Bug 624757 - unable to register to hosted candlepin1 w/ secure mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.1
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Bryan Kearney
QA Contact: wes hayutin
URL:
Whiteboard:
Depends On:
Blocks: 568421
Reported: 2010-08-17 16:41 UTC by wes hayutin
Modified: 2011-05-19 13:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:42:06 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHEA-2011:0611
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: new package: subscription-manager
Last Updated: 2011-05-18 17:56:21 UTC

Description wes hayutin 2010-08-17 16:41:35 UTC
**local certs on rhsm client

[root@client02-rhel6-beta2 candlepin]# ll
total 16
-rw-r--r--. 1 root root 1017 Aug 17 12:31 candlepin-ca.crt
-rw-r--r--. 1 root root  891 Aug 17 12:31 candlepin-ca.key
-rw-r--r--. 1 root root    7 Aug 17 12:31 candlepin-ca-password.txt
-rw-r--r--. 1 root root 1017 Aug 17 12:31 candlepin-upstream-ca.crt
[root@client02-rhel6-beta2 candlepin]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt
[root@client02-rhel6-beta2 candlepin]# md5sum candlepin-upstream-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-upstream-ca.crt


**rhsm conf

# Flag to enable Unsupported entitlement pools in GUI
# change this value to 1 to enable this option
showIncompatiblePools = 0
#candlepin_ca_file=/etc/pki/candlepin/candlepin-ca.crt
candlepin_ca_file=/etc/pki/candlepin/candlepin-upstream-ca.crt

**certs on candlepin1 server

[root@candlepin1 certs]# md5sum /etc/candlepin/certs/candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  /etc/candlepin/certs/candlepin-ca.crt
[root@candlepin1 certs]# md5sum /etc/candlepin/certs/candlepin-upstream-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  /etc/candlepin/certs/candlepin-upstream-ca.crt
[root@candlepin1 certs]# 

**[root@client02-rhel6-beta2 src]# ./subscription-manager-cli register --username=xeops --pass=redhat 
certificate verify failed
[root@client02-rhel6-beta2 src]# 

** changed local rhsm conf
# change this value to 1 to enable this option
showIncompatiblePools = 0
candlepin_ca_file=/etc/pki/candlepin/candlepin-ca.crt
#candlepin_ca_file=/etc/pki/candlepin/candlepin-upstream-ca.crt

[root@client02-rhel6-beta2 src]# ./subscription-manager-cli register --username=xeops --pass=redhat 
certificate verify failed


Trace in rhsm log
   self.connect()
  File "/usr/lib/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 181, in connect
    ret = self.connect_ssl()
  File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 174, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: certificate verify failed



I'm thinking this should work.. it was working..

rhsm @ commit d54ab44d2acc62e97eff351a4a1dfa5ea148aee7

Comment 1 Ajay Kumar Nadathur Sreenivasan 2010-09-01 17:15:50 UTC
Not reproducible. 
 I believe the server was not restarted after the certificates were changed.
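
Added example, not part of the original thread or of the subscription-manager code: a sketch of the situation Comment 1 describes, assuming the running server still presents a certificate issued under an earlier CA. It shows that matching CA files on disk (the md5sum check in the description) does not establish that the served certificate chains to that CA. All names, keys and certificates are constructed.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed locally.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME: create a self-signed CA as $work/NAME.key and $work/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue_server_cert CA_NAME CN: sign $work/server.crt with the named CA
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
    openssl x509 -req -in "$work/server.csr" -days 1 -CAcreateserial \
        -CA "$work/$1.crt" -CAkey "$work/$1.key" -out "$work/server.crt" 2>/dev/null
}

# fingerprint CERT: SHA-256 fingerprint of the certificate
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# chain_status CA_FILE CERT: does CERT verify against the CA in CA_FILE?
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "certificate verify failed"
    fi
}

make_ca old-ca                                   # CA in use when the server started
make_ca new-ca                                   # CA written to disk afterwards
issue_server_cert old-ca candlepin.example.test  # what the running server presents
cp "$work/new-ca.crt" "$work/client-ca.crt"      # client copy, as with scp

# The on-disk comparison passes, as the md5sum check in the report did ...
if [ "$(fingerprint "$work/new-ca.crt")" = "$(fingerprint "$work/client-ca.crt")" ]; then
    echo "CA files on disk: identical"
fi
# ... but the served certificate only chains to the CA the server loaded.
echo "client CA vs served cert: $(chain_status "$work/client-ca.crt" "$work/server.crt")"
echo "old CA vs served cert:    $(chain_status "$work/old-ca.crt" "$work/server.crt")"
# Against a live host, obtain the served chain with:
#   openssl s_client -connect HOST:443 -showcerts </dev/null
```
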

Comment 2 John Sefler 2010-09-08 16:53:54 UTC
Verifying ....


On the IT candlepin server:
[root@candlepin1 certs]# hostname
candlepin1.devlab.phx1.redhat.com
[root@candlepin1 certs]# pwd
/etc/candlepin/certs
[root@candlepin1 certs]# ls
candlepin-ca.crt  candlepin-ca-password.txt
candlepin-ca.key  candlepin-upstream-ca.crt
[root@candlepin1 certs]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt


On my client:
[root@jsefler-rhel6-consumer01 ~]# rpm -q subscription-manager
subscription-manager-0.75-1.git.29.c3b1d88.fc12.i386

[root@jsefler-rhel6-consumer01 ~]# mkdir /tmp/certs
[root@jsefler-rhel6-consumer01 ~]# cd /tmp/certs
[root@jsefler-rhel6-consumer01 certs]# scp root@candlepin1.devlab.phx1.redhat.com:/etc/candlepin/certs/candlepin* .
The authenticity of host 'candlepin1.devlab.phx1.redhat.com (10.7.12.17)' can't be established.
RSA key fingerprint is 7d:93:22:a8:48:d2:31:13:f1:41:48:6c:a8:44:40:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'candlepin1.devlab.phx1.redhat.com,10.7.12.17' (RSA) to the list of known hosts.
root@candlepin1.devlab.phx1.redhat.com's password: 
candlepin-ca.crt                                                                                                           100% 1017     1.0KB/s   00:00    
candlepin-ca.key                                                                                                           100%  891     0.9KB/s   00:00    
candlepin-ca-password.txt                                                                                                  100%    7     0.0KB/s   00:00    
candlepin-upstream-ca.crt                                                                                                  100% 1017     1.0KB/s   00:00    
[root@jsefler-rhel6-consumer01 certs]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt

[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep hostname
hostname=candlepin1.devlab.phx1.redhat.com
[root@jsefler-rhel6-consumer01 certs]# vi /etc/rhsm/rhsm.conf   (FLIP THE FLAG FOR INSECURE TO 0)
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep insecure
# Flip this flag to 1 to Enable insecure mode.
insecure=0
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep candlepin_ca_file
candlepin_ca_file = None
[root@jsefler-rhel6-consumer01 certs]# subscription-manager-cli register --username=xeops --password=redhat
certificate verify failed

FAILED (as expected)

[root@jsefler-rhel6-consumer01 certs]# vi /etc/rhsm/rhsm.conf   (FLIP THE VALUE FOR CANDLEPIN_CA_FILE TO /tmp/certs/candlepin-ca.crt)
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep candlepin_ca_file
candlepin_ca_file = /tmp/certs/candlepin-ca.crt
[root@jsefler-rhel6-consumer01 certs]# subscription-manager-cli register --username=xeops --password=redhat
ee2c1013-c872-45eb-8cdd-3f39b3005ac2 xeops

SUCCESS

[root@jsefler-rhel6-consumer01 ~]# tail -f /var/log/rhsm/rhsm.log
2010-09-08 12:46:36,150 [INFO] __init__() @connection.py:136 - Connection Established: host: candlepin1.devlab.phx1.redhat.com, port: 443, handler: /candlepin
2010-09-08 12:46:36,151 [INFO] __init__() @connection.py:137 - Connection using cert_file: /etc/pki/consumer/cert.pem, key_file: /etc/pki/consumer/key.pem, ca_file: /tmp/certs/candlepin-ca.crt insecure_mode: False


SUCCESS: We registered in secure mode with the ca_file: /tmp/certs/candlepin-ca.crt
Moving to VERIFIED
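
Added example, not from the thread or the project: a small audit of the rhsm.conf keys exercised in Comment 2 (`insecure`, `candlepin_ca_file`), which also flags CA key or password files stored beside the trust anchor, as in the directory listing in the description. The sample config and files are constructed; `conf_value` and `audit_rhsm_conf` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: the config text and directory layout below are constructed.
set -u

# conf_value FILE KEY: value of the last uncommented "KEY = value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_rhsm_conf FILE: print one finding per line, or "clean" if none
audit_rhsm_conf() {
    conf=$1; n=0
    ca=$(conf_value "$conf" candlepin_ca_file)
    if [ "$(conf_value "$conf" insecure)" = "1" ]; then
        echo "insecure=1: insecure mode is enabled"; n=$((n + 1))
    fi
    if [ -z "$ca" ] || [ "$ca" = "None" ]; then
        echo "candlepin_ca_file unset: no CA to verify the server against"; n=$((n + 1))
    elif [ ! -r "$ca" ]; then
        echo "candlepin_ca_file not readable: $ca"; n=$((n + 1))
    else
        # A client needs only the CA certificate, never its key or passphrase.
        dir=$(dirname "$ca")
        for f in "$dir"/*.key "$dir"/*password*; do
            if [ -e "$f" ]; then
                echo "CA secret stored beside the trust anchor: ${f##*/}"; n=$((n + 1))
            fi
        done
    fi
    [ "$n" -gt 0 ] || echo "clean"
}

# Constructed layout mirroring the listing in the description
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
touch "$demo/candlepin-ca.crt" "$demo/candlepin-ca.key" "$demo/candlepin-ca-password.txt"
cat > "$demo/rhsm.conf" <<EOF
# Flip this flag to 1 to Enable insecure mode.
insecure=0
#candlepin_ca_file=/etc/pki/candlepin/candlepin-upstream-ca.crt
candlepin_ca_file = $demo/candlepin-ca.crt
EOF
printf 'insecure=0\ncandlepin_ca_file = None\n' > "$demo/none.conf"

audit_rhsm_conf "$demo/rhsm.conf"   # two "CA secret" findings
audit_rhsm_conf "$demo/none.conf"   # the failing configuration from Comment 2
```
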

Comment 4 errata-xmlrpc 2011-05-19 13:42:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0611.html

