Bug 2044606 - New version of Candlepin now has org in entitlement certificate and causes authorization issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Subscription Management
Version: 6.11.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: 6.11.0
Assignee: Chris Roberts
QA Contact: Danny Synk
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-24 19:56 UTC by Chris Roberts
Modified: 2022-07-05 14:32 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2047345 (view as bug list)
Environment:
Last Closed: 2022-07-05 14:32:22 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 34306 | 0 | Normal | Assigned | New version of Candlepin now has org in entitlement certificate and causes authorization issues | 2022-01-24 19:56:23 UTC
Github | Katello katello pull 9902 | 0 | None | open | Fixes #34306 - Update how we parse CN from subman identity certs | 2022-01-24 20:10:46 UTC
Red Hat Bugzilla | 2034349 | 1 | None | None | None | 2022-07-05 14:31:28 UTC
Red Hat Product Errata | RHSA-2022:5498 | 0 | None | None | None | 2022-07-05 14:32:30 UTC

Internal Links: 2034349

Description Chris Roberts 2022-01-24 19:56:23 UTC
Description of problem:

With the new build of Candlepin 4.1.10, they have changed the way entitlement certificates are generated. Before, they would look like:

Subject: CN=eb48d5a8-b759-417c-97f7-93dc2369de29

Now the new cert looks like:

Subject: O=Default_Organization, CN=eb48d5a8-b759-417c-97f7-93dc2369de29

So we get an unauthorized because of the way we parse the ID, which now comes back looking like:

"/O=Default_Organizationeb48d5a8-b759-417c-97f7-93dc2369de29"

This issue is to address the way we grab the CN from the cert so it works for the new version of Candlepin and the older versions.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install nightly devel box or 7.0
2. Upgrade candlepin to 4.1.10 from here https://brewweb.engineering.redhat.com/brew/packageinfo?packageID=30479
3. Follow the steps here to update it: https://theforeman.org/plugins/katello/developers.html#upgrading-candlepin

Actual results:
Trying to either register a client or talk to the /rhsm endpoint on Katello returns a 401 unauthorized error. We see the register work the first time since that is user/pass, but the 2nd call to the /rhsm endpoint fails since we use the identity cert.

Expected results:
Client registrations are able to work correctly and do not get a 401 unauthorized error

Additional info:

Candlepin team confirmed this change was intentional:

<bcourt> Toledo, yes, adding the org-id to the identity cert was intentional
<bcourt> basically, consistency with the entitlement certs
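
The parsing failure described above, as an added example that is not part of the bug report and is not Katello's code. It assumes the old behaviour amounted to deleting the "/CN=" marker from the one-line subject string, which reproduces the value quoted in the report; `brittle_uuid`, `consumer_uuid` and the sample subjects are hypothetical names built from the values in the description.

```ruby
require 'openssl'

# Consumer identity certs carry a UUID in the CN (format taken from the report).
UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Brittle (assumed shape of the old logic): strip "/CN=" from the one-line
# subject. Any extra RDN, such as O=, leaks into the returned identity.
def brittle_uuid(subject)
  subject.to_s.sub(%r{/CN=}i, '')
end

# Structured: walk the RDNs, require exactly one CN, and require that it is a
# well-formed UUID. Anything else returns nil so the caller can fail closed
# instead of authorizing against a malformed identity.
def consumer_uuid(subject)
  cns = subject.to_a.select { |field, _value, _type| field == 'CN' }
               .map { |_field, value, _type| value }
  return nil unless cns.length == 1

  UUID_RE.match?(cns.first) ? cns.first : nil
end

# Constructed sample subjects using the values quoted in the description.
OLD_SUBJECT = OpenSSL::X509::Name.parse(
  '/CN=eb48d5a8-b759-417c-97f7-93dc2369de29'
)
NEW_SUBJECT = OpenSSL::X509::Name.parse(
  '/O=Default_Organization/CN=eb48d5a8-b759-417c-97f7-93dc2369de29'
)

if __FILE__ == $PROGRAM_NAME
  [OLD_SUBJECT, NEW_SUBJECT].each do |subject|
    puts "subject:    #{subject}"
    puts "  brittle:    #{brittle_uuid(subject).inspect}"
    puts "  structured: #{consumer_uuid(subject).inspect}"
  end
end
```

Extracting the CN by attribute name keeps the lookup independent of RDN order and of any attributes a future Candlepin release adds to the subject.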

Comment 2 Bryan Kearney 2022-01-25 20:05:29 UTC
Upstream bug assigned to chrobert

Comment 3 Bryan Kearney 2022-01-25 20:05:30 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/34306 has been resolved.

Comment 8 Danny Synk 2022-05-04 15:43:20 UTC
Verified on Satellite 6.11, snap 18.5 running on RHEL 8 (candlepin-4.1.12-1.el8sat.noarch).

Steps to Test:
1. Deploy Satellite 6.11.
2. Register a host to Satellite using the Hosts > Register Hosts workflow.

Expected Results:
The host is registered successfully.

Actual Results:
The host is registered successfully.

Comment 11 errata-xmlrpc 2022-07-05 14:32:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

