Hide Forgot
Created attachment 488443 [details] importing invalid certs Description of problem: When importing an invalid or broken certificate, subscription-manager throws a traceback (expected), but it goes ahead and installs the cert in the /etc/pki/entitlements directory anyway. This causes subscription manager to crash upon all subsequent start-ups. Version-Release number of selected component (if applicable): subscription-manager-gnome-0.95.5-1.git.26.ce6d87f.el6.x86_64 subscription-manager-0.95.5-1.git.26.ce6d87f.el6.x86_64 subscription-manager-firstboot-0.95.5-1.git.26.ce6d87f.el6.x86_64 python-rhsm-0.95.5-1.git.0.0bfdb97.el6.noarch Steps to Reproduce: 1. Install subscription-manager-gui 2. Obtain an invalid or broken x509 cert. (I used an identity cert from the web subscription manager in stage). 3. Using rhsm-gui, use the import cert tool and import this cert. 4. Watch rhsm throw a traceback. 5. Close the rhsm-gui. 6. Start the gui back up. Actual results: See attachment for logs/stack trace of broken imported cert. [root@jmolet-vm3 Desktop]# subscription-manager-gui (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: Unexpected element <property> inside <widget>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. (subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>. 'list' object has no attribute 'getStart' [root@jmolet-vm3 Desktop]# subscription-manager list --available 'list' object has no attribute 'getStart' Also, the cert is installed in /etc/pki/entitlements/ Expected results: The invalid cert is rejected from being installed and doesn't cause these problems. Additional info: This also breaks the cli tool.
Two phases to the fix, first don't choke on bad entitlement certs when running the app: python-rhsm master:260a305688981a9fce90db30620b2789972187f5 python-rhsm RHEL6: 59b23524a7c5b8287b98312b379a44cba9c73572 python-rhsm RHEL5.7: 44f10dfb565ecc7065c71c1e366238a0f3ce9986 Second check if a cert is valid before dropping it onto the filesystem: subscription-manager master: 259f019bddcf6a58105758415f652d0b3d3ed369 subscription-manager RHEL6: 259f019bddcf6a58105758415f652d0b3d3ed369 subscription-manager RHEL5.7: 6fe888f7e8f72eebd126f2a8350da3ad529e06b1
Failed to push to RHEL6 branch of Subscription Manager, new git hash is: fd5a9c6a5423cfb5b8c8ce33fd21024e3361c07d
Created attachment 490344 [details] gui fix 2011-04-06 13:04:31,532 [WARNING] bogus() @certificate.py:306 - No product information in certificate: 1130038221894632 2011-04-06 13:04:31,532 [ERROR] _import_button_clicked() @importsub.py:82 - Error parsing manually imported entitlement certificate: /root/Downloads/836cc0f7-7a60-4a8a-b26b-3d5b9768cfc3.pem 2011-04-06 13:04:31,532 [ERROR] _import_button_clicked() @importsub.py:83 - Invalid X509 entitlement certificate. Traceback (most recent call last): File "/usr/share/rhsm/gui/importsub.py", line 79, in _import_button_clicked raise Exception("Invalid X509 entitlement certificate.") Exception: Invalid X509 entitlement certificate. This is the expected behavior for importing an invalid cert. This bug has been VERIFIED. subscription-manager-gnome-0.95.6-1.git.2.58bb724.el6.x86_64 subscription-manager-0.95.6-1.git.2.58bb724.el6.x86_64 python-rhsm-0.95.6-1.git.0.b36d0a5.el6.noarch subscription-manager-firstboot-0.95.6-1.git.2.58bb724.el6.x86_64
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2011-0611.html