Bug 1452075 - register --force option when provided with --serverurl option throws [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)
Summary: register --force option when provided with --serverurl option throws [SSL: SS...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.4
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: Jiri Hnidek
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-18 09:54 UTC by Shwetha Kallesh
Modified: 2017-08-01 19:23 UTC (History)
4 users (show)

Fixed In Version: subscription-manager-1.19.18-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 19:23:41 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github candlepin subscription-manager pull 1643 None None None 2017-05-30 15:15:40 UTC
Red Hat Product Errata RHBA-2017:2083 normal SHIPPED_LIVE python-rhsm and subscription-manager bug fix and enhancement update 2017-08-01 18:14:19 UTC

Description Shwetha Kallesh 2017-05-18 09:54:32 UTC
Description of problem:
register --force option when provided with --serverurl option throws [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)

Version-Release number of selected component (if applicable):
[root@dhcp71-112 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.23-1
subscription management rules: 5.15.1
subscription-manager: 1.19.14-1.el7
python-rhsm: 1.19.6-1.el7


How reproducible:


Steps to Reproduce:
[root@dhcp71-112 ~]# subscription-manager register --force --serverurl Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Unregistering from: Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Unregister failed: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)


Actual results:
Unregistering from: Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Unregister failed: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)


Expected results:
Unregistering from:  Shwetha-candlepin.usersys.redhat.com:8443/candlepin
Invalid credentials.

Additional info:

Comment 2 Kevin Howell 2017-05-18 15:00:37 UTC
Shwetha, what is the value of insecure (in section server) in rhsm.conf? This behavior is expected if:
1) The candlepin you are unregistering from uses an untrusted cert.
2) The value of insecure is 0.

Comment 3 Shwetha Kallesh 2017-05-19 06:56:01 UTC
Kevin,


[root@dhcp71-112 ~]# cat /etc/rhsm/rhsm.conf| grep insecure
insecure = 0

       inscure value in rhsm.conf is 0 but I believe we can throw a better a message than "[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)".

Comment 4 Kevin Howell 2017-05-22 14:12:25 UTC
What we'll do is change the language to what we use in other places for SSL issues: _('Unable to verify server\'s identity: %s')

Comment 6 Shwetha Kallesh 2017-06-08 13:42:17 UTC
[root@dhcp35-135 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.0.33-1
subscription management rules: 5.23
subscription-manager: 1.19.18-1.el7
python-rhsm: 1.19.9-1.el7


[root@dhcp35-135 ~]# cat /etc/rhsm/rhsm.conf| grep insecure
insecure = 0


[root@dhcp35-135 ~]# subscription-manager register --force --serverurl skallesh-candlepin.usersys.redhat.com:8443/candlepin
Unregistering from: skallesh-candlepin.usersys.redhat.com:8443/candlepin
Unable to verify server's identity: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:579)

Comment 7 errata-xmlrpc 2017-08-01 19:23:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2083


Note You need to log in before you can comment on or make changes to this bug.