I believe this was fixed a while ago in master commit a7ba3ce935b64d6877e4ccbc66635d58d810ab89 Author: Devan Goodwin <dgoodwin> Date: Fri Jan 31 15:44:33 2014 -0400 1026501: Preserve PKI directories and have rpm own them. Merged duplicated cert directory cleanup code into one method. /etc/pki/consumer and /etc/pki/entitlement will now be preserved when you unregister or clean. We now remove just the identity cert and key as their filenames are known. For entitlement directory we remove any files ending with .pem. subscription-manager rpm will now create and own these directories on installation. File monitoring code needs no modifications as we check mtime, which adjusts on any file addition/removal within the directories.
Following steps illustratd in https://bugzilla.redhat.com/show_bug.cgi?id=1026501#c10 Version: # subscription-manager version server type: This system is currently not registered. subscription management server: 0.9.23-1 subscription management rules: 5.11 subscription-manager: 1.12.12-1.el6 python-rhsm: 1.12.5-1.el6 # rpm -q subscription-manager-migration-data subscription-manager-migration-data-2.0.11-1.el6.noarch Verification: 1) Consumer deleted at Server # subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin Username: testuser1 Password: Organization: admin The system has been registered with ID: ed19664c-b57d-4f4b-b75b-4056de3b3923 # ls -l /etc/pki total 40 drwxr-xr-x. 6 root root 4096 Jun 19 19:09 CA drwxr-xr-x. 4 root root 4096 Jun 19 19:08 ca-trust drwxr-xr-x. 2 root root 4096 Aug 15 14:15 consumer drwxr-xr-x. 2 root root 4096 Aug 14 19:33 entitlement drwxr-xr-x. 2 root root 4096 Jun 19 19:08 java drwxr-xr-x. 2 root root 4096 Jul 24 23:20 nssdb drwxr-xr-x. 2 root root 4096 Jun 19 19:49 product drwxr-xr-x. 2 root root 4096 Jun 19 19:24 rpm-gpg drwx------. 2 root root 4096 Aug 15 2013 rsyslog drwxr-xr-x. 5 root root 4096 Jun 19 19:09 tls # ls -l /etc/pki/consumer/ total 8 -rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem -rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem Faking the existence of a valid splice cert/key pair.. # cp /etc/pki/consumer/cert.pem /etc/pki/consumer/Splice_identity.cert # cp /etc/pki/consumer/key.pem /etc/pki/consumer/Splice_identity.key # ls -l /etc/pki/consumer/ total 16 -rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem -rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem -rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert -rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key Now let's delete the consumer at the server... # curl -k -u admin:admin --request DELETE https://f20-candlepin.usersys.redhat.com:8443/candlepin/consumers/ed19664c-b57d-4f4b-b75b-4056de3b3923 # service rhsmcertd restart Stopping rhsmcertd... [FAILED] Starting rhsmcertd... [ OK ] # sleep 120 # ls -l /etc/pki total 44 drwxr-xr-x. 6 root root 4096 Jun 19 19:09 CA drwxr-xr-x. 4 root root 4096 Jun 19 19:08 ca-trust drwxr-xr-x. 2 root root 4096 Aug 15 14:22 consumer drwxr-xr-x. 2 root root 4096 Aug 15 14:18 consumer.old drwxr-xr-x. 2 root root 4096 Aug 14 19:33 entitlement drwxr-xr-x. 2 root root 4096 Jun 19 19:08 java drwxr-xr-x. 2 root root 4096 Aug 15 14:20 nssdb drwxr-xr-x. 2 root root 4096 Jun 19 19:49 product drwxr-xr-x. 2 root root 4096 Jun 19 19:24 rpm-gpg drwx------. 2 root root 4096 Aug 15 2013 rsyslog drwxr-xr-x. 5 root root 4096 Jun 19 19:09 tls # ls -l /etc/pki/consumer.old/ total 16 -rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem -rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem -rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert -rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key # ls -l /etc/pki/consumer total 8 -rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert -rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key VERIFED: When consumer is deleted at server, rhsmcertd creats a backup directory for consumer with its old contents and retains only the Splice key and cert. 2) Verifying clean # subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin Username: testuser1 Password: Organization: admin The system has been registered with ID: 51a9737e-8c67-46f9-ad00-ff32dff09ecb # ls -l /etc/pki/consumer total 16 -rw-r-----. 1 root root 1245 Aug 15 14:28 cert.pem -rw-r-----. 1 root root 1675 Aug 15 14:28 key.pem -rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert -rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key # subscription-manager clean All local data removed # ls -l /etc/pki/consumer total 8 -rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert -rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key VERIFIED : clean removes eveything but Splice cert and key 3) Verifying unregister # subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin Username: testuser1 Password: Organization: admin The system has been registered with ID: 5c7efd80-fe63-48dd-b166-28c77d69222a # ls -l /etc/pki/consumer total 16 -rw-r-----. 1 root root 1245 Aug 15 14:43 cert.pem -rw-r-----. 1 root root 1679 Aug 15 14:43 key.pem -rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert -rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key # subscription-manager unregister System has been unregistered. # ls -l /etc/pki/consumer total 8 -rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert -rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key Verified: After unregister Splice key and cert remain. Moving to VERIFIED
The release of Satellite 5.8 we are deprecating the support of Subscription Asset Manager. The release notes for 5.8 can be found at https://access.redhat.com/documentation/en-us/red_hat_satellite/5.8/pdf/release_notes/Red_Hat_Satellite-5.8-Release_Notes-en-US.pdf. I am therefore closing out this bug as WONTFIX. If you believe this to be an error, please feel free tor each out to either Rich Jerrido or Bryan Kearney. Thank you!