Bug 624757 - unable to register to hosted candlepin1 w/ secure mode
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.1
Hardware: All Linux
Target Milestone: rc
Assignee: Bryan Kearney
QA Contact: wes hayutin
Depends On:
Blocks: 568421
Reported: 2010-08-17 16:41 UTC by wes hayutin
Modified: 2011-05-19 13:42 UTC

Doc Type: Bug Fix
Last Closed: 2011-05-19 13:42:06 UTC

External Trackers
Tracker: Red Hat Product Errata
ID: RHEA-2011:0611
Priority: normal
Status: SHIPPED_LIVE
Summary: new package: subscription-manager
Last Updated: 2011-05-18 17:56:21 UTC

Description wes hayutin 2010-08-17 16:41:35 UTC
**local certs on rhsm client

[root@client02-rhel6-beta2 candlepin]# ll
total 16
-rw-r--r--. 1 root root 1017 Aug 17 12:31 candlepin-ca.crt
-rw-r--r--. 1 root root  891 Aug 17 12:31 candlepin-ca.key
-rw-r--r--. 1 root root    7 Aug 17 12:31 candlepin-ca-password.txt
-rw-r--r--. 1 root root 1017 Aug 17 12:31 candlepin-upstream-ca.crt
[root@client02-rhel6-beta2 candlepin]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt
[root@client02-rhel6-beta2 candlepin]# md5sum candlepin-upstream-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-upstream-ca.crt

**rhsm conf

# Flag to enable Unsupported entitlement pools in GUI
# change this value to 1 to enable this option
showIncompatiblePools = 0

**certs on candlepin1 server

[root@candlepin1 certs]# md5sum /etc/candlepin/certs/candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  /etc/candlepin/certs/candlepin-ca.crt
[root@candlepin1 certs]# md5sum /etc/candlepin/certs/candlepin-upstream-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  /etc/candlepin/certs/candlepin-upstream-ca.crt
[root@candlepin1 certs]# 

**[root@client02-rhel6-beta2 src]# ./subscription-manager-cli register --username=xeops --pass=redhat 
certificate verify failed
[root@client02-rhel6-beta2 src]# 

** changed local rhsm conf
# change this value to 1 to enable this option
showIncompatiblePools = 0

[root@client02-rhel6-beta2 src]# ./subscription-manager-cli register --username=xeops --pass=redhat 
certificate verify failed

Trace in rhsm log
  File "/usr/lib/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 181, in connect
    ret = self.connect_ssl()
  File "/usr/lib/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 174, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: certificate verify failed

I'm thinking this should work.. it was working..

rhsm @ commit d54ab44d2acc62e97eff351a4a1dfa5ea148aee7

Comment 1 Ajay Kumar Nadathur Sreenivasan 2010-09-01 17:15:50 UTC
Not reproducible. 
 I believe the server was not restarted after the certificates were changed.

Comment 2 John Sefler 2010-09-08 16:53:54 UTC
Verifying ....

On the IT candlepin server:
[root@candlepin1 certs]# hostname
[root@candlepin1 certs]# pwd
[root@candlepin1 certs]# ls
candlepin-ca.crt  candlepin-ca-password.txt
candlepin-ca.key  candlepin-upstream-ca.crt
[root@candlepin1 certs]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt

On my client:
[root@jsefler-rhel6-consumer01 ~]# rpm -q subscription-manager

[root@jsefler-rhel6-consumer01 ~]# mkdir /tmp/certs
[root@jsefler-rhel6-consumer01 ~]# cd /tmp/certs
[root@jsefler-rhel6-consumer01 certs]# scp root@candlepin1.devlab.phx1.redhat.com:/etc/candlepin/certs/candlepin* .
The authenticity of host 'candlepin1.devlab.phx1.redhat.com (' can't be established.
RSA key fingerprint is 7d:93:22:a8:48:d2:31:13:f1:41:48:6c:a8:44:40:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'candlepin1.devlab.phx1.redhat.com,' (RSA) to the list of known hosts.
root@candlepin1.devlab.phx1.redhat.com's password: 
candlepin-ca.crt                                                                                                           100% 1017     1.0KB/s   00:00    
candlepin-ca.key                                                                                                           100%  891     0.9KB/s   00:00    
candlepin-ca-password.txt                                                                                                  100%    7     0.0KB/s   00:00    
candlepin-upstream-ca.crt                                                                                                  100% 1017     1.0KB/s   00:00    
[root@jsefler-rhel6-consumer01 certs]# md5sum candlepin-ca.crt
de5ef50453a48a53524aff9bb9af2fcd  candlepin-ca.crt

[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep hostname
[root@jsefler-rhel6-consumer01 certs]# vi /etc/rhsm/rhsm.conf   (FLIP THE FLAG FOR INSECURE TO 0)
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep insecure
# Flip this flag to 1 to Enable insecure mode.
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep candlepin_ca_file
candlepin_ca_file = None
[root@jsefler-rhel6-consumer01 certs]# subscription-manager-cli register --username=xeops --password=redhat
certificate verify failed

FAILED (as expected)

[root@jsefler-rhel6-consumer01 certs]# vi /etc/rhsm/rhsm.conf   (FLIP THE VALUE FOR CANDLEPIN_CA_FILE TO /tmp/certs/candlepin-ca.crt)
[root@jsefler-rhel6-consumer01 certs]# cat /etc/rhsm/rhsm.conf | grep candlepin_ca_file
candlepin_ca_file = /tmp/certs/candlepin-ca.crt
[root@jsefler-rhel6-consumer01 certs]# subscription-manager-cli register --username=xeops --password=redhat
ee2c1013-c872-45eb-8cdd-3f39b3005ac2 xeops


[root@jsefler-rhel6-consumer01 ~]# tail -f /var/log/rhsm/rhsm.log
2010-09-08 12:46:36,150 [INFO] __init__() @connection.py:136 - Connection Established: host: candlepin1.devlab.phx1.redhat.com, port: 443, handler: /candlepin
2010-09-08 12:46:36,151 [INFO] __init__() @connection.py:137 - Connection using cert_file: /etc/pki/consumer/cert.pem, key_file: /etc/pki/consumer/key.pem, ca_file: /tmp/certs/candlepin-ca.crt insecure_mode: False

SUCCESS: We registered in secure mode with the ca_file: /tmp/certs/candlepin-ca.crt
Moving to VERIFIED
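
The manual check in Comment 2 (insecure mode off, candlepin_ca_file pointing at the server's CA certificate, matching digests) can be scripted. This is an added example, not part of the bug report or of subscription-manager: the function name, the SHA-256 pin, the check for a readable CA private key next to the certificate, and the assumption that the insecure-mode key name starts with "insecure" are all assumptions of the example, and the sample files are constructed.

```python
import configparser
import hashlib
import os
import stat
import tempfile


def audit_rhsm_conf(conf_text, expected_ca_sha256=None):
    """Return findings for the TLS settings exercised in Comment 2."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Dummy section header so bare "key = value" lines parse as well.
    parser.read_string("[_top]\n" + conf_text)
    settings = {}
    for section in parser.sections():
        settings.update(parser.items(section))

    findings = []
    for key, value in settings.items():
        # Assumption: the insecure-mode key name starts with "insecure".
        if key.startswith("insecure") and value.strip().lower() not in ("0", "false"):
            findings.append("insecure mode enabled (%s = %s)" % (key, value))

    ca_file = settings.get("candlepin_ca_file", "None").strip()
    if ca_file in ("", "None"):
        findings.append("candlepin_ca_file is unset: server certificate cannot be verified")
        return findings
    if not os.path.isfile(ca_file):
        findings.append("candlepin_ca_file does not exist: %s" % ca_file)
        return findings
    if expected_ca_sha256 is not None:
        with open(ca_file, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != expected_ca_sha256:
            findings.append("CA file digest mismatch: %s" % digest)
    # The CA private key is not needed for verification; flag a readable copy.
    key_file = os.path.splitext(ca_file)[0] + ".key"
    if os.path.isfile(key_file) and os.stat(key_file).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("CA private key readable by group/other: %s" % key_file)
    return findings


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()  # constructed sample files
    ca_path = os.path.join(workdir, "candlepin-ca.crt")
    with open(ca_path, "wb") as fh:
        fh.write(b"constructed placeholder, not a real certificate")
    pin = hashlib.sha256(b"constructed placeholder, not a real certificate").hexdigest()
    print(audit_rhsm_conf("insecure_mode = 0\ncandlepin_ca_file = None\n"))
    print(audit_rhsm_conf("insecure_mode = 0\ncandlepin_ca_file = %s\n" % ca_path, pin))
```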

Comment 4 errata-xmlrpc 2011-05-19 13:42:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

