce67b222e322d68dc7ccac315a2da1048 and 654dee3c2c5d004e5dcbc4ab3f4ce51f7bb99f30

This fixes the RHUI side by placing certs into /etc/pki/rhui instead of /etc/pki/entitlement/. 

Also opened up https://bugzilla.redhat.com/show_bug.cgi?id=1019992 to keep track of the changes needed to be made on subscription-manager to not delete certs it didn't put in /etc/pki/entitlements.
Comment 5 Ina Panova 2013-11-04 11:32:55 EST
tested in 
rh-rhui-tools-2.1.27-1.git.4.b7072ef.el6.noarch
pulp-0.0.263-38.git.1.7f842df.el6.noarch

Move to verified.
Comment 7 errata-xmlrpc 2013-12-17 15:10:32 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1854.html

Note You need to log in before you can comment on or make changes to this bug.