Bug 1026501 - deleting consumer will move splice identity cert
Summary: deleting consumer will move splice identity cert
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Devan Goodwin
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel70 1028074
Reported: 2013-11-04 19:41 UTC by Chris Duryee
Modified: 2014-06-18 00:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1028074 (view as bug list)
Environment:
Last Closed: 2014-06-13 13:23:11 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 532423 0 None None None Never

Description Chris Duryee 2013-11-04 19:41:00 UTC
Description of problem: If a system running SAM 1.3 + enhanced reporting is registered via subscription-manager and then the registration is deleted, the user will get the following error on runs of spacewalk-splice-checkin --splice-sync:

Traceback (most recent call last):
  File "/usr/bin/spacewalk-splice-checkin", line 100, in <module>
    checkin.main(opts)
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 228, in main
    splice_sync(options)
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 198, in splice_sync
    mpu_list.append(dt.transform_to_rcs(katello_consumer, sps.get_splice_server_uuid()))
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/splice_push.py", line 51, in get_splice_server_uuid
    return cutils.get_subject_pieces(open(cfg["cert"]).read(), ['CN'])['CN']
IOError: [Errno 2] No such file or directory: '/etc/pki/consumer/Splice_identity.cert'


Version-Release number of selected component (if applicable):

subscription-manager-1.1.23-1.el6.x86_64
spacewalk-splice-tool-0.46-1.el6sam
splice-0.146-1.el6sam

Steps to Reproduce:
1. register system via subscription-manager
2. install SAM 1.3 with enhanced reporting
3. delete system to cause /etc/pki/consumer to be archived to /etc/pki/consumer.old
4. (as splice user) run spacewalk-splice-checkin --splice-sync

Actual results:

stack trace


Expected results:

successful run


Additional info:

Workaround:

If consumer certs were only archived once, the user can copy /etc/pki/consumer.old/Splice* to /etc/pki/consumer.

To regen certs (as root):

splice_cert_gen_identity.py --cacert /etc/pki/splice/Splice_CA.cert --cakey /etc/pki/splice/Splice_CA.key --outcert /etc/pki/consumer/Splice_identity.cert --outkey /etc/pki/consumer/Splice_identity.key

Comment 1 Chris Duryee 2013-11-04 19:53:46 UTC
running "subscription-manager clean" after setup will cause this to happen as well.

Comment 2 Xixi 2013-11-05 08:31:33 UTC
https://access.redhat.com/site/solutions/532423 created based on this Bugzilla (thanks beav & team for the heads-up!)

Comment 3 Bryan Kearney 2013-11-06 13:18:08 UTC
moving to subscription manager to have it stop cleaning out certs it did not create.

Comment 5 Vitaly Kuznetsov 2013-11-06 13:58:26 UTC
I think we already hit this issue with RHUI:
https://bugzilla.redhat.com/show_bug.cgi?id=1011082
(it was about /etc/pki/entitlements but the essence is the same)

and then a bug against subscription-manager was created:
https://bugzilla.redhat.com/show_bug.cgi?id=1019992

unfortunately it was closed as 'WONTFIX'.

Comment 6 Devan Goodwin 2013-11-07 15:38:22 UTC
I wontfix'd the entitlements one as that's a big problem, we have a lot of code assuming it can read everything in that directory. Fixing it would basically mean we need to keep track of what certs we wrote somewhere, which probably means we'd just start putting them somewhere else and abandon the directory we use now. However these are both directories we create/manage, there was no discussion of other apps dropping certs in them.

For consumer certs, this is less of an issue as I think we go straight to a specific filename, however, for precedent, I'd like to push that we go for the cleaner option where each app creates and manages its own certs, and we don't try to drop them all into one place. It's consistent with the decision for entitlements, it's less likely to cause issues, and will work on already released versions of subscription-manager/RHEL.

I spoke to Chris, he's going to get splice storing its cert in its own location but asks that we clarify that those are not general purpose directories.

So TL;DR: We will stop deleting these directories and get them owned by our RPM, but other apps will still be responsible for storing their own certs in their own dirs.

Comment 7 Devan Goodwin 2014-02-11 13:03:20 UTC
Fixed in subscription-manager.git as of a9dc0beddd00a72844a15daa7dd6d97a0a1d65ea. Will appear in subscription-manager-1.10.14-1.

Our rpms now own /etc/pki/consumer and /etc/pki/entitlement. On clean or unregister, we delete only our identity cert and key from /etc/pki/consumer, and only *.pem files in /etc/pki/entitlement. The directories themselves should never be completely removed now.
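
An added sketch of the scoped cleanup described in comment 7, contrasted with the earlier rename-the-directory behaviour. It is not code from subscription-manager; the function names, the `backup` flag and the temporary directory tree are assumptions made for illustration.

```python
import glob
import os
import shutil
import tempfile

# Files subscription-manager itself writes in the consumer dir (per the listings on this page).
OWNED_CONSUMER_FILES = ("cert.pem", "key.pem")


def legacy_archive(consumer_dir):
    """Earlier behaviour: rename the whole directory, taking foreign certs with it."""
    os.rename(consumer_dir, consumer_dir + ".old")


def scoped_clean(consumer_dir, entitlement_dir, backup=False):
    """Fixed behaviour: delete only owned files; both directories always survive."""
    if backup:
        # Copy instead of rename, so consumer_dir and any foreign files stay in place.
        shutil.copytree(consumer_dir, consumer_dir + ".old", dirs_exist_ok=True)
    removed = []
    for name in OWNED_CONSUMER_FILES:
        path = os.path.join(consumer_dir, name)
        if os.path.isfile(path):
            os.remove(path)
            removed.append(path)
    for path in glob.glob(os.path.join(entitlement_dir, "*.pem")):
        os.remove(path)
        removed.append(path)
    return sorted(removed)


def demo():
    """Build a constructed /etc/pki-like tree in a temp dir, clean it, list the result."""
    root = tempfile.mkdtemp()
    consumer = os.path.join(root, "consumer")
    entitlement = os.path.join(root, "entitlement")
    tree = {
        consumer: ["cert.pem", "key.pem", "Splice_identity.cert", "Splice_identity.key"],
        entitlement: ["123.pem", "123-key.pem", "notes.txt"],  # constructed names
    }
    for directory, names in tree.items():
        os.makedirs(directory)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed placeholder, not a real certificate\n")
    scoped_clean(consumer, entitlement, backup=True)
    return [sorted(os.listdir(d)) for d in (consumer, entitlement, consumer + ".old")]
```
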

Comment 10 John Sefler 2014-02-13 18:41:04 UTC
I will verify the following new behavior as indicated in comment 7...
When a consumer is deleted at the server, the /etc/pki/consumer/ directory is copied to /etc/pki/consumer.old/ and the cert.pem/key.pem pair that was in the /etc/pki/consumer/ directory is deleted, leaving behind the Splice cert/key pair.  The former behavior simply renamed the directory from /etc/pki/consumer/ to /etc/pki/consumer.old/ thereby eliminating the /etc/pki/consumer/ directory.

Verifying Version...
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.3-1
subscription-manager: 1.10.14-1.el7
python-rhsm: 1.10.12-1.el7

Let's begin by verifying what happens when the consumer is deleted at the server...
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 90acc7c0-14ff-4416-a650-42c3266cd092 
[root@jsefler-7 ~]# ls -l /etc/pki
total 8
drwxr-xr-x. 6 root   root     57 Jan 15 08:50 CA
drwxr-xr-x. 4 root   root     48 Jan 21 19:52 ca-trust
drwxr-xr-x. 2 root   root     35 Feb 13 13:12 consumer
drwxr-xr-x. 2 root   root      6 Feb 13 02:59 entitlement
drwxr-xr-x. 2 root   root     20 Jan 21 19:52 java
drwxr-xr-x. 2 root   root     97 Jan 29 12:39 nssdb
drwxrwxr-x. 2 pesign pesign   51 Jan 21 20:04 pesign
drwxr-xr-x. 2 root   root   4096 Feb 13 01:48 product
drwxr-xr-x. 2 root   root   4096 Jan 21 19:57 rpm-gpg
drwx------. 2 root   root      6 Jan 21 10:28 rsyslog
drwxr-xr-x. 5 root   root     76 Jan 21 19:53 tls
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem

Faking the existence of a valid splice cert/key pair...
[root@jsefler-7 ~]# cp /etc/pki/consumer/cert.pem /etc/pki/consumer/Splice_identity.cert
[root@jsefler-7 ~]# cp /etc/pki/consumer/key.pem /etc/pki/consumer/Splice_identity.key
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

Now let's delete the consumer at the server...
[root@jsefler-7 ~]# curl -k -u admin:admin --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/90acc7c0-14ff-4416-a650-42c3266cd092
[root@jsefler-7 ~]# service rhsmcertd restart
Redirecting to /bin/systemctl restart  rhsmcertd.service
[root@jsefler-7 ~]# sleep 120
[root@jsefler-7 ~]# ls -l /etc/pki
total 8
drwxr-xr-x. 6 root   root     57 Jan 15 08:50 CA
drwxr-xr-x. 4 root   root     48 Jan 21 19:52 ca-trust
drwxr-xr-x. 2 root   root     59 Feb 13 13:20 consumer
drwxr-xr-x. 2 root   root     88 Feb 13 13:14 consumer.old
drwxr-xr-x. 2 root   root      6 Feb 13 02:59 entitlement
drwxr-xr-x. 2 root   root     20 Jan 21 19:52 java
drwxr-xr-x. 2 root   root     97 Jan 29 12:39 nssdb
drwxrwxr-x. 2 pesign pesign   51 Jan 21 20:04 pesign
drwxr-xr-x. 2 root   root   4096 Feb 13 01:48 product
drwxr-xr-x. 2 root   root   4096 Jan 21 19:57 rpm-gpg
drwx------. 2 root   root      6 Jan 21 10:28 rsyslog
drwxr-xr-x. 5 root   root     76 Jan 21 19:53 tls
[root@jsefler-7 ~]# ls -l /etc/pki/consumer.old/
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# 

VERIFIED: When rhsmcertd detects that the consumer has been deleted at the server, a backup of the consumer directory and contents is made and then cert.pem and key.pem are removed from /etc/pki/consumer, leaving behind the Splice cert/key


Now let's verify clean...
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 6f4e2445-f24b-4628-adde-5c67f2210001 
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:27 cert.pem
-rw-r-----. 1 root root 1675 Feb 13 13:27 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# subscription-manager clean
All local data removed
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

VERIFIED: The Splice cert/key remains after running clean


Now let's verify unregister...
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: d6172d84-0edc-4e61-bd1c-77c954e6033f 
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:31 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:31 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# subscription-manager unregister
System has been unregistered.
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

VERIFIED: The Splice cert/key remains after running unregister

Comment 11 Ludek Smid 2014-06-13 13:23:11 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

