Description of problem:

[root@sun-v20z-01 ~]# subscription-manager-cli list --available
Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX

Seeing this in my tomcat6 log.. not sure if it's related..

Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host: statler.usersys.redhat.com:8443
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding: identity
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length: 4
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type: application/json
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept: application/json
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}}
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Request: 'GET https://statler.usersys.redhat.com:8443/candlepin/consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials'
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host: statler.usersys.redhat.com:8443
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding: identity
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length: 4
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type: application/json
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept: application/json
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}}
^C
[candlepin@statler proxy]$
This is from an old certificate still existing in the tomcat keystore. I've updated the deploy script to add a FORCECERT option, so you can redo all certificates. Note that after using FORCECERT, you'll have to delete /etc/pki/consumer/* for your client machines (I think this might be a client bug; will have to investigate).

Example usage:

FORCECERT=1 HOSTNAME=localhost buildconf/scripts/deploy

Now when you configure your clients to connect to localhost, they won't complain about SSL.
[candlepin@statler proxy]$ FORCECERT=1 HOSTNAME=statler.usersys.redhat.com buildconf/scripts/deploy
Stopping tomcat6: [ OK ]
(in /candlepin/candlepin/proxy, development)
Cleaning candlepin
Building candlepin
Compiling candlepin into /candlepin/candlepin/proxy/target/classes
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Compiling candlepin:test into /candlepin/candlepin/proxy/target/test/classes
Note: /candlepin/candlepin/proxy/src/test/java/org/fedoraproject/candlepin/service/impl/test/DefaultEntitlementCertServiceAdapterTest.java uses unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Instrumenting classes with emma metadata file /candlepin/candlepin/proxy/reports/emma/coverage.em
redefining Project
Skipping tests for candlepin
Packaging candlepin
Packaging candlepin-api-0.0.6.jar
Packaging candlepin-0.0.6.war
Completed in 10.172s
+ CERTS_HOME=/etc/candlepin/certs
+ CA_KEY=/etc/candlepin/certs/candlepin-ca.key
+ CA_CERT=/etc/candlepin/certs/candlepin-ca.crt
+ rpm -q openssl
+ '[' 0 -ne 0 ']'
+ '[' '!' -d /etc/candlepin/certs ']'
+ HOSTNAME=statler.usersys.redhat.com
+ '[' -f /etc/candlepin/certs/candlepin-ca.key ']'
+ echo 'Creating CA private key'
Creating CA private key
+ sudo openssl genrsa -out /etc/candlepin/certs/candlepin-ca.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
..............................++++++
e is 65537 (0x10001)
+ echo 'Creating CA certificate'
Creating CA certificate
+ sudo openssl req -new -x509 -days 365 -key /etc/candlepin/certs/candlepin-ca.key -out /etc/candlepin/certs/candlepin-ca.crt -subj /CN=statler.usersys.redhat.com/C=US/L=Raleigh/
keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists
alias already exists. deleting...
deleted tomcat.
Enter key password for <tomcat> (RETURN if same as keystore password):
Key password is too short - must be at least 6 characters
Enter key password for <tomcat> (RETURN if same as keystore password):
importing ca certificate
keytool error: java.lang.Exception: Certificate not imported, alias <candlepin_ca_crt> already exists
alias already exists. deleting...
deleted candlepin_ca_crt.
importing ca certificate
Owner: L=Raleigh, C=US, CN=statler.usersys.redhat.com
Issuer: L=Raleigh, C=US, CN=statler.usersys.redhat.com
Serial number: cdec4c748955bc74
Valid from: Mon May 03 11:25:02 EDT 2010 until: Tue May 03 11:25:02 EDT 2011
Certificate fingerprints:
    MD5: 5C:51:97:A5:AA:00:1A:DF:8D:0F:89:57:65:FA:74:4C
    SHA1: 48:D8:9C:82:A3:45:23:8D:DC:DD:D4:71:37:9B:8F:1C:C9:67:4D:DF
    Signature algorithm name: SHA1withRSA

[root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf
84b649c7-1a15-40ad-94e7-0bd71c9c5b9a admin wd
[root@iolo ~]# subscription-manager-cli list --available
Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX
[root@iolo ~]# rm -Rf /etc/pki/consumer/ cert.pem key.pem
[root@iolo ~]# rm -Rf /etc/pki/consumer/*
[root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf
f2a4d0ea-6e5e-4139-a3e9-4f41ee857b2b admin wd
[root@iolo ~]# subscription-manager-cli list --available
productName                    endDate                    id   quantity
------------------------------------------------------------------------------------------------------
SPACEWALK-001                  Tue Jul 13 00:00:00 2010   1    20000
monitoring                     Tue Jul 13 00:00:00 2010   2    20000
provisioning                   Tue Jul 13 00:00:00 2010   3    20000
virtualization_host            Tue Jul 13 00:00:00 2010   4    20000
virtualization_host_platform   Tue Jul 13 00:00:00 2010   5    20000
[root@iolo ~]#

verified.. wdh
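Added example (not part of the original bug report or of the Candlepin deploy script): a shell check that pulls the CN out of a certificate subject line, in openssl or keytool layout, and compares it with the hostname the client expects, which is the comparison behind the "commonName does not match host" error above. The function names and the sample subject lines are constructed for illustration; `served_subject` assumes `openssl` is installed and is not called by the demo.

```shell
#!/bin/sh
# Added example: compare a certificate subject's CN with the expected host.

# Print the CN from a subject line. Layouts handled:
#   openssl (older):  subject= /CN=host/C=US/L=Raleigh
#   openssl (newer):  subject=CN = host, C = US, L = Raleigh
#   keytool -list -v: Owner: L=Raleigh, C=US, CN=host
# Prints nothing when the line carries no CN.
subject_cn() {
    printf '%s\n' "$1" |
        sed -n 's|^.*[=:,/ ]CN *= *\([^,/]*\).*$|\1|p'
}

# Case-insensitive comparison, since DNS names are case-insensitive.
# Only the CN is checked, as in the client error; subjectAltName and
# wildcards are out of scope here. Returns 0 on match, 1 otherwise.
cn_matches_host() {
    cn=$(subject_cn "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -n "$cn" ] && [ "$cn" = "$want" ]; then
        return 0
    fi
    echo "MISMATCH: expected $2, got ${cn:-<no CN>}" >&2
    return 1
}

# Subject of the certificate a live server presents on host $1, port $2.
# Needs network access and openssl; the demo below does not call it.
served_subject() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Constructed sample subject lines (not captured from a real server).
STALE='subject= /CN=XX/C=US/L=Raleigh'
FRESH='Owner: L=Raleigh, C=US, CN=statler.usersys.redhat.com'

demo() {
    for s in "$STALE" "$FRESH"; do
        if cn_matches_host "$s" statler.usersys.redhat.com 2>/dev/null; then
            echo "ok   $s"
        else
            echo "FAIL $s"
        fi
    done
}
demo
```

Against a running server, `cn_matches_host "$(served_subject statler.usersys.redhat.com 8443)" statler.usersys.redhat.com` shows whether the keystore is still serving the old certificate.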
Group move of VERIFIED Candlepin component bugs to RELEASE_PENDING
I am closing out some old bugs from 2015. So, closing these out as current release. If this is still an issue for me, please reach out.