Bug 1026501 - deleting consumer will move splice identity cert
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Assigned To: Devan Goodwin
QA Contact: John Sefler
Blocks: rhsm-rhel70 1028074
Reported: 2013-11-04 14:41 EST by Chris Duryee
Modified: 2014-06-17 20:28 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-13 09:23:11 EDT
Type: Bug

External Trackers: Red Hat Knowledge Base (Solution) 532423
Description Chris Duryee 2013-11-04 14:41:00 EST
Description of problem: If a system running SAM 1.3 + enhanced reporting is registered via subscription-manager and then the registration is deleted, the user will get the following error on runs of spacewalk-splice-checkin --splice-sync:

Traceback (most recent call last):
  File "/usr/bin/spacewalk-splice-checkin", line 100, in <module>
    checkin.main(opts)
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 228, in main
    splice_sync(options)
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 198, in splice_sync
    mpu_list.append(dt.transform_to_rcs(katello_consumer, sps.get_splice_server_uuid()))
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/splice_push.py", line 51, in get_splice_server_uuid
    return cutils.get_subject_pieces(open(cfg["cert"]).read(), ['CN'])['CN']
IOError: [Errno 2] No such file or directory: '/etc/pki/consumer/Splice_identity.cert'


Version-Release number of selected component (if applicable):

subscription-manager-1.1.23-1.el6.x86_64
spacewalk-splice-tool-0.46-1.el6sam
splice-0.146-1.el6sam

Steps to Reproduce:
1. register system via subscription-manager
2. install SAM 1.3 with enhanced reporting
3. delete system to cause /etc/pki/consumer to be archived to /etc/pki/consumer.old
4. (as splice user) run spacewalk-splice-checkin --splice-sync

Actual results:

stack trace


Expected results:

successful run


Additional info:

Workaround:

If consumer certs were only archived once, the user can copy /etc/pki/consumer.old/Splice* to /etc/pki/consumer.

To regen certs (as root):

splice_cert_gen_identity.py --cacert /etc/pki/splice/Splice_CA.cert --cakey /etc/pki/splice/Splice_CA.key --outcert /etc/pki/consumer/Splice_identity.cert --outkey /etc/pki/consumer/Splice_identity.key
Comment 1 Chris Duryee 2013-11-04 14:53:46 EST
Running "subscription-manager clean" after setup will cause this to happen as well.
Comment 2 Xixi 2013-11-05 03:31:33 EST
https://access.redhat.com/site/solutions/532423 created based on this Bugzilla (thanks beav & team for the heads-up!)
Comment 3 Bryan Kearney 2013-11-06 08:18:08 EST
Moving to subscription-manager to have it stop cleaning out certs it did not create.
Comment 5 Vitaly Kuznetsov 2013-11-06 08:58:26 EST
I think we already hit this issue with RHUI:
https://bugzilla.redhat.com/show_bug.cgi?id=1011082
(it was about /etc/pki/entitlements but the essence is the same)

and then a bug against subscription-manager was created:
https://bugzilla.redhat.com/show_bug.cgi?id=1019992

unfortunately it was closed as 'WONTFIX'.
Comment 6 Devan Goodwin 2013-11-07 10:38:22 EST
I wontfix'd the entitlements one as that's a big problem: we have a lot of code assuming it can read everything in that directory. Fixing it would basically mean we need to keep track of what certs we wrote somewhere, which probably means we'd just start putting them somewhere else and abandon the directory we use now. However, these are both directories we create/manage; there was no discussion of other apps dropping certs in them.

For consumer certs, this is less of an issue as I think we go straight to a specific filename. However, for precedent, I'd like to push that we go for the cleaner option where each app creates and manages its own certs, and we don't try to drop them all into one place. It's consistent with the decision for entitlements, it's less likely to cause issues, and will work on already released versions of subscription-manager/RHEL.

I spoke to Chris; he's going to get splice storing its cert in its own location but asks that we clarify that those are not general purpose directories.

So TL;DR: We will stop deleting these directories and get them owned by our RPM, but other apps will still be responsible for storing their own certs in their own dirs.
Comment 7 Devan Goodwin 2014-02-11 08:03:20 EST
Fixed in subscription-manager.git as of a9dc0beddd00a72844a15daa7dd6d97a0a1d65ea. Will appear in subscription-manager-1.10.14-1.

Our rpms now own /etc/pki/consumer and /etc/pki/entitlement. On clean or unregister, we delete only our identity cert and key from /etc/pki/consumer, and only *.pem files in /etc/pki/entitlement. The directories themselves should never be completely removed now.
Comment 10 John Sefler 2014-02-13 13:41:04 EST
I will verify the following new behavior as indicated in comment 7...
When a consumer is deleted at the server, the /etc/pki/consumer/ directory is copied to /etc/pki/consumer.old/ and the cert.pem/key.pem pair that was in the /etc/pki/consumer/ directory is deleted, leaving behind the Splice cert/key pair.  The former behavior simply renamed the directory from /etc/pki/consumer/ to /etc/pki/consumer.old/, thereby eliminating the /etc/pki/consumer/ directory.

Verifying Version...
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.3-1
subscription-manager: 1.10.14-1.el7
python-rhsm: 1.10.12-1.el7

Let's begin by verifying what happens when the consumer is deleted at the server...
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 90acc7c0-14ff-4416-a650-42c3266cd092 
[root@jsefler-7 ~]# ls -l /etc/pki
total 8
drwxr-xr-x. 6 root   root     57 Jan 15 08:50 CA
drwxr-xr-x. 4 root   root     48 Jan 21 19:52 ca-trust
drwxr-xr-x. 2 root   root     35 Feb 13 13:12 consumer
drwxr-xr-x. 2 root   root      6 Feb 13 02:59 entitlement
drwxr-xr-x. 2 root   root     20 Jan 21 19:52 java
drwxr-xr-x. 2 root   root     97 Jan 29 12:39 nssdb
drwxrwxr-x. 2 pesign pesign   51 Jan 21 20:04 pesign
drwxr-xr-x. 2 root   root   4096 Feb 13 01:48 product
drwxr-xr-x. 2 root   root   4096 Jan 21 19:57 rpm-gpg
drwx------. 2 root   root      6 Jan 21 10:28 rsyslog
drwxr-xr-x. 5 root   root     76 Jan 21 19:53 tls
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem

Faking the existence of a valid splice cert/key pair...
[root@jsefler-7 ~]# cp /etc/pki/consumer/cert.pem /etc/pki/consumer/Splice_identity.cert
[root@jsefler-7 ~]# cp /etc/pki/consumer/key.pem /etc/pki/consumer/Splice_identity.key
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

Now let's delete the consumer at the server...
[root@jsefler-7 ~]# curl -k -u admin:admin --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/90acc7c0-14ff-4416-a650-42c3266cd092
[root@jsefler-7 ~]# service rhsmcertd restart
Redirecting to /bin/systemctl restart  rhsmcertd.service
[root@jsefler-7 ~]# sleep 120
[root@jsefler-7 ~]# ls -l /etc/pki
total 8
drwxr-xr-x. 6 root   root     57 Jan 15 08:50 CA
drwxr-xr-x. 4 root   root     48 Jan 21 19:52 ca-trust
drwxr-xr-x. 2 root   root     59 Feb 13 13:20 consumer
drwxr-xr-x. 2 root   root     88 Feb 13 13:14 consumer.old
drwxr-xr-x. 2 root   root      6 Feb 13 02:59 entitlement
drwxr-xr-x. 2 root   root     20 Jan 21 19:52 java
drwxr-xr-x. 2 root   root     97 Jan 29 12:39 nssdb
drwxrwxr-x. 2 pesign pesign   51 Jan 21 20:04 pesign
drwxr-xr-x. 2 root   root   4096 Feb 13 01:48 product
drwxr-xr-x. 2 root   root   4096 Jan 21 19:57 rpm-gpg
drwx------. 2 root   root      6 Jan 21 10:28 rsyslog
drwxr-xr-x. 5 root   root     76 Jan 21 19:53 tls
[root@jsefler-7 ~]# ls -l /etc/pki/consumer.old/
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# 

VERIFIED: When rhsmcertd detects that the consumer has been deleted at the server, a backup of the consumer directory and its contents is made, and then cert.pem and key.pem are removed from /etc/pki/consumer, leaving behind the Splice cert/key


Now let's verify clean...
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 6f4e2445-f24b-4628-adde-5c67f2210001 
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:27 cert.pem
-rw-r-----. 1 root root 1675 Feb 13 13:27 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# subscription-manager clean
All local data removed
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

VERIFIED: The Splice cert/key remains after running clean


Now let's verify unregister...
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: d6172d84-0edc-4e61-bd1c-77c954e6033f 
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:31 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:31 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# subscription-manager unregister
System has been unregistered.
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

VERIFIED: The Splice cert/key remains after running unregister
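The behaviour change verified above (described in comment 7 and exercised in comment 10), together with the copy-back workaround from the bug description, as an added Python illustration. This is constructed example code, not subscription-manager's own implementation: it contrasts the pre-fix "rename the whole directory" unregister with the fixed "archive, then delete only the files we wrote" variant, and shows why a tool that cleans a shared directory must limit itself to its own artifacts. The directory names, the placeholder file contents and the `1234567890.pem`/`README.txt` entitlement files are assumptions; everything runs inside a temporary tree, never against /etc/pki.

```python
"""Constructed illustration of the consumer-directory handling in this bug.

Not subscription-manager's code.  Models the pre-fix unregister (rename the
directory), the fixed unregister from comments 7 and 10 (copy aside, delete
only cert.pem/key.pem, keep the directory), the fixed entitlement clean
(delete only *.pem) and the restore-from-archive workaround from the report.
"""
import glob
import os
import shutil
import tempfile

# Files subscription-manager itself writes into the consumer directory.
OWNED_CONSUMER_FILES = ("cert.pem", "key.pem")


def old_unregister(consumer_dir, archive_dir):
    """Pre-fix behaviour: rename the directory, taking third-party certs with it."""
    if os.path.isdir(archive_dir):
        shutil.rmtree(archive_dir)  # a second archive silently replaces the first
    os.rename(consumer_dir, archive_dir)


def new_unregister(consumer_dir, archive_dir):
    """Fixed behaviour: copy the directory aside, then remove only our own files.

    The directory stays in place, so Splice_identity.* (or anything else a
    third-party tool dropped here) survives.
    """
    if os.path.isdir(archive_dir):
        shutil.rmtree(archive_dir)
    shutil.copytree(consumer_dir, archive_dir)
    for name in OWNED_CONSUMER_FILES:
        path = os.path.join(consumer_dir, name)
        if os.path.isfile(path):
            os.remove(path)


def clean_entitlement_dir(entitlement_dir):
    """Fixed behaviour for the entitlement directory: delete only *.pem files."""
    for path in glob.glob(os.path.join(entitlement_dir, "*.pem")):
        os.remove(path)


def restore_splice_certs(archive_dir, consumer_dir):
    """Workaround from the report: copy archived Splice* files back into place."""
    os.makedirs(consumer_dir, exist_ok=True)
    restored = []
    for path in glob.glob(os.path.join(archive_dir, "Splice*")):
        shutil.copy2(path, consumer_dir)
        restored.append(os.path.basename(path))
    return sorted(restored)


def _populate(consumer_dir, entitlement_dir):
    """Build a scratch tree with constructed placeholder files (not real keys)."""
    os.makedirs(consumer_dir)
    os.makedirs(entitlement_dir)
    for name in ("cert.pem", "key.pem", "Splice_identity.cert", "Splice_identity.key"):
        with open(os.path.join(consumer_dir, name), "w") as fh:
            fh.write("constructed placeholder for %s\n" % name)
    for name in ("1234567890.pem", "README.txt"):  # assumed entitlement contents
        with open(os.path.join(entitlement_dir, name), "w") as fh:
            fh.write("constructed placeholder for %s\n" % name)


def _listing(path):
    return sorted(os.listdir(path)) if os.path.isdir(path) else None


def run_demo():
    """Exercise both behaviours and the workaround; return what each leaves behind."""
    results = {}
    for label in ("old", "new"):
        root = tempfile.mkdtemp(prefix="pki-demo-")
        consumer = os.path.join(root, "consumer")
        archive = os.path.join(root, "consumer.old")
        entitlement = os.path.join(root, "entitlement")
        _populate(consumer, entitlement)
        if label == "old":
            old_unregister(consumer, archive)
            state = {"after_unregister": _listing(consumer)}  # None: directory gone
            restore_splice_certs(archive, consumer)
            state["after_workaround"] = _listing(consumer)
        else:
            new_unregister(consumer, archive)
            clean_entitlement_dir(entitlement)
            state = {"after_unregister": _listing(consumer)}
        state["archive"] = _listing(archive)
        state["entitlement"] = _listing(entitlement)
        results[label] = state
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, state in run_demo().items():
        print(label, state)
```

Running the script prints the two states side by side: under the old behaviour the consumer directory no longer exists after unregister (exactly the `IOError` condition in the traceback) and only the workaround brings the Splice files back, while under the new behaviour the directory survives with just the Splice pair in it, matching the `ls -l /etc/pki/consumer` listings above.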
Comment 11 Ludek Smid 2014-06-13 09:23:11 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
