Bug 1450862 - Two golden ticket subscriptions attached on single system when system was not unregistered properly
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jiri Hnidek
QA Contact: John Sefler
Duplicates: 1450938
Reported: 2017-05-15 10:10 UTC by Rehana
Modified: 2017-08-01 19:23 UTC (History)

Fixed In Version: subscription-manager-1.19.15-1
Last Closed: 2017-08-01 19:23:41 UTC


Links
System ID Priority Status Summary Last Updated
Github candlepin subscription-manager pull 1630 None closed 1450862: remove obsolete certificates of golden ticket 2020-07-15 05:37:43 UTC
Red Hat Product Errata RHBA-2017:2083 normal SHIPPED_LIVE python-rhsm and subscription-manager bug fix and enhancement update 2017-08-01 18:14:19 UTC

Description Rehana 2017-05-15 10:10:19 UTC
Description of problem:
The test system failed to unregister successfully due to the following error: Unregister failed: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579). In order to solve the issue, I removed the consumer cert files manually from the /etc/pki/consumer directory. Now, after a successful registration, I see that two golden ticket subscriptions exist on the system, and it doesn't remove one even after trying subscription-manager refresh.

Version-Release number of selected component (if applicable):
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.1.0-1
subscription management rules: 5.23
subscription-manager: 1.19.12-1.el7
python-rhsm: 1.19.6-1.el7


How reproducible:


Steps to Reproduce:
1. Register client to content access mode enabled org (ex: snowwhite)

Registering to: F21-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: snowwhite
The system has been registered with ID: 79463b73-f079-49b6-98c8-95925060c8fb 
[root@dhcp35-238 consumer]# ll /etc/pki/entitlement/
total 8
-rw-------. 1 root root 1675 May 15 15:20 3253978700812051263-key.pem
-rw-r--r--. 1 root root 2878 May 15 15:20 3253978700812051263.pem

2. Now manually remove the consumer cert files from /etc/pki/consumer
[root@dhcp35-238 consumer]# ll
total 8
-rw-r-----. 1 root root 1277 May 15 15:20 cert.pem
-rw-r-----. 1 root root 1675 May 15 15:20 key.pem
[root@dhcp35-238 consumer]# rm -rf * 

3. Try to do a fresh registration
[root@dhcp35-238 consumer]# subscription-manager register --force
Registering to: F21-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: snowwhite
The system has been registered with ID: fc9b3597-c426-4c5f-b730-a1764c8d6a91 
5 local certificates have been deleted.
[root@dhcp35-238 consumer]# ll /etc/pki/entitlement/
total 16
-rw-------. 1 root root 1675 May 15 15:20 3253978700812051263-key.pem
-rw-r--r--. 1 root root 2878 May 15 15:20 3253978700812051263.pem
-rw-------. 1 root root 1675 May 15 15:21 4032998023026564994-key.pem
-rw-r--r--. 1 root root 2878 May 15 15:21 4032998023026564994.pem


[root@dhcp35-238 consumer]# rct cc /etc/pki/entitlement/3253978700812051263.pem --no-content --no-product

+-------------------------------------------+
	Entitlement Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/entitlement/3253978700812051263.pem
	Version: 3.3
	Serial: 3253978700812051263
	Start Date: 2017-05-15 08:49:15+00:00
	End Date: 2018-05-15 08:49:15+00:00
	Pool ID: Not Available

Subject:
	CN: 79463b73-f079-49b6-98c8-95925060c8fb
	O: snowwhite

Issuer:
	C: US
	CN: F21-candlepin.usersys.redhat.com
	L: Raleigh


Order:
	Name: Content Access
	Number: 
	SKU: content_access
	Contract: 
	Account: 
	Service Level: 
	Service Type: 
	Quantity: 
	Quantity Used: 1
	Socket Limit: 
	RAM Limit: 
	Core Limit: 
	Virt Only: False
	Stacking ID: 
	Warning Period: 0
	Provides Management: False

[root@dhcp35-238 consumer]# rct cc /etc/pki/entitlement/4032998023026564994.pem --no-content --no-product

+-------------------------------------------+
	Entitlement Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/entitlement/4032998023026564994.pem
	Version: 3.3
	Serial: 4032998023026564994
	Start Date: 2017-05-15 08:49:57+00:00
	End Date: 2018-05-15 08:49:57+00:00
	Pool ID: Not Available

Subject:
	CN: fc9b3597-c426-4c5f-b730-a1764c8d6a91
	O: snowwhite

Issuer:
	C: US
	CN: F21-candlepin.usersys.redhat.com
	L: Raleigh


Order:
	Name: Content Access
	Number: 
	SKU: content_access
	Contract: 
	Account: 
	Service Level: 
	Service Type: 
	Quantity: 
	Quantity Used: 1
	Socket Limit: 
	RAM Limit: 
	Core Limit: 
	Virt Only: False
	Stacking ID: 
	Warning Period: 0
	Provides Management: False

[root@dhcp35-238 consumer]# subscription-manager refresh
All local data refreshed
[root@dhcp35-238 consumer]# ll /etc/pki/entitlement/
total 16
-rw-------. 1 root root 1675 May 15 15:20 3253978700812051263-key.pem
-rw-r--r--. 1 root root 2878 May 15 15:20 3253978700812051263.pem
-rw-------. 1 root root 1675 May 15 15:22 4032998023026564994-key.pem
-rw-r--r--. 1 root root 2878 May 15 15:22 4032998023026564994.pem


Actual results:
Notice that two golden ticket subscriptions exist on the system; even after refresh, the first attached golden ticket subscription was not removed.

Expected results:
The system should have only one golden ticket entitlement attached.

Additional info:

Comment 2 Jiri Hnidek 2017-05-16 12:04:13 UTC
Maybe this PR fixes this problem too: https://github.com/candlepin/subscription-manager/pull/1624. I will try.

Comment 3 Jiri Hnidek 2017-05-16 20:21:11 UTC
No, this is not a duplicate bug, and PR https://github.com/candlepin/subscription-manager/pull/1624 doesn't help here.

Comment 4 Jiri Hnidek 2017-05-22 11:03:08 UTC
*** Bug 1450938 has been marked as a duplicate of this bug. ***

Comment 6 Rehana 2017-05-25 09:00:58 UTC
Reproducing the failure: 
========================

[root@ibm-x3250m3-01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.1.0-1
subscription management rules: 5.23
subscription-manager: 1.19.14-1.el7
python-rhsm: 1.19.6-1.el7

[root@ibm-x3250m3-01 ~]# subscription-manager register
Registering to: F21-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: snowwhite
The system has been registered with ID: 16889dcf-e575-4fff-a0f3-929a9ed5d82d 

[root@ibm-x3250m3-01 ~]# ll /etc/pki/entitlement/
total 8
-rw-------. 1 root root 1679 May 25 03:59 165905317496884634-key.pem
-rw-r--r--. 1 root root 2878 May 25 03:59 165905317496884634.pem

[root@ibm-x3250m3-01 ~]# subscription-manager list --consumed
No consumed subscription pools to list

[root@ibm-x3250m3-01 ~]# rct cc /etc/pki/entitlement/165905317496884634.pem --no-product --no-content

+-------------------------------------------+
	Entitlement Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/entitlement/165905317496884634.pem
	Version: 3.3
	Serial: 165905317496884634
	Start Date: 2017-05-25 06:59:10+00:00
	End Date: 2018-05-25 06:59:10+00:00
	Pool ID: Not Available

Subject:
	CN: 16889dcf-e575-4fff-a0f3-929a9ed5d82d
	O: snowwhite

Issuer:
	C: US
	CN: F21-candlepin.usersys.redhat.com
	L: Raleigh


Order:
	Name: Content Access
	Number: 
	SKU: content_access
	Contract: 
	Account: 
	Service Level: 
	Service Type: 
	Quantity: 
	Quantity Used: 1
	Socket Limit: 
	RAM Limit: 
	Core Limit: 
	Virt Only: False
	Stacking ID: 
	Warning Period: 0
	Provides Management: False

[root@ibm-x3250m3-01 ~]# ll /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1371 May 25 03:59 cert.pem
-rw-r-----. 1 root root 1679 May 25 03:59 key.pem
[root@ibm-x3250m3-01 ~]# rm -rf /etc/pki/consumer/*
[root@ibm-x3250m3-01 ~]# ll /etc/pki/consumer/
total 0
[root@ibm-x3250m3-01 ~]# 

[root@ibm-x3250m3-01 ~]# ll /etc/pki/entitlement/
total 8
-rw-------. 1 root root 1679 May 25 03:59 165905317496884634-key.pem
-rw-r--r--. 1 root root 2878 May 25 03:59 165905317496884634.pem

[root@ibm-x3250m3-01 ~]# subscription-manager register --force
Registering to: F21-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: snowwhite
The system has been registered with ID: 20f65a23-ade6-4c3a-9242-7ae902a33dd2 

[root@ibm-x3250m3-01 ~]# ll /etc/pki/entitlement/
total 16
-rw-------. 1 root root 1679 May 25 03:59 165905317496884634-key.pem
-rw-r--r--. 1 root root 2878 May 25 03:59 165905317496884634.pem
-rw-------. 1 root root 1679 May 25 04:01 4111243518403435993-key.pem
-rw-r--r--. 1 root root 2878 May 25 04:01 4111243518403435993.pem

[root@ibm-x3250m3-01 ~]# rct cc /etc/pki/entitlement/4111243518403435993.pem --no-product --no-content

+-------------------------------------------+
	Entitlement Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/entitlement/4111243518403435993.pem
	Version: 3.3
	Serial: 4111243518403435993
	Start Date: 2017-05-25 07:01:14+00:00
	End Date: 2018-05-25 07:01:14+00:00
	Pool ID: Not Available

Subject:
	CN: 20f65a23-ade6-4c3a-9242-7ae902a33dd2
	O: snowwhite

Issuer:
	C: US
	CN: F21-candlepin.usersys.redhat.com
	L: Raleigh


Order:
	Name: Content Access
	Number: 
	SKU: content_access
	Contract: 
	Account: 
	Service Level: 
	Service Type: 
	Quantity: 
	Quantity Used: 1
	Socket Limit: 
	RAM Limit: 
	Core Limit: 
	Virt Only: False
	Stacking ID: 
	Warning Period: 0
	Provides Management: False

[root@ibm-x3250m3-01 ~]# subscription-manager refresh
All local data refreshed
[root@ibm-x3250m3-01 ~]# ll /etc/pki/entitlement/
total 16
-rw-------. 1 root root 1679 May 25 03:59 165905317496884634-key.pem
-rw-r--r--. 1 root root 2878 May 25 03:59 165905317496884634.pem
-rw-------. 1 root root 1679 May 25 04:02 4111243518403435993-key.pem
-rw-r--r--. 1 root root 2878 May 25 04:02 4111243518403435993.pem

^^ Reproduced system with two golden ticket entitlement certificates

Updating the system to the latest subscription-manager packages from brew:
==========================================================================

[root@ibm-x3250m3-01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.1.0-1
subscription management rules: 5.23
subscription-manager: 1.19.15-1.el7
python-rhsm: 1.19.6-1.el7



[root@ibm-x3250m3-01 ~]# subscription-manager register
Registering to: F21-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: snowwhite
The system has been registered with ID: 35608924-f40a-4355-ac86-ca9721d53913 

[root@ibm-x3250m3-01 ~]# subscription-manager list --consumed
No consumed subscription pools to list

[root@ibm-x3250m3-01 ~]# ll /etc/pki/entitlement/
total 8
-rw-------. 1 root root 1675 May 25 04:52 7980981120534212659-key.pem
-rw-r--r--. 1 root root 2878 May 25 04:52 7980981120534212659.pem

[root@ibm-x3250m3-01 ~]# rct cc /etc/pki/entitlement/7980981120534212659.pem --no-content --no-product

+-------------------------------------------+
	Entitlement Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/entitlement/7980981120534212659.pem
	Version: 3.3
	Serial: 7980981120534212659
	Start Date: 2017-05-25 07:52:17+00:00
	End Date: 2018-05-25 07:52:17+00:00
	Pool ID: Not Available

Subject:
	CN: 35608924-f40a-4355-ac86-ca9721d53913
	O: snowwhite

Issuer:
	C: US
	CN: F21-candlepin.usersys.redhat.com
	L: Raleigh


Order:
	Name: Content Access
	Number: 
	SKU: content_access
	Contract: 
	Account: 
	Service Level: 
	Service Type: 
	Quantity: 
	Quantity Used: 1
	Socket Limit: 
	RAM Limit: 
	Core Limit: 
	Virt Only: False
	Stacking ID: 
	Warning Period: 0
	Provides Management: False

[root@ibm-x3250m3-01 ~]# rm -rf /etc/pki/consumer/*
[root@ibm-x3250m3-01 ~]# ll /etc/pki/consumer/*
ls: cannot access /etc/pki/consumer/*: No such file or directory

[root@ibm-x3250m3-01 ~]# ll /etc/pki/entitlement/
total 8
-rw-------. 1 root root 1675 May 25 04:52 7980981120534212659-key.pem
-rw-r--r--. 1 root root 2878 May 25 04:52 7980981120534212659.pem

[root@ibm-x3250m3-01 ~]# subscription-manager register --force
Registering to: F21-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: snowwhite
The system has been registered with ID: 9b0618c5-01de-4b65-b034-1c75153c0e7d 
1 local certificate has been deleted.

[root@ibm-x3250m3-01 ~]# ll /etc/pki/entitlement/
total 8
-rw-------. 1 root root 1675 May 25 04:54 4619315142839584121-key.pem
-rw-r--r--. 1 root root 2878 May 25 04:54 4619315142839584121.pem
[root@ibm-x3250m3-01 ~]# rct cc /etc/pki/entitlement/4619315142839584121.pem --no-content --no-product

+-------------------------------------------+
	Entitlement Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/entitlement/4619315142839584121.pem
	Version: 3.3
	Serial: 4619315142839584121
	Start Date: 2017-05-25 07:54:34+00:00
	End Date: 2018-05-25 07:54:34+00:00
	Pool ID: Not Available

Subject:
	CN: 9b0618c5-01de-4b65-b034-1c75153c0e7d
	O: snowwhite

Issuer:
	C: US
	CN: F21-candlepin.usersys.redhat.com
	L: Raleigh


Order:
	Name: Content Access
	Number: 
	SKU: content_access
	Contract: 
	Account: 
	Service Level: 
	Service Type: 
	Quantity: 
	Quantity Used: 1
	Socket Limit: 
	RAM Limit: 
	Core Limit: 
	Virt Only: False
	Stacking ID: 
	Warning Period: 0
	Provides Management: False

^^ Observed that the old golden ticket entitlement certificate was removed and a new golden ticket subscription was attached.

Based on the above observation, marking this bug as verified!!
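
An added example (not part of the bug report and not subscription-manager's own code): the comparison done by eye in the description and in comment 6, flagging entitlement certificates whose Subject CN is not the currently registered consumer ID. The function names and the abridged sample text are constructed for illustration; the serials and UUIDs are the ones from the description.

```python
import re
from collections import Counter

# Abridged `rct cc` output, constructed from the values in the description
# (most Order fields omitted). OLD is the certificate that was left behind.
OLD = """\
Certificate:
\tPath: /etc/pki/entitlement/3253978700812051263.pem
\tSerial: 3253978700812051263

Subject:
\tCN: 79463b73-f079-49b6-98c8-95925060c8fb
\tO: snowwhite

Order:
\tName: Content Access
\tSKU: content_access
"""
NEW = (OLD.replace("3253978700812051263", "4032998023026564994")
          .replace("79463b73-f079-49b6-98c8-95925060c8fb",
                   "fc9b3597-c426-4c5f-b730-a1764c8d6a91"))


def parse_rct(text):
    """Turn `rct cc` text into {section: {field: value}}."""
    cert, section = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([^:+]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines, the banner and its +---+ rules
        indent, key, value = m.groups()
        if not indent:  # an unindented "Subject:" opens a section
            section = cert.setdefault(key.strip(), {})
        elif section is not None:
            section[key.strip()] = value.strip()
    return cert


def audit(consumer_id, dumps):
    """Return (paths of certs issued to another consumer, SKUs held twice)."""
    certs = [parse_rct(d) for d in dumps]
    stale = [c.get("Certificate", {}).get("Path") for c in certs
             if c.get("Subject", {}).get("CN") != consumer_id]
    skus = Counter(c.get("Order", {}).get("SKU") for c in certs)
    return stale, sorted(s for s, n in skus.items() if s and n > 1)


if __name__ == "__main__":
    # ID printed by `subscription-manager register --force` in step 3.
    print(audit("fc9b3597-c426-4c5f-b730-a1764c8d6a91", [OLD, NEW]))
```

On a live system the consumer ID comes from `subscription-manager identity` and each dump from `rct cc` on one file in /etc/pki/entitlement.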

Comment 7 errata-xmlrpc 2017-08-01 19:23:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2083

