RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1971995 - [RFE] Improved error messages with subscription-manager
Summary: [RFE] Improved error messages with subscription-manager
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: 8.8
Assignee: Pino Toscano
QA Contact: Red Hat subscription-manager QE Team
Jacob Taylor Valdez
URL:
Whiteboard:
: 1712796 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-15 00:27 UTC by Rich Jerrido
Modified: 2023-05-16 11:09 UTC (History)
5 users (show)

Fixed In Version: subscription-manager-1.28.35-1.el8
Doc Type: Release Note
Doc Text:
Clone Of:
: 2126981 (view as bug list)
Environment:
Last Closed: 2023-05-16 09:07:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github candlepin subscription-manager pull 3163 0 None Merged [1.28] [1971995] ENT-5345: improve various error messages 2022-12-12 11:54:07 UTC
Red Hat Issue Tracker ENT-5345 0 None None None 2022-09-15 03:36:32 UTC
Red Hat Knowledge Base (Solution) 4197301 0 Troubleshoot None System Certificates Corrupted 2022-12-12 14:49:31 UTC
Red Hat Product Errata RHBA-2023:2984 0 None None None 2023-05-16 09:07:36 UTC

Description Rich Jerrido 2021-06-15 00:27:59 UTC 
In many cases with complex environments, especially those with proxy servers, users will get had to decipher error messages with subscription-manager. 

This RFE covers improving the sometimes cryptic error messages of

“Invalid credentials.”
• Corresponded KBase as https://access.redhat.com/solutions/2435981

And 
“Network error. Please check the connection details, or see /var/log/rhsm/rhsm.log
for more information.”
• Corresponded KBase as https://access.redhat.com/articles/4398051

In both scenarios, additional troubleshooting steps could be provided in the error message itself. 

Alternatively, the error message can direct the user to the corresponding KCS document.
Comment 2 Pino Toscano 2022-09-15 03:36:32 UTC 
Following an internal team discussion, we decided to improve some of the error messages to print more information on what actually happened. This should be hopefully helpful and actionable for users.

In particular, this BZ will cover the following cases:


* "Network error, unable to connect to server. Please see ..."

This represents a number of network related issues.

For any error related to the network name resolution, the proposed error message is:
| Network error: <error message> (error code <error code>)

for example:
| Network error: Name or service not known (error code -2)

For any error related to the network connection itself, the proposed error message is:
| Connection error: <error message> (error code <error code>)

for example:
| Connection error: Connection refused (error code 111)

In both cases, the error message/code is as reported by the low level network bits in the Linux stack.


* "Network error. Please check the connection details, ..."

Despite the "network” mention, this represents a reply from the server in case the content cannot be parsed as JSON, and the HTTP error code is different than 200, 202, 204, 304, 401, 403, 404, 410, 429, 500, 502, 503, 504.

In case there is a content in the server reply, the proposed error message is:
| Unknown server reply (HTTP error code <error code>: <error message>):
| <content>

for example:
| Unknown server reply (HTTP error code 400: Bad Request):
| <html>
| <body>
| [etc]

In case there is no content in the server reply, the proposed error message is:
| Unknown server reply (HTTP error code <error code>: <error message>)

for example:
| Unknown server reply (HTTP error code 400: Bad Request)


* "Proxy connection failed, please check your settings."

This represents errors related to the connection to the proxy server.

For any error related to the network name resolution of the proxy server, the proposed error message is:
| Proxy error: proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:
| Proxy error: proxy_hostname:proxy_port: Name or service not known (error code -2)

For any error related to the connection to the proxy server, the proposed error message is:
| Proxy error: unable to connect to proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:
| Proxy error: unable to connect to proxy_hostname:proxy_port: Connection refused (error code 111)

The error message/code is as reported by the low level network bits in the Linux stack.


* "Unable to reach the server at <host>:<port>/<path>”

This error is printed when the initial connection to the entitlement server cannot be established; usually they refer to proxy errors.

For any error related to the connection to the proxy server, the proposed error message is:
| Unable to reach the server at hostname:port/path: <error message>

for example:
| Unable to reach the server at hostname:port/path: Tunnel connection failed: 500 Unable to connect
| Unable to reach the server at hostname:port/path: Tunnel connection failed: 407 Proxy Authentication Required


* "Bad CA certificate: <file>”

This error is printed when any of the .pem files in the CA directory of subscription-manager (the default is /etc/rhsm/ca/) is not a valid PEM file with certificates. This generally should not happen, unless a custom faulty certificate is added to that directory.

The proposed error message is:
| Bad CA certificate: <file>: <error message>

for example:
| Bad CA certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by the Python ssl module or OpenSSL directly.


* "System certificates corrupted. Please reregister."

This error is printed when any of the products .pem files in /etc/pki/product-default/ is not a valid PEM file with certificates. This generally should not happen, as the certificates in that directory are provided by Red Hat.

The proposed error message is:
| Bad product certificate: <file>: <error message>

for example:
| Bad product certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by the Python ssl module or OpenSSL directly.
Comment 3 Pino Toscano 2022-12-12 14:49:31 UTC 
*** Bug 1712796 has been marked as a duplicate of this bug. ***
Comment 14 John Sefler 2023-01-24 16:35:10 UTC 
Note: The changes introduced by this RFE are informational (not functional), hence there are many string changes that include dynamic reasons and codes as returned by the server that were previously buried in the rhsm.log file and are now presented to the user on the command line.  These design details were presented in comment 2.

Here is one simple example of the information presented by subscription-manager on the command line before and after the changes for this RFE...

BEFORE fix for RFE Bug 1971995:
[root@rhel87 ~]# rpm -q subscription-manager
subscription-manager-1.28.32-1.el8.aarch64
[root@rhel87 ~]# subscription-manager register --proxy=foo
Proxy connection failed, please check your settings.
[root@rhel87 ~]# 

AFTER fix for RFE Bug 1971995:
[root@rhel88 ~]# rpm -q subscription-manager
subscription-manager-1.28.35-1.el8.aarch64
[root@rhel88 ~]# subscription-manager register --proxy=foo
Proxy error: unable to connect to foo:3128: Name or service not known (error code -2)
[root@rhel88 ~]# 

VERIFIED: The new message explains with detail that the system was "unable to connect to foo:3128" which includes the poorly specified proxy server "foo" and a reason why it was poor "Name or service not known".  An error code was also shared.  This new informative message exceeds the original "Proxy connection failed, please check your settings".

Moving to VERIFIED based on the automated test results in comment 12 and comment 13 above.
Comment 18 errata-xmlrpc 2023-05-16 09:07:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2984
Note You need to log in before you can comment on or make changes to this bug.