Bug 1967781 - subscription-manager-rhsm-certificates is missing the certificates
Summary: subscription-manager-rhsm-certificates is missing the certificates
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Assignee: Carl George 🤠
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-03 22:13 UTC by Brian Lane
Modified: 2021-07-27 22:07 UTC (History)

Fixed In Version: subscription-manager-1.28.19-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 22:06:57 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github candlepin subscription-manager pull 2713 0 None closed Do not ship initial-setup in CentOS 2021-07-21 15:12:09 UTC

Internal Links: 1984235

Description Brian Lane 2021-06-03 22:13:07 UTC
Description of problem:

Trying to register a CentOS Stream 8 system using my employee account and the staging server returns:

Error: CA certificate for subscription service has not been installed.

The subscription-manager-rhsm-certificates package only has empty directories included:

# rpm -ql subscription-manager-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca

# rpm -q subscription-manager-rhsm-certificates
subscription-manager-rhsm-certificates-1.28.16-1.el8.x86_64


But on Fedora 33 this works fine, and subscription-manager-rhsm-certificates included:

# rpm -ql subscription-manager-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/redhat-entitlement-authority.pem
/etc/rhsm/ca/redhat-uep.pem
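
A check for the condition reported above, as an added example that is not part of the original report or of subscription-manager: it confirms that both CA files from the Fedora listing exist in /etc/rhsm/ca and look like PEM certificates. The function name check_rhsm_ca, the "strict" argument and the PEM-marker test are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the RHSM CA trust
# anchors are present. The directory and file names come from the rpm -ql
# output above; check_rhsm_ca and the "strict" mode are hypothetical names.

check_rhsm_ca() {
    ca_dir="${1:-/etc/rhsm/ca}"
    mode="${2:-basic}"      # "strict" also parses each file with openssl
    missing=0

    if [ ! -d "$ca_dir" ]; then
        echo "MISSING directory: $ca_dir"
        return 2
    fi

    for name in redhat-uep.pem redhat-entitlement-authority.pem; do
        f="$ca_dir/$name"
        if [ ! -s "$f" ]; then
            # Absent or zero-length: the state of the 1.28.16-1.el8 package.
            echo "MISSING: $f"
            missing=$((missing + 1))
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "NOT PEM: $f"
            missing=$((missing + 1))
        elif [ "$mode" = strict ] &&
             ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            # openssl fails here if the file does not parse or has expired.
            echo "INVALID OR EXPIRED: $f"
            missing=$((missing + 1))
        else
            echo "OK: $f"
        fi
    done

    # Exit status 0 only when every expected trust anchor passed.
    [ "$missing" -eq 0 ]
}

# Usage on a real system:
#   check_rhsm_ca /etc/rhsm/ca strict || echo "registration will fail"
```

A non-zero status on a system with the package installed means the package shipped only the empty directories.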

Comment 1 Brian Stinson 2021-07-16 16:50:41 UTC
We can relax our debranding in CentOS Stream and ship these certificates. Do we know if there's a subscription-manager release bump planned soon?

Comment 2 Pino Toscano 2021-07-19 04:17:05 UTC
Hi Brian,

can you please list the use cases for registering a CentOS Stream 8 system with Red Hat? Since the Red Hat product certificates are removed as part of the Red Hat debranding in CentOS (e.g. [1]), having the use cases explicitly known will help to decide whether to keep them or not in CentOS as branding exception.
(I'm not arguing against this BTW, merely asking for the use cases for public recording here.)

Thanks in advance!

[1] https://git.centos.org/rpms/subscription-manager/c/3dfccf9f6f91422bcbe01e6fba2cf1b03ef69f21?branch=c8s

Comment 3 Pino Toscano 2021-07-19 04:21:10 UTC
(In reply to Brian Stinson from comment #1)
> We can relax our debranding in CentOS Stream and ship these certificates. Do
> we know if there's a subscription-manager release bump planned soon?

We don't have a regular release cadence, see:
https://github.com/candlepin/subscription-manager/tags
In particular, the 1.28.x versions, taken from the subscription-manager-1.28 branch, are targeted currently at RHEL 8.x.

Comment 4 Brian Lane 2021-07-19 16:12:14 UTC
(In reply to Pino Toscano from comment #2)
> Hi Brian,
> 
> can you please list the use cases for registering a CentOS Stream 8 system
> with Red Hat? Since the Red Hat product certificates are removed as part of
> the Red Hat debranding in CentOS (e.g. [1]), having the use cases explicitly
> known will help to decide whether to keep them or not in CentOS as branding
> exception.
> (I'm not arguing against this BTW, merely asking for the use cases for
> public recording here.)
> 
> Thanks in advance!
> 
> [1] https://git.centos.org/rpms/subscription-manager/c/3dfccf9f6f91422bcbe01e6fba2cf1b03ef69f21?branch=c8s

Sure, it would help developers (me) test new features, and I can imagine it helping in situations where CentOS is used as a CI platform. My use case is being able to use my employee subscription to test building images using osbuild-composer.

Comment 5 Pino Toscano 2021-07-21 08:27:04 UTC
Summing up a recent discussion (mostly on IRC) with Carl George:
a) currently, subscription-manager has changes to remove its "Red Hat branding", and to make it disabled by default (see below)
b) anaconda-core requires subscription-manager packages
c) subscription-manager-initial-setup-addon (part of subscription-manager) supplements initial-setup-gui, which is installed by @gnome-desktop (dnf pulls any package that supplements a package to install)
d) the CentOS comps do not install subscription-manager or any of its packages
Because of (b) (and (c), even though that is currently stripped by the branding changes), subscription-manager is installed in GUI installations, and that explains its being disabled by default.

Since we want to have subscription-manager usable in CentOS, the plan we discussed is the following:
1) patch anaconda (which already has CentOS changes) to not require subscription-manager
2) disable altogether subscription-manager-initial-setup-addon in CentOS: this is done as there is little value to subscribe a non-RHEL system with the initial setup GUI, and it can be done manually later on anyway; Carl opened a PR for subscription-manager to do this [1] (thanks!)
3) remove any branding or changes to subscription-manager in CentOS

With the above changes, subscription-manager should not be pulled automatically anymore; once installed manually, it will be fully functional, as you expect if you install it.

[1] https://github.com/candlepin/subscription-manager/pull/2713

Comment 6 Carl George 🤠 2021-07-22 15:12:50 UTC
The c8s build of subscription-manager-1.28.19-1.el8 no longer removes the certificates. Please test that registration works now with this package version.

Comment 7 Brian Lane 2021-07-22 21:38:48 UTC
(In reply to Carl George 🤠 from comment #6)
> The c8s build of subscription-manager-1.28.19-1.el8 no longer removes the
> certificates.  Please test that registration works now with this package
> version.

Looks good, thanks!

