Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 691788

Summary: subscription manager installs broken certs
Product: Red Hat Enterprise Linux 6 Reporter: J.C. Molet <jmolet>
Component: subscription-managerAssignee: Devan Goodwin <dgoodwin>
Status: CLOSED ERRATA QA Contact: J.C. Molet <jmolet>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: dgoodwin, spandey
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 702075 (view as bug list) Environment:
Last Closed: 2011-05-19 13:40:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 568421, 702075    
Attachments:
Description Flags
importing invalid certs
none
gui fix none

Description J.C. Molet 2011-03-29 13:28:03 UTC 
Created attachment 488443 [details]
importing invalid certs

Description of problem:
When importing an invalid or broken certificate, subscription-manager throws a traceback (expected), but it goes ahead and installs the cert in the /etc/pki/entitlements directory anyway. This causes subscription manager to crash upon all subsequent start-ups.

Version-Release number of selected component (if applicable):
subscription-manager-gnome-0.95.5-1.git.26.ce6d87f.el6.x86_64
subscription-manager-0.95.5-1.git.26.ce6d87f.el6.x86_64
subscription-manager-firstboot-0.95.5-1.git.26.ce6d87f.el6.x86_64
python-rhsm-0.95.5-1.git.0.0bfdb97.el6.noarch


Steps to Reproduce:
1.  Install subscription-manager-gui
2.  Obtain an invalid or broken x509 cert.  (I used an identity cert from the web subscription manager in stage).
3.  Using rhsm-gui, use the import cert tool and import this cert.
4.  Watch rhsm throw a traceback.
5.  Close the rhsm-gui.
6.  Start the gui back up.
  
Actual results:
See attachment for logs/stack trace of broken imported cert.

[root@jmolet-vm3 Desktop]# subscription-manager-gui 

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: Unexpected element <property> inside <widget>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.

(subscription-manager-gui:19706): libglade-WARNING **: unknown attribute `swapped' for <signal>.
'list' object has no attribute 'getStart'
[root@jmolet-vm3 Desktop]# subscription-manager list --available
'list' object has no attribute 'getStart'

Also, the cert is installed in /etc/pki/entitlements/

Expected results:
The invalid cert is rejected from being installed and doesn't cause these problems.

Additional info:
This also breaks the cli tool.
Comment 1 Devan Goodwin 2011-03-31 15:42:28 UTC 
Two phases to the fix, first don't choke on bad entitlement certs when running the app:

python-rhsm master:260a305688981a9fce90db30620b2789972187f5
python-rhsm RHEL6: 59b23524a7c5b8287b98312b379a44cba9c73572
python-rhsm RHEL5.7: 44f10dfb565ecc7065c71c1e366238a0f3ce9986

Second check if a cert is valid before dropping it onto the filesystem:

subscription-manager master:  259f019bddcf6a58105758415f652d0b3d3ed369
subscription-manager RHEL6: 259f019bddcf6a58105758415f652d0b3d3ed369
subscription-manager RHEL5.7: 6fe888f7e8f72eebd126f2a8350da3ad529e06b1
Comment 4 Devan Goodwin 2011-04-06 15:30:28 UTC 
Failed to push to RHEL6 branch of Subscription Manager, new git hash is: fd5a9c6a5423cfb5b8c8ce33fd21024e3361c07d
Comment 5 J.C. Molet 2011-04-06 17:06:43 UTC 
Created attachment 490344 [details]
gui fix

2011-04-06 13:04:31,532 [WARNING] bogus() @certificate.py:306 - No product information in certificate: 1130038221894632
2011-04-06 13:04:31,532 [ERROR] _import_button_clicked() @importsub.py:82 - Error parsing manually imported entitlement certificate: /root/Downloads/836cc0f7-7a60-4a8a-b26b-3d5b9768cfc3.pem
2011-04-06 13:04:31,532 [ERROR] _import_button_clicked() @importsub.py:83 - Invalid X509 entitlement certificate.
Traceback (most recent call last):
  File "/usr/share/rhsm/gui/importsub.py", line 79, in _import_button_clicked
    raise Exception("Invalid X509 entitlement certificate.")
Exception: Invalid X509 entitlement certificate.


This is the expected behavior for importing an invalid cert.  This bug has been VERIFIED.



subscription-manager-gnome-0.95.6-1.git.2.58bb724.el6.x86_64
subscription-manager-0.95.6-1.git.2.58bb724.el6.x86_64
python-rhsm-0.95.6-1.git.0.b36d0a5.el6.noarch
subscription-manager-firstboot-0.95.6-1.git.2.58bb724.el6.x86_64
Comment 6 errata-xmlrpc 2011-05-19 13:40:46 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0611.html