Bug 616906 - new consumer certs not being created when they should be
new consumer certs not being created when they should be
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager (Show other bugs)
6.1
All Linux
low Severity medium
: rc
: ---
Assigned To: Bryan Kearney
wes hayutin
: RHELNAK
Depends On: 595758
Blocks: 568421
  Show dependency treegraph
 
Reported: 2010-07-21 13:29 EDT by Adrian Likins
Modified: 2011-05-19 09:41 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-19 09:41:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Adrian Likins 2010-07-21 13:29:31 EDT
With rhsm as oj july 20/21 or so, there seems to be some sort of issue with consumer certs not being updated when a system registers. Even with --force. 

A couple of people saw this when updating to the version of rhsm/candlepin that needed a new cert format.
Comment 2 RHEL Product and Program Management 2010-07-21 13:58:35 EDT
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 3 Ajay Kumar Nadathur Sreenivasan 2010-08-17 12:00:29 EDT
It seems to be working fine. I am not able to re-produce this on my machine. Any scenario/steps are welcome.
Comment 4 John Sefler 2010-09-09 10:37:06 EDT
VERSION:
[root@jsefler-rhel6-client01 ~]# rpm -q subscription-manager
subscription-manager-0.76-1.git.0.fe91dd4.fc12.i386


FOLLOWING THE TESTS BELOW, YOU'LL SEE (BY NOTING THE FILE TIMESTAMPS AND THE VALIDITY DATES WITHIN THE CERT) THAT THE IDENTITY CERT IS INDEED UPDATED WHEN CALLING subscription-manager-cl register w/force AS WELL AS reregister.


[root@jsefler-rhel6-client01 ~]# ls -l /etc/pki/consumer/*
ls: cannot access /etc/pki/consumer/*: No such file or directory
[root@jsefler-rhel6-client01 ~]# subscription-manager-cli register --username=testuser1 --password=password
971722de-9158-4a51-b80f-1ba36eb97ed1 testuser1
[root@jsefler-rhel6-client01 ~]# ls -l /etc/pki/consumer/*
-rw-r--r--. 1 root root 1269 Sep  9 10:28 /etc/pki/consumer/cert.pem
-rw-r--r--. 1 root root 1675 Sep  9 10:28 /etc/pki/consumer/key.pem
[root@jsefler-rhel6-client01 ~]# openssl x509 -text -noout -in /etc/pki/consumer/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 163 (0xa3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=jsefler-f12-candlepin.usersys.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: Sep  9 14:28:33 2010 GMT
            Not After : Sep  9 14:28:33 2011 GMT
        Subject: CN=971722de-9158-4a51-b80f-1ba36eb97ed1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:94:a9:be:bf:a4:14:e2:1e:ad:71:e6:aa:65:47:
                    64:16:09:f6:65:61:86:fa:1b:38:3e:11:ab:5d:c9:
                    ef:1c:e0:4f:80:b9:8d:51:2c:8e:ce:6f:7c:ba:e8:
                    59:0a:d3:ef:d0:02:d7:23:87:1a:e7:4a:37:5d:e0:
                    5a:12:a2:57:8e:0b:a2:14:81:43:d3:f3:6e:fd:3f:
                    03:c3:a0:fb:f6:67:cc:d9:3a:62:16:de:2f:4a:1a:
                    b0:78:7b:8c:37:78:99:5e:4f:0b:a9:b3:c3:91:ae:
                    ac:0f:70:d3:ce:34:79:39:56:5a:5e:c9:dc:31:94:
                    a9:ee:ad:65:56:29:ae:4f:84:f7:ca:1b:c3:74:6b:
                    ab:ad:df:80:b2:36:8c:93:a1:2f:5c:4e:6d:32:fc:
                    7a:da:da:e2:a3:87:e0:3c:2a:ee:e5:65:b3:51:c7:
                    ba:98:b8:4b:67:03:8e:c0:f1:97:74:80:65:ec:9f:
                    7e:c0:92:c3:ba:ab:11:a3:53:64:03:3c:de:68:a6:
                    fa:c8:21:09:63:57:0c:da:51:be:a4:c3:07:d7:32:
                    95:99:a9:9f:c3:ae:d1:57:9a:c5:f2:77:b0:d5:cf:
                    0f:10:48:56:b4:c6:db:87:da:ab:92:7f:15:8b:bd:
                    86:9f:69:a4:3e:ce:86:24:43:d3:91:fd:f3:74:86:
                    bc:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                keyid:96:B8:29:58:5D:04:30:FA:E1:3A:95:78:11:7F:0A:BA:C8:97:02:CC
                DirName:/CN=jsefler-f12-candlepin.usersys.redhat.com/C=US/L=Raleigh
                serial:DC:B4:1E:8F:C1:17:95:E6

            X509v3 Subject Key Identifier: 
                BD:A1:9B:DC:29:6F:67:76:ED:0A:C7:A0:14:85:40:CC:D9:7E:DE:E2
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DirName:/CN=testuser1
    Signature Algorithm: sha1WithRSAEncryption
        62:09:fb:ae:01:cb:24:57:67:b0:06:f5:00:4d:0a:6c:d7:d2:
        b9:04:4a:1e:cf:bc:33:a4:4e:c3:b0:a7:f1:47:cc:36:8f:73:
        0d:fc:b9:dc:3b:f7:17:6a:c5:27:87:98:da:71:d8:a7:bc:24:
        50:46:71:c7:2c:29:8e:9b:0a:aa:c8:be:f6:32:fd:e6:f1:71:
        49:b9:d0:5c:00:f3:4c:b8:c6:6c:b2:64:05:28:2c:2a:51:97:
        92:5e:8e:90:e2:c8:c5:2b:b1:4b:6b:e5:d5:a4:5c:48:0d:db:
        83:b5:b0:ed:15:36:4f:53:57:83:62:b2:5e:53:c8:86:c3:17:
        8b:94


[root@jsefler-rhel6-client01 ~]# subscription-manager-cli register --username=testuser1 --password=password --force
368955e0-7882-456a-bc96-1a0f152923af testuser1
[root@jsefler-rhel6-client01 ~]# ls -l /etc/pki/consumer/*
-rw-r--r--. 1 root root 1269 Sep  9 10:29 /etc/pki/consumer/cert.pem
-rw-r--r--. 1 root root 1679 Sep  9 10:29 /etc/pki/consumer/key.pem
[root@jsefler-rhel6-client01 ~]# openssl x509 -text -noout -in /etc/pki/consumer/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 164 (0xa4)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=jsefler-f12-candlepin.usersys.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: Sep  9 14:29:34 2010 GMT
            Not After : Sep  9 14:29:34 2011 GMT
        Subject: CN=368955e0-7882-456a-bc96-1a0f152923af
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:94:97:42:38:1f:57:ce:ef:12:5a:e8:c2:3a:4d:
                    1e:1a:98:8b:5b:63:4d:bf:c0:7d:a5:7d:60:38:b3:
                    f3:d7:d9:66:e7:3c:3b:51:e1:68:b7:98:56:19:05:
                    b3:93:f4:26:4d:4d:d0:78:70:f7:ac:12:51:bd:d8:
                    f8:68:ac:53:de:63:c8:a7:7d:d0:d0:0d:6e:64:f4:
                    75:cf:8b:4f:0d:10:47:d4:6f:e3:34:d6:de:33:77:
                    9d:e6:9e:62:5b:b6:c2:97:55:b6:33:31:dd:17:75:
                    20:2a:c6:af:75:86:d4:89:b0:40:d2:bc:5c:93:98:
                    71:db:96:e6:9f:33:9a:cd:53:df:fb:fd:77:61:86:
                    14:12:54:fc:ba:f8:f3:92:f2:c2:db:a9:8e:01:22:
                    f1:54:33:8e:f6:ce:92:c3:cb:89:ca:15:1b:78:69:
                    84:2f:55:b5:6f:e1:8d:2e:9f:1a:1b:3f:e4:91:0f:
                    b3:7e:24:2d:c4:62:e0:25:19:43:bb:5b:5e:2f:f1:
                    3f:2a:0c:84:72:02:c2:1c:60:a3:d6:84:4d:bb:74:
                    60:3e:f2:59:93:c5:8c:6d:fd:f3:00:1a:e7:fb:ae:
                    97:db:61:8c:2d:b0:72:60:4e:83:09:e2:9c:ae:5a:
                    50:84:a9:01:da:2b:30:ab:8b:40:36:cf:b1:82:8b:
                    52:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                keyid:96:B8:29:58:5D:04:30:FA:E1:3A:95:78:11:7F:0A:BA:C8:97:02:CC
                DirName:/CN=jsefler-f12-candlepin.usersys.redhat.com/C=US/L=Raleigh
                serial:DC:B4:1E:8F:C1:17:95:E6

            X509v3 Subject Key Identifier: 
                1A:B7:F9:6D:3E:5B:08:6F:28:AF:1D:9E:95:AE:B6:34:19:3F:6B:80
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DirName:/CN=testuser1
    Signature Algorithm: sha1WithRSAEncryption
        29:72:bd:9b:0f:e8:6e:68:07:30:d0:4b:d4:eb:fe:ec:d4:b7:
        5a:87:04:03:76:7e:98:d5:04:8c:55:ee:d9:7c:2a:ed:0b:fd:
        9f:e0:0e:c0:d8:bf:b5:01:1f:8b:99:80:24:e5:d4:8a:e3:9f:
        85:3e:d8:f4:5b:7b:43:68:6a:80:16:67:31:85:5d:6e:1f:dd:
        fc:dc:2b:ef:3a:52:0e:f8:cc:24:73:59:55:6a:59:d1:d2:37:
        d5:3e:6c:62:f4:8a:0d:74:b1:8f:29:59:57:82:31:8e:bc:2b:
        46:5b:c7:87:49:22:3f:6a:60:2f:03:d1:fc:2c:49:30:7c:16:
        a4:88


[root@jsefler-rhel6-client01 ~]# subscription-manager-cli reregister --username=testuser1 --password=password
Ignoring username and password options. Using old uuid 368955e0-7882-456a-bc96-1a0f152923af
368955e0-7882-456a-bc96-1a0f152923af testuser1
[root@jsefler-rhel6-client01 ~]# ls -l /etc/pki/consumer/*
-rw-r--r--. 1 root root 1269 Sep  9 10:31 /etc/pki/consumer/cert.pem
-rw-r--r--. 1 root root 1679 Sep  9 10:31 /etc/pki/consumer/key.pem
[root@jsefler-rhel6-client01 ~]# openssl x509 -text -noout -in /etc/pki/consumer/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 165 (0xa5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=jsefler-f12-candlepin.usersys.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: Sep  9 14:31:17 2010 GMT
            Not After : Sep  9 14:31:17 2011 GMT
        Subject: CN=368955e0-7882-456a-bc96-1a0f152923af
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:94:97:42:38:1f:57:ce:ef:12:5a:e8:c2:3a:4d:
                    1e:1a:98:8b:5b:63:4d:bf:c0:7d:a5:7d:60:38:b3:
                    f3:d7:d9:66:e7:3c:3b:51:e1:68:b7:98:56:19:05:
                    b3:93:f4:26:4d:4d:d0:78:70:f7:ac:12:51:bd:d8:
                    f8:68:ac:53:de:63:c8:a7:7d:d0:d0:0d:6e:64:f4:
                    75:cf:8b:4f:0d:10:47:d4:6f:e3:34:d6:de:33:77:
                    9d:e6:9e:62:5b:b6:c2:97:55:b6:33:31:dd:17:75:
                    20:2a:c6:af:75:86:d4:89:b0:40:d2:bc:5c:93:98:
                    71:db:96:e6:9f:33:9a:cd:53:df:fb:fd:77:61:86:
                    14:12:54:fc:ba:f8:f3:92:f2:c2:db:a9:8e:01:22:
                    f1:54:33:8e:f6:ce:92:c3:cb:89:ca:15:1b:78:69:
                    84:2f:55:b5:6f:e1:8d:2e:9f:1a:1b:3f:e4:91:0f:
                    b3:7e:24:2d:c4:62:e0:25:19:43:bb:5b:5e:2f:f1:
                    3f:2a:0c:84:72:02:c2:1c:60:a3:d6:84:4d:bb:74:
                    60:3e:f2:59:93:c5:8c:6d:fd:f3:00:1a:e7:fb:ae:
                    97:db:61:8c:2d:b0:72:60:4e:83:09:e2:9c:ae:5a:
                    50:84:a9:01:da:2b:30:ab:8b:40:36:cf:b1:82:8b:
                    52:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                keyid:96:B8:29:58:5D:04:30:FA:E1:3A:95:78:11:7F:0A:BA:C8:97:02:CC
                DirName:/CN=jsefler-f12-candlepin.usersys.redhat.com/C=US/L=Raleigh
                serial:DC:B4:1E:8F:C1:17:95:E6

            X509v3 Subject Key Identifier: 
                1A:B7:F9:6D:3E:5B:08:6F:28:AF:1D:9E:95:AE:B6:34:19:3F:6B:80
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DirName:/CN=testuser1
    Signature Algorithm: sha1WithRSAEncryption
        0e:4e:e6:c6:61:e0:1b:ad:ec:de:f1:a9:e9:82:6c:8b:5c:e1:
        bd:d1:35:40:b1:f2:5e:2e:5f:5e:8a:97:99:8f:6c:6a:4a:23:
        8f:c7:93:67:15:f4:8c:04:81:23:36:2c:2e:18:f2:9c:4d:eb:
        2d:54:ad:c9:89:d1:d0:e9:cf:16:7e:a0:2b:72:c5:d2:41:d8:
        3f:ea:58:72:f5:64:6d:00:30:c6:7b:d0:02:f4:1c:09:28:56:
        36:91:5e:3d:c7:86:f0:a3:b2:0a:40:92:27:fb:b5:c9:52:08:
        b9:0d:60:15:92:3f:9f:05:01:3c:de:39:1b:ba:77:24:be:d1:
        52:4a
[root@jsefler-rhel6-client01 ~]# 


MOVING TO VERIFIED
Comment 6 errata-xmlrpc 2011-05-19 09:41:51 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0611.html

Note You need to log in before you can comment on or make changes to this bug.