Bug 1019992 - Subscription-manager removes RHUI client certificates under /etc/pki/entitlement during "subscription-manager clean"
Summary: Subscription-manager removes RHUI client certificates under /etc/pki/entitlem...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: candlepin-bugs
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel70
Reported: 2013-10-16 18:13 UTC by dgao
Modified: 2013-10-21 14:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1011082
Environment:
Last Closed: 2013-10-21 14:52:20 UTC
Target Upstream Version:
Embargoed:



Description dgao 2013-10-16 18:13:32 UTC
+++ This bug was initially created as a clone of Bug #1011082 +++

Description of problem:
After installing rhel5.10 with no changes made to it, run the 'subscription-manager clean' command. After that, any yum command (yum install, update, repolist, etc.) fails.

Version-Release number of selected component (if applicable):
subscription-manager-1.8.22-1.el5

How reproducible:
always

Steps to Reproduce:

[root@ip-10-245-114-124 ~]# rpm -qa subscription-manager
subscription-manager-1.8.22-1.el5
[root@ip-10-245-114-124 ~]# yum repolist
Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security
Determining fastest mirrors
 * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com
 * rhui-REGION-rhel-server: rhui2-cds01.us-east-1.aws.ce.redhat.com
rhui-REGION-client-config-server-5                                                                                                                                                          | 2.3 kB     00:00     
rhui-REGION-client-config-server-5/primary_db                                                                                                                                               | 4.5 kB     00:00     
rhui-REGION-rhel-server                                                                                                                                                                     | 3.7 kB     00:00     
rhui-REGION-rhel-server/primary_db                                                                                                                                                          | 7.6 MB     00:00     
Excluding Packages from Red Hat Enterprise Linux Server 5 (RPMs)
Finished
repo id                                                                               repo name                                                                                                           status
rhui-REGION-client-config-server-5                                                    Red Hat Update Infrastructure 2.0 Client Configuration Server 5                                                             3
rhui-REGION-rhel-server                                                               Red Hat Enterprise Linux Server 5 (RPMs)                                                                            15,263+80
repolist: 15,266
[root@ip-10-245-114-124 ~]# subscription-manager list
No installed products to list
[root@ip-10-245-114-124 ~]# yum repolist
Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security
Loading mirror speeds from cached hostfile
 * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com
 * rhui-REGION-rhel-server: rhui2-cds01.us-east-1.aws.ce.redhat.com
Excluding Packages from Red Hat Enterprise Linux Server 5 (RPMs)
Finished
repo id                                                                               repo name                                                                                                           status
rhui-REGION-client-config-server-5                                                    Red Hat Update Infrastructure 2.0 Client Configuration Server 5                                                             3
rhui-REGION-rhel-server                                                               Red Hat Enterprise Linux Server 5 (RPMs)                                                                            15,263+80
repolist: 15,266
[root@ip-10-245-114-124 ~]# subscription-manager clean
All local data removed
[root@ip-10-245-114-124 ~]# yum repolist
Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security
Loading mirror speeds from cached hostfile
 * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 178, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 349, in doCommands
    return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
  File "/usr/share/yum-cli/yumcommands.py", line 788, in doCommand
    base.repos.populateSack()
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 232, in populateSack
    self.doSetup()
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 79, in doSetup
    self.ayum.plugins.run('postreposetup')
  File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 179, in run
    func(conduitcls(self, self.base, conf, **kwargs))
  File "/usr/lib/yum-plugins/fastestmirror.py", line 205, in postreposetup_hook
    repo.setupGrab()
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 463, in setupGrab
    self._setupGrab()
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 474, in _setupGrab
    ugopts = self._default_grabopts()
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 486, in _default_grabopts
    opts = { 'keepalive': self.keepalive,
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 656, in _getSslContext
    sslCtx.load_cert(self.sslclientcert, self.sslclientkey)
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Context.py", line 74, in load_cert
    m2.ssl_ctx_use_cert(self.ctx, certfile)
M2Crypto.SSL.SSLError: No such file or directory


Actual results:
yum command fails

Expected results:

yum should work normally

Additional info:

--- Additional comment from John Sefler on 2013-09-23 12:26:07 EDT ---

The problem that I found on this system is here...

[root@ip-10-164-16-250 yum.repos.d]# ls /etc/pki/entitlement/
ca.crt  cdn.redhat.com-chain.crt  content-rhel5.key  product  rhui-client-config-server-5.key

Why are these RHUI certificates located in /etc/pki/entitlement/ ?

The /etc/pki/entitlement/ directory is a default configuration used by subscription-manager...
[root@ip-10-164-16-250 ~]# grep entitlement /etc/rhsm/rhsm.conf 
entitlementCertDir = /etc/pki/entitlement

When subscription-manager clean is executed, the contents of /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui repo files that are pointing to certificates in /etc/pki/entitlement

[root@ip-10-164-16-250 ~]# grep "/etc/pki/entitlement" /etc/yum.repos.d/*.repo
/etc/yum.repos.d/redhat-rhui-client-config.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui-client-config.repo:sslclientcert=/etc/pki/entitlement/product/rhui-client-config-server-5.crt
/etc/yum.repos.d/redhat-rhui-client-config.repo:sslclientkey=/etc/pki/entitlement/rhui-client-config-server-5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key
/etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt
/etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt


It seems to me that an arm wrestling match between the RHUI team and the RHSM team over the right to write to /etc/pki/entitlement/ is in order.
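
One way to audit a host for the situation described in this comment is to walk the .repo files, collect every sslcacert/sslclientcert/sslclientkey path, and flag those that live under the rhsm entitlementCertDir (which "subscription-manager clean" empties). The script below is an added example, not code from subscription-manager or RHUI; the repo file contents are constructed to mirror the grep output above, and the /etc/pki/rhui location is assumed only as an illustrative "safe" path.

```python
import configparser
import glob
import os

# Assumed: the entitlementCertDir value shown in rhsm.conf in this report.
ENTITLEMENT_DIR = "/etc/pki/entitlement"
SSL_KEYS = ("sslcacert", "sslclientcert", "sslclientkey")

# Constructed sample .repo text: first repo points into /etc/pki/entitlement
# (as in the report), second uses a hypothetical RHUI-owned directory.
SAMPLE_REPO = """
[rhui-REGION-client-config-server-5]
name=Red Hat Update Infrastructure 2.0 Client Configuration Server 5
sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt
sslclientcert=/etc/pki/entitlement/product/rhui-client-config-server-5.crt
sslclientkey=/etc/pki/entitlement/rhui-client-config-server-5.key

[rhui-REGION-rhel-server]
name=Red Hat Enterprise Linux Server 5 (RPMs)
sslcacert=/etc/pki/rhui/cdn.redhat.com-chain.crt
sslclientcert=/etc/pki/rhui/product/content-rhel5.crt
sslclientkey=/etc/pki/rhui/content-rhel5.key
"""


def cert_refs(repo_text):
    """Return {repo_id: {option: path}} for every ssl* path in a .repo file."""
    cp = configparser.RawConfigParser(strict=False)  # tolerate repeated keys
    cp.read_string(repo_text)
    return {sec: {k: cp.get(sec, k) for k in SSL_KEYS if cp.has_option(sec, k)}
            for sec in cp.sections()}


def at_risk(refs, ent_dir=ENTITLEMENT_DIR, exists=os.path.exists):
    """(repo, option, path, missing) for paths under ent_dir: these are what
    'subscription-manager clean' deletes; missing=True means already gone."""
    prefix = ent_dir.rstrip("/") + "/"
    return [(repo, opt, path, not exists(path))
            for repo, opts in refs.items()
            for opt, path in opts.items() if path.startswith(prefix)]


if __name__ == "__main__":
    for repo_file in glob.glob("/etc/yum.repos.d/*.repo"):
        with open(repo_file) as fh:
            for repo, opt, path, missing in at_risk(cert_refs(fh.read())):
                state = "MISSING" if missing else "present"
                print(f"{repo_file}: [{repo}] {opt}={path} ({state})")
```

Any line printed as MISSING matches the M2Crypto "No such file or directory" failure in the description; a "present" line is a repo that will break the next time clean runs.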

--- Additional comment from Vitaly Kuznetsov on 2013-09-24 05:29:08 EDT ---

(In reply to John Sefler from comment #1)
> Why are these RHUI certificates located in /etc/pki/entitlement/ ?
> 
> The /etc/pki/entitlement/ directory is a default configuration used by
> subscription-manager...
> 
> When subscription-manager clean is executed, the contents of
> /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui
> repo files that are pointing to certificates in /etc/pki/entitlement

Subscription-manager's behavior here doesn't seem correct:
1) If this directory is RHSM-specific - why does it have such a generalized name? Why not "/etc/pki/rhsm/entitlements"?
2) Why does subscription-manager remove _all_ content from the directory no matter who brought it here? Files in "/etc" are usually supposed to be edited/added by humans.
3) If this directory is rhsm-specific data/cache - why is it not under "/var"?

--- Additional comment from Adrian Likins on 2013-10-15 17:50:04 EDT ---

(In reply to Vitaly Kuznetsov from comment #2)
> (In reply to John Sefler from comment #1)
> > Why are these RHUI certificates located in /etc/pki/entitlement/ ?
> > 
> > The /etc/pki/entitlement/ directory is a default configuration used by
> > subscription-manager...
> > 
> > When subscription-manager clean is executed, the contents of
> > /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui
> > repo files that are pointing to certificates in /etc/pki/entitlement
> 
> Subscription-manager's behavior here doesn't seem correct:
> 1) If this directory is RHSM-specific - why is has so generalized name? Why
> not "/etc/pki/rhsm/entitlements"?

  No idea. "historical reasons". The content is meant to be managed by subscription-manager, and used by yum. 

> 2) Why does subscription-manager remove _all_ content from directory no
> matter who brought it here? Files in "/etc" are usually supposed to be
> edited/added by humans.

  Tend to agree it shouldn't delete stuff it didn't put there. But then again,
manually provisioning rhsm entitlement certs there is more or less supported (for disconnected, or loosely connected scenarios). Not deleting unknown ent certs (or anything unknown) on "clean" seems reasonable.

> 3) If this directory is rhsm-specific data/cache - why it is not under
> "/var"?

   Not really a cache (yum is set up to assume those certs exist, and doesn't do anything to refresh them if not). /etc/pki/ is the normal place for installing certificates.

Comment 2 Devan Goodwin 2013-10-21 14:52:20 UTC
RHUI is now placing their certs in their own location. 

I am extremely hesitant to fix this. Ideally, yes, it would be nice if the directory were named to be rhsm specific, but /etc/pki is probably the correct location for the certificates.

There is no concept of "known" certificates; we support disconnected scenarios where certificates can be manually imported. Trying to track which ones we put there, where they came from, and whether or not someone dropped one in place by themselves is a big increase in complexity and risk for bugs. /etc/pki/entitlement has been subscription-manager certs since day one; nothing else can/should write there.

Changing this at this point is going to introduce more problems, and there is almost nothing gained by doing so as far as I can tell. I am going to close as a WONTFIX. If anyone feels strongly that this must be done and there is a tangible benefit to doing so, then please reopen and state the case, but I really do not want to take the upgrade risk and increase in complexity if we don't need to.

