Bug 1349361 - unexpected error on creating entitlement cert for cli
Summary: unexpected error on creating entitlement cert for cli
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: Tools
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Patrick Creech
QA Contact: Irina Gulina
URL:
Whiteboard:
Depends On: 1308349 1358564
Blocks: 1128000 1176834
TreeView+ depends on / blocked
 
Reported: 2016-06-23 10:23 UTC by Irina Gulina
Modified: 2017-03-01 22:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-01 22:12:15 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0367 normal SHIPPED_LIVE Red Hat Update Infrastructure 3.0 Release 2017-03-02 03:05:22 UTC

Description Irina Gulina 2016-06-23 10:23:39 UTC
Description of problem:
1) generate an entitlement certificate doesn't display a list of protected repos
(see ***NOTE***)
2) creation of a client configuration RPM from an entitlement certificate fails with an unexpected error

Version-Release number of selected component (if applicable):
RHUI3 iso 20160531

How reproducible:
always

Steps to Reproduce:
1. create protected and unprotected custom repo
in my case 'zoo' is not protected and 'protected_repo_1' requires the cert 
2. add RH repo 
3. generate an entitlement certificate
4. create a client configuration RPM from an entitlement certificate


Actual results:

rhui (repo) => l

Custom Repositories
  protected_repo_1
  zoo   

Red Hat Repositories
  Red Hat Enterprise Linux 6 Update Infrastructure Load Balancer (6Server-i386)
  Red Hat Enterprise Linux 6 Update Infrastructure Load Balancer (6Server-x86_64)


------------------------------------------------------------------------------


------------------------------------------------------------------------------
             -= Red Hat Update Infrastructure Management Tool =-


-= Client Entitlement Management =-

   e   generate an entitlement certificate
   c   create a client configuration RPM from an entitlement certificate

                                                   Connected: rhua.example.com
------------------------------------------------------------------------------
rhui (client) => e

Select one or more repositories to include in the entitlement certificate:

  Custom Repositories

  Red Hat Repositories
    -  1 : Red Hat Enterprise Linux 6 Update Infrastructure Load Balancer


/start{***NOTE***}

Why is 'protected_repo_1' custom repo not visible here? I expect to see a list of protected custom repos here + RH repos)

In RHUI@ it was: 

rhui (client) => e

Select the CDS cluster that clients using this entitlement certificate will use to download content:

  1  - cluster_1
Enter value (1-1) or 'b' to abort: 1

Select one or more repositories to include in the entitlement certificate:

  Custom Repositories
    -  1 : custom_repo_2
             custom_repo_2


  Red Hat Repositories
    -  2 : Red Hat Update Infrastructure 2.0 (RPMs)

Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 

where 'custom_repo_2' is a protected repo

/end{***NOTE***}

Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select one or more repositories to include in the entitlement certificate:

  Custom Repositories

  Red Hat Repositories
    x  1 : Red Hat Enterprise Linux 6 Update Infrastructure Load Balancer

Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Name of the certificate. This will be used as the name of the certificate file
(name.crt) and its associated private key (name.key). Choose something that will
help identify the products contained with it:
irina_cert

Local directory in which to save the generated certificate [current directory]:


Number of days the certificate should be valid [365]:
10

Repositories to be included in the entitlement certificate:

  Red Hat Repositories
    Red Hat Enterprise Linux 6 Update Infrastructure Load Balancer

Proceed? (y/n) y

.+++
.........................+++
Error creating entitlement certificate, check the log file for more information

------------------------------------------------------------------------------
rhui (client) => c

Full path to local directory in which the client configuration files generated by this tool
should be stored (if this directory does not exist, it will be created):
/root/

Name of the RPM:
irina_rpm

Version of the configuration RPM [2.0]:


Full path to the entitlement certificate authorizing the client to access
specific channels:
/root/irina_cert.crt      

Full path to the private key for the above entitlement certificate:
/root/irina_cert.key 

Port to serve Docker content on (default 5000):


An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

>> less /root/.rhui/rhui.log

2016-06-23 06:04:56,848 - <type 'exceptions.KeyError'>
2016-06-23 06:04:56,848 - Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.7/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.7/site-packages/rhui/tools/screens/client.py", line 208, in create_rpm
    answers = self._collect_answers()
  File "/usr/lib/python2.7/site-packages/rhui/tools/screens/client.py", line 274, in _collect_answers
    unprotected_repo_names = [r['name'] for r in unprotected_repos]
KeyError: 'name'

Expected results:
a client conf rpm is created successfully for RH repo and custom protected repos

Comment 3 Irina Gulina 2016-07-21 01:18:02 UTC
Failed_QA on RHEL7 20160719 iso:

>> rhui (repo) => l

Custom Repositories
  protected_repo
  selinux_repo
  unprotected_repo

Red Hat Repositories
  JBoss Enterprise Application Platform 5 (for RHEL 6 Server) (RPMs) from RHUI (6Server-x86_64)
  Red Hat Enterprise Linux 6 Server (Source ISOs) from RHUI (6Server-x86_64)

>> ------------------------------------------------------------------------------
rhui (client) => e

Select one or more repositories to include in the entitlement certificate:

  Custom Repositories

  Red Hat Repositories
    -  1 : JBoss Enterprise Application Platform 5 (for RHEL 6 Server) (RPMs) from RHUI
    -  2 : Red Hat Enterprise Linux 6 Server (Source ISOs) from RHUI
    -  3 : Red Hat Enterprise Linux 6 Server from RHUI (RPMs)

Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1-3

Select one or more repositories to include in the entitlement certificate:

  Custom Repositories

  Red Hat Repositories
    x  1 : JBoss Enterprise Application Platform 5 (for RHEL 6 Server) (RPMs) from RHUI
    x  2 : Red Hat Enterprise Linux 6 Server (Source ISOs) from RHUI
    x  3 : Red Hat Enterprise Linux 6 Server from RHUI (RPMs)

Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Name of the certificate. This will be used as the name of the certificate file
(name.crt) and its associated private key (name.key). Choose something that will
help identify the products contained with it:
irina_cert

Local directory in which to save the generated certificate [current directory]:


Number of days the certificate should be valid [365]:


Repositories to be included in the entitlement certificate:

  Red Hat Repositories
    JBoss Enterprise Application Platform 5 (for RHEL 6 Server) (RPMs) from RHUI
    Red Hat Enterprise Linux 6 Server (Source ISOs) from RHUI
    Red Hat Enterprise Linux 6 Server from RHUI (RPMs)

Proceed? (y/n) y

..................+++
............+++
Error creating entitlement certificate, check the log file for more information


>> less ~/.rhui/rhui.log

2016-07-20 20:35:18,788 - Successfully connected to [rhua.example.com]
2016-07-20 21:02:18,940 - Private key creation output
2016-07-20 21:02:18,940 - Exit Code: 0
2016-07-20 21:02:18,940 - 
2016-07-20 21:02:18,940 - writing RSA key

2016-07-20 21:02:18,943 - Command [openssl x509 -req -days 365 -in ./irina_cert.csr -CA /etc/pki/rhui/certs/entitlement-ca.crt -CAkey /etc/pki/rhui/private/entitlement-ca.key -CAserial /etc/pki/rhui/certs/entitlement-ca.srl -out ./irina_cert.crt -extfile ./irina_cert-extensions.txt -extensions rhui]
2016-07-20 21:02:18,959 - Certificate creation output
2016-07-20 21:02:18,960 - 
2016-07-20 21:02:18,960 - Signature ok
subject=/CN=Red Hat Update Infrastructure
Getting CA Private Key
/etc/pki/rhui/certs/entitlement-ca.srl: No such file or directory
139925297199008:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/rhui/certs/entitlement-ca.srl','r')
139925297199008:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

Comment 4 Irina Gulina 2016-07-21 01:19:24 UTC
And I can't verify it on RHEL6 because of BZ1358564.

Comment 5 Radek Bíba 2016-09-20 11:36:48 UTC
I haven't seen the error with entitlement-ca.srl recently, nor is there anything about this file in the rhui log on my test RHUI instance; entitlement-ca.srl just exists. This issue was fixed in two steps, here:

# rpm -q --changelog rhui-installer-base
...
* Wed Jul 27 2016 Patrick Creech <pcreech@redhat.com> 0.0.33-1
- Fixing srl extension (pcreech@redhat.com)

* Tue Jul 26 2016 Patrick Creech <pcreech@redhat.com> 0.0.32-1
- Fix mispelling in entitlement (pcreech@redhat.com)
...

In particular, I see the following difference in /usr/share/rhui-installer/modules/rhua/manifests/init.pp between version 0.0.31 and 0.0.33:

--- /tmp/init.pp.0	2016-09-20 05:33:08.529787417 -0400
+++ /tmp/init.pp.2	2016-09-20 05:36:34.716790847 -0400
@@ -285,7 +285,7 @@
     replace => false
   }
 
-  file { '/etc/pki/rhui/certs/entitilement-ca.srl':
+  file { '/etc/pki/rhui/certs/entitlement-ca.srl':
     content => '01',
     require => Class['Certs'],
     replace => false

(For the record, version 0.0.32 contained "/etc/pki/rhui/certs/entitlement-ca.crt", which was the wrong extension.)

The first issue mentioned in comment 0 remains open, though:

"generate an entitlement certificate doesn't display a list of protected repos
(see ***NOTE***)"

Comment 6 Irina Gulina 2016-09-22 14:55:48 UTC
Verified as bug 1308349 comment 11

Comment 7 errata-xmlrpc 2017-03-01 22:12:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367


Note You need to log in before you can comment on or make changes to this bug.