Description of problem:
When RHN is unavailable to customers it should not tell them that their SSL certificate is invalid....pretty bad user experience. On Friday, March 11, 2011, RHN was down for a period of time. I kept receiving error pop-up messages on my desktop that I had a bad SSL cert... kind of confusing considering I hadn't changed certs or done any recent admin on my computer. The error messages gave no indication that RHN being down could be the problem, which would have saved a lot of time on my part:

[Fri Mar 11 12:32:53 2011] up2date logging into up2date server
[Fri Mar 11 12:32:53 2011] up2date The SSL certificate failed verification.
[Fri Mar 11 13:32:40 2011] up2date logging into up2date server
[Fri Mar 11 13:32:40 2011] up2date The SSL certificate failed verification.
[Fri Mar 11 14:15:07 2011] up2date logging into up2date server
[Fri Mar 11 14:15:07 2011] up2date The SSL certificate failed verification.
[Fri Mar 11 14:15:53 2011] rhn_register logging into up2date server
[Fri Mar 11 14:15:54 2011] rhn_register The SSL certificate failed verification.
[Fri Mar 11 14:15:54 2011] rhn_register Traceback (most recent call last):
  File "/usr/sbin/rhn_register", line 75, in <module>
    app.run()
  File "/usr/share/rhn/up2date_client/rhncli.py", line 74, in run
    sys.exit(self.main() or 0)
  File "/usr/sbin/rhn_register", line 61, in main
    if not up2dateAuth.getLoginInfo():
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 219, in getLoginInfo
    login()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 186, in login
    li = server.up2date.login(systemId)
  File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
    raise up2dateErrors.SSLCertificateVerifyFailedError()
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The SSL certificate failed verification.
[Fri Mar 11 14:16:32 2011] rhn_register logging into up2date server
[Fri Mar 11 14:16:32 2011] rhn_register The SSL certificate failed verification.
[Fri Mar 11 14:16:32 2011] rhn_register Traceback (most recent call last):
  File "/usr/sbin/rhn_register", line 75, in <module>
    app.run()
  File "/usr/share/rhn/up2date_client/rhncli.py", line 74, in run

Version-Release number of selected component (if applicable):
rhn-client-tools-1.0.0-39.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. yum update when RHN is down
2.
The traceback shown in the initial comment says the (server's) SSL certificate failed verification. There can be many reasons why the validation would fail: a temporary indisposition of RHN (an incorrectly configured HTTP server, for example). If RHN (or RHN Satellite) were really down, the error shown by the client would be different: we wouldn't even be able to connect to RHN, never mind any SSL validation. In situations like this, the SSL validation error is being propagated to rhn-client-tools (and friends) from underlying libraries (OpenSSL in this case) and we can do nothing but display it. Given the above, I'm closing this report w/ notabug.
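The distinction drawn in the comment above, between a server that cannot be reached and a server whose certificate fails verification, can be surfaced to the user as separate messages. The following is an added example, not rhn-client-tools code: the function names and category labels are assumptions, the numeric keys are OpenSSL's X509_V_ERR verify codes, and the sample errors are constructed rather than captured.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verify codes -> (category, explanation).
# "server-cert": the certificate the server presented is the problem.
# "local-ca": the client's CA bundle could not anchor the chain.
VERIFY_HINTS = {
    10: ("server-cert", "the server's certificate has expired"),
    18: ("server-cert", "the server presented a self-signed certificate"),
    19: ("local-ca", "the chain ends in a root missing from the local CA bundle"),
    20: ("local-ca", "the issuer is not in the local CA bundle"),
    62: ("server-cert", "the certificate does not match the host name"),
}


def classify(exc):
    """Map a connection-time exception to (category, user-facing message)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        detail = getattr(exc, "verify_message", None) or str(exc)
        return VERIFY_HINTS.get(code, ("cert-unknown", detail))
    if isinstance(exc, ssl.SSLError):
        return ("tls", "TLS handshake failed: %s" % exc)
    if isinstance(exc, socket.gaierror):
        return ("unreachable", "the server name could not be resolved")
    if isinstance(exc, (socket.timeout, ConnectionError)):
        return ("unreachable", "the server did not accept the connection")
    return ("other", str(exc))


def probe(host, port=443, cafile=None, timeout=5.0):
    """Connect and verify; report which stage failed instead of a bare error."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return ("ok", "connected and certificate verified")
    except OSError as exc:
        return classify(exc)


def constructed_verify_error(code, text):
    """Build a sample verification error (constructed, not captured)."""
    exc = ssl.SSLCertVerificationError(1, "certificate verify failed: " + text)
    exc.verify_code, exc.verify_message = code, text
    return exc
```
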
RHN was *really* unavailable... for a long, long time... I want to say 8 hours, but perhaps it was shorter than that. I could not get updates or connect to it. Please reconsider this and think about what this looks like to a moderately sophisticated user like myself, and then consider it from the perspective of someone who has no understanding of all the lower level stuff you describe. Getting an error message that says your certificate has failed verification after it tries to log in, when it's worked for the past year, would lead me (maybe not you) to believe that my certificate was no longer valid, not that the service I've subscribed to and paid for that is usually always available (because it's Red Hat) has been unavailable for HOURS.
Fix for SSLCertificateVerifyFailedError exception so that it wouldn't print a misleading message pointing the user to a CA certificate, calling it an SSL certificate and stating that it failed validation:

spacewalk.git master: 0dad9b5bd5081388d52ef43533f2afa59ea76344
satellite.git CLIENT-RHEL-6: c69e361a98059b608f8eed28468f48989aee30c4
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: A bug in rhn-client-tools code.
Consequence: Misleading traceback message, mistakenly calling a CA certificate an SSL certificate in case the server's SSL certificate verification failed.
Fix: Fix landed in relevant exception message.
Result: Correct traceback message in the problematic situations.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,7 +1 @@ -Cause: A bug in rhn-client-tools code. +When rhn_register fails to verify the server's SSL certificate, it terminates with a traceback. Previously, this traceback contained a misleading exception message which treated a CA certificate as an SSL certificate. The relevant exception message has now been rephrased to make sure such a traceback does not contain misleading information.- -Consequence: Misleading traceback message, mistakenly calling CA certificate a SSL certificate in case the server's SSL certificate verification failed. - -Fix: Fix landed in relevant exception message. - -Result: Correct traceback message in the problematic situations.
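Review bot: the added paragraph says the exception message "has now been rephrased" but quotes neither the previous wording nor the new one, so a reader cannot match the note against what appears in their own logs or tracebacks. Consider quoting both messages, or at least the new one, in the sentence that begins "The relevant exception message has now been rephrased".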
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1664.html