RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1888067 - rhsm-migrate-classic-to-rhsm fails to prompt me for the destination credentials; instead I get HTTP error (401 - Unauthorized): Invalid user credentials
Summary: rhsm-migrate-classic-to-rhsm fails to prompt me for the destination credentia...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-13 22:37 UTC by John Sefler
Modified: 2020-11-03 20:46 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-20 13:41:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description John Sefler 2020-10-13 22:37:39 UTC
Description of problem:

When using rhn-migrate-classic-to-rhsm without explicitly declaring the --destination-url, I encounter a "HTTP error (401 - Unauthorized): Invalid user credentials" error.  I expected to be interactively prompted for the destination credentials.  The destination url information is already configured in rhsm.conf.  Hence the workaround is to pass --destination-url as shown in the Additional info section below.


Version-Release number of selected component (if applicable):
[root@kvm-06-guest36 ~]# rpm -q subscription-manager
subscription-manager-1.27.16-1.el8.x86_64


How reproducible:


Steps to Reproduce:


[root@kvm-06-guest36 ~]# rhnreg_ks --serverUrl=https://rhsm-sat58.usersys.redhat.com/XMLRPC --username=rhsm-client --password=REDACTED --profilename=rhsm-automation.kvm-06-guest36.hv2.lab.eng.bos.redhat.com --force --norhnsd --nohardware --nopackages --novirtinfo
[root@kvm-06-guest36 ~]# 
[root@kvm-06-guest36 ~]# subscription-manager config --server.hostname=subscription.rhsm.stage.redhat.com
[root@kvm-06-guest36 ~]# subscription-manager config --server.port=443
[root@kvm-06-guest36 ~]# subscription-manager config --server.prefix=/subscription
[root@kvm-06-guest36 ~]# 
[root@kvm-06-guest36 ~]# truncate --size=0 /var/log/rhsm/rhsm.log
[root@kvm-06-guest36 ~]# 
[root@kvm-06-guest36 ~]# rhn-migrate-classic-to-rhsm --force
Legacy username: rhsm-client
Legacy password: 
Unable to connect to certificate server: HTTP error (401 - Unauthorized): Invalid user credentials.  See /var/log/rhsm/rhsm.log for more details.
[root@kvm-06-guest36 ~]# 

BANG! DID NOT EXPECT THAT RESPONSE.  INSTEAD I EXPECTED TO BE PROMPTED FOR DESTINATION CREDENTIALS

[root@kvm-06-guest36 ~]# cat /var/log/rhsm/rhsm.log
2020-10-13 18:07:01,767 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @https.py:56 - Using standard libs to provide httplib and ssl
2020-10-13 18:07:19,630 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:169 - Environment variable NO_PROXY= will be used
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:265 - Connection built: host=subscription.rhsm.stage.redhat.com port=443 handler=/subscription auth=basic username=rhsm-client
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @identity.py:139 - Loading consumer info from identity certificates.
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @identity.py:154 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:685 - Making request: GET /subscription/status
2020-10-13 18:07:19,633 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:570 - Loaded CA certificates from /etc/rhsm/ca/: rhsm-auto8-candlepin.pem, rhsm-auto8-gate-candlepin.pem, redhat-entitlement-authority.pem, redhat-uep.pem
2020-10-13 18:07:20,009 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:779 - Response time: 0.2996184825897217, Smoothed response time: 0.2996184825897217
2020-10-13 18:07:20,009 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:756 - Response: status=200, requestUuid=85df33b1-f225-4bf8-a753-53c115e0cec1, request="GET /subscription/status"
2020-10-13 18:07:20,165 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:685 - Making request: GET /subscription/users/rhsm-client/owners
2020-10-13 18:07:20,166 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:570 - Loaded CA certificates from /etc/rhsm/ca/: rhsm-auto8-candlepin.pem, rhsm-auto8-gate-candlepin.pem, redhat-entitlement-authority.pem, redhat-uep.pem
2020-10-13 18:07:20,732 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:779 - Response time: 0.298846960067749, Smoothed response time: 0.29954133033752445
2020-10-13 18:07:20,732 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:756 - Response: status=401, requestUuid=bb11a176-966e-446d-bb74-b4de5aa6cd3e, request="GET /subscription/users/rhsm-client/owners"
2020-10-13 18:07:20,732 [ERROR] rhn-migrate-classic-to-rhsm:981821:MainThread @migrate.py:299 - HTTP error (401 - Unauthorized): Invalid user credentials
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/migrate/migrate.py", line 297, in get_org
    owner_list = self.cp.getOwnerList(username)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 1306, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 880, in request_get
    return self._request("GET", method, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 906, in _request
    info=info, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 765, in _request
    self.validateResponse(result, request_type, handler)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 839, in validateResponse
    raise RestlibException(response['status'], error_msg, response.get('headers'))
rhsm.connection.RestlibException: HTTP error (401 - Unauthorized): Invalid user credentials

Actual results:
  above - Unable to connect to certificate server: HTTP error (401 - Unauthorized): Invalid user credentials.  See /var/log/rhsm/rhsm.log for more details.

Expected results:
  expected the rhn-migrate-classic-to-rhsm tool to prompt me for a destination username and destination password



Additional info:

Notice below that when I explicitly pass the destination url as an argument, then the tool interactively prompts me for destination credentials and migration is successful.  This is a workaround...

[root@kvm-06-guest36 ~]# rhn-migrate-classic-to-rhsm --force --destination-url=https://subscription.rhsm.stage.redhat.com:443/subscription
Legacy username: rhsm-client
Legacy password: 
Destination username: stage_auto_testuser
Destination password: 

Retrieving existing legacy subscription information...

+-----------------------------------------------------+
System is currently subscribed to these legacy channels:
+-----------------------------------------------------+
rhel-x86_64-baseos-8

+-----------------------------------------------------+
Installing product certificates for these legacy channels:
+-----------------------------------------------------+
rhel-x86_64-baseos-8

Product certificates installed successfully to /etc/pki/product.

Preparing to unregister system from legacy server...
System successfully unregistered from legacy server.
Stopping and disabling legacy services...

Attempting to register system to destination server...
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
The system has been registered with ID: 3a452eb6-e934-4656-8b04-1f41bfff851e
The registered system name is: kvm-06-guest36.hv2.lab.eng.bos.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

System 'kvm-06-guest36.hv2.lab.eng.bos.redhat.com' successfully registered.

[root@kvm-06-guest36 ~]#

Comment 2 John Sefler 2020-10-14 00:50:13 UTC
As I think more about this test report and reflect on the original design for rhn-migrate-classic-to-rhsm, I believe this is working as designed and here is why...  Since the server that is configured in the rhsm.conf file is a regex match for both hosted entitlement servers (subscription.rhsm(.stage).redhat.com), the assumption is that the user credentials that were used to register the system to the old hosted RHN would be the same credentials as used in the migration to the new RHSM.  Therefore, it makes sense that the rhn-migrate-classic-to-rhsm did not prompt me for destination credentials in comment 0 because the assumption is that the migration from the old RHN to the new RHSM would use the same Red Hat account.  That is why the rhsm.log file encounters a 401 Unauthorized on request="GET /subscription/users/rhsm-client/owners".  In fact, the purpose for the --destination-url argument was intended to specify a non-hosted account, e.g. an onpremise satellite6 server.

This explains the behavior in comment 0 and comment 1 and is therefore working as has always been designed.  So the question now is... why is this being reported now?  The answer is because RHSMQE has test coverage for this scenario that has traditionally been executed as a tier3 test against a local onpremise candlepin whose url is not a match to subscription.rhsm(.stage).redhat.com.  Due to recent initiatives by RHSMQE to start executing tier3 tests against stage, this test failure arose.

I vote to move this to CLOSED NOTABUG.

Comment 3 Rehana 2020-10-20 13:41:55 UTC
As per comment 2, closing this as not a bug.


Note You need to log in before you can comment on or make changes to this bug.