1414529 – Unhelpful error message if a product certificate is corrupted.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1414529 - Unhelpful error message if a product certificate is corrupted.

Summary: Unhelpful error message if a product certificate is corrupted.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Jiri Hnidek
QA Contact:	John Sefler
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-18 18:34 UTC by Barnaby Court
Modified:	2018-04-10 09:48 UTC (History)
CC List:	4 users (show)
Fixed In Version:	subscription-manager-1.20.2-1
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 09:47:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	candlepin subscription-manager pull 1637	0	None	closed	1414529: Raise exception with path to wrong certificate.	2020-07-06 09:28:44 UTC
Red Hat Product Errata	RHBA-2018:0681	0	None	None	None	2018-04-10 09:48:38 UTC

Description Barnaby Court 2017-01-18 18:34:25 UTC

Description of problem:
If a product certificate is corrupted the error message is not very helpful. For example:
2017-01-18 18:00:41,683 [INFO] subscription-manager:31445:MainThread @managercli.py:384 - Client Versions: {'python-rhsm': '1.17.9-1.el7', 'subscription-manager': '1.17.15-\
1.el7.centos'}
2017-01-18 18:00:41,683 [INFO] subscription-manager:31445:MainThread @connection.py:830 - Connection built: host=https://devel.example.com port=443 handler=/rhsm auth=ident\
ity_cert ca_dir=/etc/rhsm/ca/ verify=True
2017-01-18 18:00:41,684 [INFO] subscription-manager:31445:MainThread @connection.py:830 - Connection built: host=https://devel.example.com port=443 handler=/rhsm auth=none
2017-01-18 18:00:41,684 [INFO] subscription-manager:31445:MainThread @managercli.py:384 - Client Versions: {'python-rhsm': '1.17.9-1.el7', 'subscription-manager': '1.17.15-\
1.el7.centos'}
2017-01-18 18:00:41,684 [INFO] subscription-manager:31445:MainThread @managercli.py:359 - Consumer Identity name=None uuid=None
2017-01-18 18:00:41,685 [ERROR] subscription-manager:31445:MainThread @managercli.py:174 - exception caught in subscription-manager
2017-01-18 18:00:41,685 [ERROR] subscription-manager:31445:MainThread @managercli.py:175 - Error loading certificate
Traceback (most recent call last):
  File "/sbin/subscription-manager", line 81, in <module>
    sys.exit(abs(main() or 0))
 File "/sbin/subscription-manager", line 72, in main
    return managercli.ManagerCLI().main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 2744, in main
    return CLI.main(self)
  File "/usr/lib/python2.7/site-packages/subscription_manager/cli.py", line 160, in main
    return cmd.main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 526, in main
    return_code = self._do_command()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1070, in _do_command
    self.installed_mgr = inj.require(inj.INSTALLED_PRODUCTS_MANAGER)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 433, in __init__
    self._setup_installed()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 488, in _setup_installed
    for prod_cert in self.product_dir.list():
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 228, in list
    installed_prod_list = self.installed_prod_dir.list()
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 121, in list
    listing.append(create_from_file(path))
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate.py", line 59, in create_from_file
    return _CertFactory().create_from_file(path)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 70, in create_from_file
    return self._read_x509(_certificate.load(path), path, pem)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 82, in _read_x509
    raise CertificateException("Error loading certificate")
CertificateException: Error loading certificate

This was originally found in python-rhsm-1.17.9-1.el7.x86_64

It would be much more helpful if the python-rhsm error included which certificate it could not load.

Comment 3 Rehana 2017-10-26 12:25:39 UTC

Reproducing the failure on python-rhsm-1.17.9-1.el7.x86_64 ( on rhel73 manchine) 

subscription management server: 2.0.41-1
subscription management rules: 5.26
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7

Steps
=====
1) have one or more product id files 
[root@kvm-02-guest07 ~]# ls /etc/pki/product
100000000000000.pem   100000000000002.pem  100000000000006.pem  100000000000060.pem  213412341234.pem  213412341237.pem  37060.pem  37067.pem  37070.pem  37091.pem  6050.pem  806.pem    908.pem
100000000000001.pem   100000000000003.pem  100000000000011.pem  100000000000069.pem  213412341235.pem  27060.pem         37062.pem  37068.pem  37080.pem  5050.pem   6051.pem  88888.pem  917571.pem
1000000000000023.pem  100000000000005.pem  100000000000020.pem  1.pem                213412341236.pem  32060.pem         37065.pem  37069.pem  37090.pem  5051.pem   801.pem   900.pem    98121.pem
[root@kvm-02-guest07 ~]# ls /etc/pki/product-default/
69.pem


2) modify the product cert file with junk values 
vi /etc/pki/product-default/69.pem

3)Execute subscription-manager list --installed 
[root@kvm-02-guest07 ~]# subscription-manager  list --installed
Error loading certificate

rhsm.log 
===========

2017-10-26 08:21:17,674 [INFO] subscription-manager:28056:MainThread @managercli.py:384 - Client Versions: {'python-rhsm': '1.17.9-1.el7', 'subscription-manager': '1.17.15-1.el7'}
2017-10-26 08:21:17,675 [INFO] subscription-manager:28056:MainThread @connection.py:830 - Connection built: host=subscription.rhsm.redhat.com port=443 handler=/subscription auth=identity_cert ca_dir=/etc/rhsm/ca/ verify=False
2017-10-26 08:21:17,675 [INFO] subscription-manager:28056:MainThread @connection.py:830 - Connection built: host=subscription.rhsm.redhat.com port=443 handler=/subscription auth=none
2017-10-26 08:21:17,699 [ERROR] subscription-manager:28056:MainThread @managercli.py:174 - exception caught in subscription-manager
Error loading certificate
2017-10-26 08:21:17,700 [ERROR] subscription-manager:28056:MainThread @managercli.py:175 - Error loading certificate
Traceback (most recent call last):
  File "/usr/sbin/subscription-manager", line 81, in <module>
    sys.exit(abs(main() or 0))
  File "/usr/sbin/subscription-manager", line 72, in main
    return managercli.ManagerCLI().main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 2744, in main
    return CLI.main(self)
  File "/usr/lib/python2.7/site-packages/subscription_manager/cli.py", line 160, in main
    return cmd.main()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 526, in main
    return_code = self._do_command()
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 2294, in _do_command
    iproducts = get_installed_product_status(self.product_dir, self.entitlement_dir, self.cp, self.options.filter_string)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 238, in get_installed_product_status
    sorter = inj.require(inj.CERT_SORTER)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cert_sorter.py", line 322, in __init__
    self.installed_mgr = inj.require(inj.INSTALLED_PRODUCTS_MANAGER)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 433, in __init__
    self._setup_installed()
  File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 488, in _setup_installed
    for prod_cert in self.product_dir.list():
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 229, in list
    default_prod_list = self.default_prod_dir.list()
  File "/usr/lib/python2.7/site-packages/subscription_manager/certdirectory.py", line 121, in list
    listing.append(create_from_file(path))
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate.py", line 59, in create_from_file
    return _CertFactory().create_from_file(path)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 70, in create_from_file
    return self._read_x509(_certificate.load(path), path, pem)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 82, in _read_x509
    raise CertificateException("Error loading certificate")
CertificateException: Error loading certificate

Comment 4 Shwetha Kallesh 2017-11-10 09:15:32 UTC

Marking this bug as verified and for multiple corrupt cert issue the following bug has been logged:

https://bugzilla.redhat.com/show_bug.cgi?id=1506958

[root@dhcp35-121 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 2.2.0-1
subscription management rules: 5.26
subscription-manager: 1.20.5-1.el7


[root@dhcp35-121 ~]# ls /etc/pki/product/
100000000000000.pem   100000000000003.pem  100000000000020.pem  213412341234.pem  27060.pem  37065.pem  37070.pem  5050.pem  801.pem    908.pem
100000000000001.pem   100000000000005.pem  100000000000060.pem  213412341235.pem  

modified the product cert file with junk values 
vi /etc/pki/product-default/69.pem

[root@dhcp35-121 ~]# ls /etc/pki/product-default/
 69.pem 

[root@dhcp35-121 ~]# subscription-manager list --installed
System certificates corrupted. Please reregister.

[root@dhcp35-121 ~]# tail -f /var/log/rhsm/rhsm.log 
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))
error: Tunnel connection failed: 407 Proxy Authentication Required
2017-11-10 14:29:06,136 [ERROR] subscription-manager:4442:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2017-11-10 14:29:06,143 [INFO] subscription-manager:4442:MainThread @managercli.py:453 - X-Correlation-ID: bb4351be7527421d8edc3a69bb52f360
2017-11-10 14:29:06,144 [INFO] subscription-manager:4442:MainThread @managercli.py:342 - Client Versions: {'python-rhsm': '0.0.0-1', 'subscription-manager': '1.20.5-1.el7'}
2017-11-10 14:29:06,144 [INFO] subscription-manager:4442:MainThread @connection.py:836 - Connection built: host=F21-candlepin.usersys.redhat.com port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2017-11-10 14:29:06,145 [INFO] subscription-manager:4442:MainThread @connection.py:836 - Connection built: host=F21-candlepin.usersys.redhat.com port=8443 handler=/candlepin auth=none
2017-11-10 14:29:06,175 [ERROR] subscription-manager:4442:MainThread @managercli.py:506 - Error loading certificate: /etc/pki/product-default/69.pem

Comment 7 errata-xmlrpc 2018-04-10 09:47:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0681

Note You need to log in before you can comment on or make changes to this bug.