RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2095301 - RFE: For dnf operations against Red Hat CDN, enable OCSP stapling verification [rhel-9.0.0.z]
Summary: RFE: For dnf operations against Red Hat CDN, enable OCSP stapling verificatio...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: subscription-manager
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 9.0
Assignee: Pino Toscano
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On: 2075455
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-06-09 13:34 UTC by RHEL Program Management Team
Modified: 2022-08-09 10:30 UTC (History)
8 users (show)

Fixed In Version: subscription-manager-1.29.26.1-1.el9_0
Doc Type: Enhancement
Doc Text:
Clone Of: 2075455
Environment:
Last Closed: 2022-08-09 10:30:43 UTC
Type: ---
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github candlepin subscription-manager pull 3067 0 None Merged [1.29.26] 2095301: enable sslverifystatus on repos if advertized by CP 2022-06-10 07:31:30 UTC
Red Hat Issue Tracker RHELPLAN-124801 0 None None None 2022-06-09 13:56:13 UTC
Red Hat Product Errata RHBA-2022:5944 0 None None None 2022-08-09 10:30:46 UTC

Comment 1 Zdenek Petracek 2022-06-21 13:01:30 UTC 
Pre-verification:

Scenario1:Verify the "sslverifystatus" is added to each repos in /etc/yum.repos.d/redhat.repo when candlepin supports the "ssl_verify_status" capability	

Version:
[root@kvm-02-guest24 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.29.26+3.g56568472e-1.git.0.df26db4

copying certs:
[root@newcandlepin ~]# scp /home/candlepin/candlepin/generated_certs/3* kvm-02-guest24.rhts.eng.brq.redhat.com:/etc/pki/product/
The authenticity of host 'kvm-02-guest24.rhts.eng.brq.redhat.com (10.37.153.98)' can't be established.
ECDSA key fingerprint is SHA256:4ApbYwams2kpQrLoC22WgcLsApvLGlAkpccDJbCnU1Q.
ECDSA key fingerprint is MD5:0b:f0:5e:ec:e7:69:61:08:e1:d9:e8:ed:00:07:6a:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kvm-02-guest24.rhts.eng.brq.redhat.com,10.37.153.98' (ECDSA) to the list of known hosts.
root.eng.brq.redhat.com's password: 
32060.pem                                                                                                                               100% 2090    11.2KB/s   00:00    
37060.pem                                                                                                                               100% 2078    11.5KB/s   00:00    
37062.pem                                                                                                                               100% 2098    12.7KB/s   00:00    
37065.pem                                                                                                                               100% 2082    11.2KB/s   00:00    
37067.pem                                                                                                                               100% 2090    12.7KB/s   00:00    
37068.pem                                                                                                                               100% 2094    12.7KB/s   00:00    
37069.pem                                                                                                                               100% 2082    12.6KB/s   00:00    
37070.pem                                                                                                                               100% 2090    12.7KB/s   00:00    
37080.pem                                                                                                                               100% 2078    12.6KB/s   00:00    
37090.pem                                                                                                                               100% 2074    12.6KB/s   00:00    
37091.pem                                                                                                                               100% 2074    12.5KB/s   00:00    
38070.pem                                                                                                                               100% 2074    12.6KB/s   00:00    
38072.pem                                                                                                                               100% 2061    12.5KB/s   00:00    

[root@newcandlepin ~]# scp /etc/candlepin/certs/candlepin-ca.crt kvm-02-guest24.rhts.eng.brq.redhat.com:/etc/rhsm/ca/candlepin-ca.pem
root.eng.brq.redhat.com's password: 
candlepin-ca.crt                                                                                                                        100% 2029    12.0KB/s   00:00    

registering to candlepin server:
[root@kvm-02-guest24 ~]# subscription-manager register
Registering to: 10.70.35.79:8443/candlepin
Username: admin
Password: 
Hint: User "admin" is member of following organizations: admin, snowwhite, donaldduck
Organization: snowwhite
The system has been registered with ID: f23d316c-2e91-4cb9-ba3e-1841b5659e68
The registered system name is: kvm-02-guest24.rhts.eng.brq.redhat.com

[root@kvm-02-guest24 ~]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Awesome OS Instance Server Bits
Status:       Subscribed

Product Name: Awesome OS Server Bits
Status:       Subscribed
.
.
.

[root@kvm-02-guest24 ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# *** This file is auto-generated.  Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#

[content-label-no-gpg-37060]
name = content-nogpg-37060
baseurl = https://cdn.redhat.com/foo/path/no_gpg/37060234
enabled = 0
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/7691419403284580053-key.pem
sslclientcert = /etc/pki/entitlement/7691419403284580053.pem
sslverifystatus = 1
enabled_metadata = 0
^ sslverifystatus is set to 1 --> PASSED

Scenario2:Verify after revoking the OCSP stapling capabilities from candlepin, the redhat.repo file is refreshed and "sslverifystatus'is removed from the repo details section	
	
copying certs:
[root@newcandlepin ~]# scp /home/candlepin/candlepin/generated_certs/3* kvm-02-guest24.rhts.eng.brq.redhat.com:/etc/pki/product/
The authenticity of host 'kvm-02-guest24.rhts.eng.brq.redhat.com (10.37.153.98)' can't be established.
ECDSA key fingerprint is SHA256:4ApbYwams2kpQrLoC22WgcLsApvLGlAkpccDJbCnU1Q.
ECDSA key fingerprint is MD5:0b:f0:5e:ec:e7:69:61:08:e1:d9:e8:ed:00:07:6a:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kvm-02-guest24.rhts.eng.brq.redhat.com,10.37.153.98' (ECDSA) to the list of known hosts.
root.eng.brq.redhat.com's password: 
32060.pem                                                                                                                               100% 2090    11.2KB/s   00:00    
37060.pem                                                                                                                               100% 2078    11.5KB/s   00:00    
37062.pem                                                                                                                               100% 2098    12.7KB/s   00:00    
37065.pem                                                                                                                               100% 2082    11.2KB/s   00:00    
37067.pem                                                                                                                               100% 2090    12.7KB/s   00:00    
37068.pem                                                                                                                               100% 2094    12.7KB/s   00:00    
37069.pem                                                                                                                               100% 2082    12.6KB/s   00:00    
37070.pem                                                                                                                               100% 2090    12.7KB/s   00:00    
37080.pem                                                                                                                               100% 2078    12.6KB/s   00:00    
37090.pem                                                                                                                               100% 2074    12.6KB/s   00:00    
37091.pem                                                                                                                               100% 2074    12.5KB/s   00:00    
38070.pem                                                                                                                               100% 2074    12.6KB/s   00:00    
38072.pem                                                                                                                               100% 2061    12.5KB/s   00:00    

[root@newcandlepin ~]# scp /etc/candlepin/certs/candlepin-ca.crt kvm-02-guest24.rhts.eng.brq.redhat.com:/etc/rhsm/ca/candlepin-ca.pem
root.eng.brq.redhat.com's password: 
candlepin-ca.crt                                                                                                                        100% 2029    12.0KB/s   00:00    

registering to candlepin server:
[root@kvm-02-guest24 ~]# subscription-manager register
Registering to: 10.70.35.79:8443/candlepin
Username: admin
Password: 
Hint: User "admin" is member of following organizations: admin, snowwhite, donaldduck
Organization: snowwhite
The system has been registered with ID: f23d316c-2e91-4cb9-ba3e-1841b5659e68
The registered system name is: kvm-02-guest24.rhts.eng.brq.redhat.com

[root@kvm-02-guest24 ~]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Awesome OS Instance Server Bits
Status:       Subscribed

Product Name: Awesome OS Server Bits
Status:       Subscribed
.
.
.

[root@kvm-02-guest24 ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# *** This file is auto-generated.  Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#

[content-label-no-gpg-37060]
name = content-nogpg-37060
baseurl = https://cdn.redhat.com/foo/path/no_gpg/37060234
enabled = 0
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/7691419403284580053-key.pem
sslclientcert = /etc/pki/entitlement/7691419403284580053.pem
sslverifystatus = 1
enabled_metadata = 0

manually configuring repolib.py
[root@kvm-02-guest24 ~]# grep has_ssl_verify_status /usr/lib64/python3.9/site-packages/subscription_manager/repolib.py
        has_ssl_verify_status = self.get_consumer_auth_cp().has_capability("ssl_verify_status")
            if has_ssl_verify_status:
	has_ssl_verify_status = False

[root@kvm-02-guest24 ~]# yum repolist
.
.

[root@kvm-02-guest24 ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# *** This file is auto-generated.  Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#

[content-label-no-gpg-37060]
name = content-nogpg-37060
baseurl = https://cdn.redhat.com/foo/path/no_gpg/37060234
enabled = 0
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/7691419403284580053-key.pem
sslclientcert = /etc/pki/entitlement/7691419403284580053.pem
sslverifystatus = 0
enabled_metadata = 0
.
.
.
^ sslverifystatus is set to 0 after manually configuring repolib.py --> PASSED

Scenario3:Verify the "sslverifystatus" is added to each repos and works with Proxy	

confoguring proxy:
[root@kvm-02-guest24 ~]# subscription-manager config --server.proxy_hostname=auto-services.usersys.redhat.com --server.proxy_port=3127 --server.proxy_user=redhat --server.proxy_password=redhat --server.proxy_scheme=https

Registering against stage:
[root@kvm-02-guest24 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracePH03
Password: 
The system has been registered with ID: f6c2c673-e78d-4656-9900-739f9a7a0338

[root@kvm-02-guest24 ~]# grep has_ssl_verify_status /usr/lib64/python3.9/site-packages/subscription_manager/repolib.py
        has_ssl_verify_status = self.get_consumer_auth_cp().has_capability("ssl_verify_status")
            if has_ssl_verify_status:
has_ssl_verify_status = True

[root@kvm-02-guest24 ~]# yum install zsh
Failed loading plugin "product-id": unexpected indent (repolib.py, line 521)
Failed loading plugin "subscription-manager": unexpected indent (repolib.py, line 521)
Last metadata expiration check: 0:31:45 ago on Tue 21 Jun 2022 02:22:35 PM CEST.
Dependencies resolved.
==========================================================================================================================================================================
 Package                             Architecture                           Version                                   Repository                                     Size
==========================================================================================================================================================================
Installing:
 zsh                                 x86_64                                 5.8-9.el9                                 beaker-BaseOS                                 3.2 M

Transaction Summary
.
.
.


[zpetracek@fedora ~]$  ssh root.redhat.com
The authenticity of host 'auto-services.usersys.redhat.com (10.8.30.63)' can't be established.
ED25519 key fingerprint is SHA256:oiv0PSJXlOdzfc1F8/mk82Gd+mfUukV58jPUf7O02HE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'auto-services.usersys.redhat.com' (ED25519) to the list of known hosts.
root.redhat.com's password: 
client_global_hostkeys_private_confirm: server gave bad signature for RSA key 0: error in libcrypto
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Jun 21 08:05:59 2022 from 10.40.193.145
^ I was able to see the traffic --> PASSED
Comment 5 Archana Pandey 2022-07-26 10:45:58 UTC 
Final verification on subscription-manager-1.29.26.1-1.el9_0.x86_64

 Beaker Test information:
                         HOSTNAME=sweetpig-19.4a2m.lab.eng.bos.redhat.com
                            JOBID=6839502
                         RECIPEID=12324957
                    RESULT_SERVER=
                           DISTRO=RHEL-9.0.0
                     ARCHITECTURE=x86_64

>> verifying presence of flag  'sslverifystatus = 1' in repo file when server supports the  ssl_verify_status capability -

[arpandey@ovpn-9-48 ~]$ curl --stderr /dev/null --insecure --user admin:admin --request GET 'https://archana-candlepin.usersys.redhat.com:8443/candlepin/status' | python -m json.tool
{
    "mode": "NORMAL",
    "modeReason": null,
    "modeChangeTime": null,
    "result": true,
    "version": "4.2.4",
    "release": "1",
    "standalone": false,
    "timeUTC": "2022-07-25T07:15:31-0400",
    "rulesSource": "default",
    "rulesVersion": "5.43",
    "managerCapabilities": [
        "instance_multiplier",
        "derived_product",
        "vcpu",
        "cert_v3",
        "hypervisors_heartbeat",
        "remove_by_pool_id",
        "syspurpose",
        "storage_band",
        "cores",
        "ssl_verify_status",
        "multi_environment",
        "hypervisors_async",
        "org_level_content_access",
        "guest_limit",
        "ram",
        "batch_bind"
    ],
    "keycloakRealm": null,
    "keycloakAuthUrl": null,
    "keycloakResource": null
}
[arpandey@ovpn-9-48 ~]$ 

[root@sweetpig-19 ~]# 
[root@sweetpig-19 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.4-1
subscription management rules: 5.43
subscription-manager: 1.29.26.1-1.el9_0
[root@sweetpig-19 ~]# 
[root@sweetpig-19 ~]# subscription-manager register --username ***** --password *****
Registering to: archana-candlepin.usersys.redhat.com:8443/candlepin
Hint: User "*****" is member of following organizations: snowwhite, admin
Organization: snowwhite
The system has been registered with ID: 7c873c51-e360-4a60-9b85-a671577d3b4f
The registered system name is: sweetpig-19.4a2m.lab.eng.bos.redhat.com
[root@sweetpig-19 ~]# 
[root@sweetpig-19 ~]# 
[root@sweetpig-19 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.

System Purpose Status: Disabled

[root@sweetpig-19 ~]# grep '^baseurl = https://cdn\.redhat\.com/' /etc/yum.repos.d/redhat.repo | wc -l
89
[root@sweetpig-19 ~]# grep '^sslverifystatus = 1' /etc/yum.repos.d/redhat.repo | wc -l
89                           << sslverifystatus flag is present in repo file
[root@sweetpig-19 ~]# 


----------------------------------------------------------------------------------------------------------------------


>> removing ssl_verify_status capability from server and then verifying removal of 'sslverifystatus = 1' flag from repo file 

steps to verify- 
[arpandey@ovpn-9-48 ~]$ curl --stderr /dev/null --insecure --user admin:admin --request GET 'https://archana-candlepin.usersys.redhat.com:8443/candlepin/status' | python -m json.tool
{
    "mode": "NORMAL",
    "modeReason": null,
    "modeChangeTime": null,
    "result": true,
    "version": "4.2.4",
    "release": "1",
    "standalone": false,
    "timeUTC": "2022-07-25T07:51:00-0400",
    "rulesSource": "default",
    "rulesVersion": "5.43",
    "managerCapabilities": [
        "instance_multiplier",
        "derived_product",
        "vcpu",
        "cert_v3",
        "hypervisors_heartbeat",
        "remove_by_pool_id",
        "syspurpose",
        "storage_band",
        "cores",
        "multi_environment",
        "hypervisors_async",
        "org_level_content_access",
        "guest_limit",
        "ram",
        "batch_bind"
    ],
    "keycloakRealm": null,
    "keycloakAuthUrl": null,
    "keycloakResource": null
}
[root@sweetpig-19 ~]# 
[root@sweetpig-19 ~]# subscription-manager register --username ****** --password ***** --org *****
Registering to: archana-candlepin.usersys.redhat.com:8443/candlepin
The system has been registered with ID: b0834227-3f7d-4661-9de7-a4c2d4b1d564
The registered system name is: sweetpig-19.4a2m.lab.eng.bos.redhat.com
[root@sweetpig-19 ~]# 
[root@sweetpig-19 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.

System Purpose Status: Unknown

>> Now verify that  ‘sslverifystatus =1’ flag is not present in repo file
[root@sweetpig-19 ~]# grep '^baseurl = https://cdn\.redhat\.com/' /etc/yum.repos.d/redhat.repo | wc -l
89
[root@sweetpig-19 ~]# grep '^sslverifystatus = 1' /etc/yum.repos.d/redhat.repo | wc -l
0                                         <<< sslverifystatus flag removed
[root@sweetpig-19 ~]# 

Based on above evidences, verified that 'sslverifystatus = 1' flag is getting added and removed in repo file as per the capability supported in server.

Verification : PASSED
Comment 9 errata-xmlrpc 2022-08-09 10:30:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5944
Note You need to log in before you can comment on or make changes to this bug.