Bug 712409 - subscription-manager putting incorrect data in for sslclientkey in repo file
Summary: subscription-manager putting incorrect data in for sslclientkey in repo file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.1
Hardware: x86_64
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Bryan Kearney
QA Contact: John Sefler
URL:
Whiteboard:
Depends On: 711133
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-10 13:43 UTC by RHEL Program Management
Modified: 2011-06-27 06:54 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-27 06:54:59 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0902 0 normal SHIPPED_LIVE subscription-manager bug fix update 2011-06-27 06:54:46 UTC

Description RHEL Program Management 2011-06-10 13:43:05 UTC 
This bug has been copied from bug #711133 and has been proposed
to be backported to 6.1 z-stream (EUS).
Comment 3 Adrian Likins 2011-06-10 19:30:16 UTC 
commit 16e55156a49d5fdd16570fc3e7ac4baffd2ed071
Author: Adrian Likins <alikins>
Date:   Thu Jun 9 11:47:40 2011 -0400

    712409: new fix for old style to new style key format migrations
    
    If we see an old style key, go ahead and save it as the new format,
    instead of marking it invalid and waiting for CertLib.update to
    update it.
    
    This fixes an issue where the subscription-manager yum plugin would
    not update the keys, since it was never running CertLib.update
Comment 5 John Sefler 2011-06-22 15:39:20 UTC 
Complete verification scenarios can be found in the comments of bug 711133
For the sake of this bug, we'll re-verify the following scenario:

When the user has subscribed to multiple subscriptions using subscription-manager-0.95.11-1 and has somehow (probably using RHN Classic) upgraded to subscription-manager-0.95.17-1. Let's make sure that ALL of the "old style" entitlement certs get converted to the "new style" cert/key pairs upon calling yum...


[root@jsefler-stage-6server ~]# rpm -q subscription-manager python-rhsm
subscription-manager-0.95.11-1.el6.x86_64
python-rhsm-0.95.6-1.el6.noarch
[root@jsefler-stage-6server ~]# subscription-manager register --username=qa
Password: 
1b519e74-b4b0-47c5-935a-3aae52fb0572 jsefler-stage-6server.usersys.redhat.com
[root@jsefler-stage-6server ~]# subscription-manager list --avail | grep PoolId
PoolId:            	8a85f9812ede00af012edf01c8965ceb
PoolId:            	8a85f9812ede00af012edf01c89f5cf9
PoolId:            	8a85f9812ede00af012edf01c8a65d04
PoolId:            	8a85f981302cbaf2013046b66d9c761a
PoolId:            	8a85f981302cbaf2013046b7cf077694
PoolId:            	8a85f981302cbaf2013046bb01bb7699
PoolId:            	8a85f981302cbaf20130475bf7f01895
PoolId:            	8a85f981302cbaf20130475bf8231897
PoolId:            	8a85f981302cbaf201304761614a1b76
PoolId:            	8a85f981302cbaf201304b4df59206fe
PoolId:            	8a85f981302cbaf201304b589d620720
PoolId:            	8a85f981302cbaf201304b7440e1073f
PoolId:            	8a85f981302cbaf201304b7a341c0767
[root@jsefler-stage-6server ~]# subscription-manager subscribe --pool=8a85f9812ede00af012edf01c8965ceb --pool=8a85f9812ede00af012edf01c89f5cf9 --pool=8a85f9812ede00af012edf01c8a65d04 --pool=8a85f981302cbaf2013046b66d9c761a --pool=8a85f981302cbaf2013046b7cf077694 --pool=8a85f981302cbaf2013046bb01bb7699 --pool=8a85f981302cbaf20130475bf7f01895 --pool=8a85f981302cbaf20130475bf8231897 --pool=8a85f981302cbaf201304761614a1b76 --pool=8a85f981302cbaf201304b4df59206fe --pool=8a85f981302cbaf201304b589d620720 --pool=8a85f981302cbaf201304b7440e1073f --pool=8a85f981302cbaf201304b7a341c0767
[root@jsefler-stage-6server ~]# 
[root@jsefler-stage-6server ~]# ls --format=single-column  /etc/pki/entitlement/
1241079981535352465.pem
159855522449657142.pem
2909026179699230628.pem
4187660796414535459.pem
4310560702008139452.pem
4838187844051615345.pem
5097713717014519419.pem
5733497207611388068.pem
6518723518978988438.pem
6603356720528647346.pem
6966989714059895224.pem
7752657598634995728.pem
8484072274178155381.pem
key.pem
[root@jsefler-stage-6server ~]# 


^^^^ NOTICE THE "old style" certs with a single key.pem
Now for testing purposes, I'll circumvent an RHN yum update by manually installing the newest python-rhsm and the subscription-manager package attached to this errata...


[root@jsefler-stage-6server ~]# yum localinstall --nogpgcheck /tmp/subscription-manager-0.95.17-1.el6_1.x86_64.rpm /tmp/python-rhsm-0.95.14-1.el6_1.noarch.rpm 
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
Setting up Local Package Process
Examining /tmp/subscription-manager-0.95.17-1.el6_1.x86_64.rpm: subscription-manager-0.95.17-1.el6_1.x86_64
Marking /tmp/subscription-manager-0.95.17-1.el6_1.x86_64.rpm as an update to subscription-manager-0.95.11-1.el6.x86_64
rhel-6-server-rpms                                                                                                          | 2.1 kB     00:00     
rhel-ha-for-rhel-6-server-rpms                                                                                              | 2.2 kB     00:00     
rhel-lb-for-rhel-6-server-rpms                                                                                              | 2.4 kB     00:00     
rhel-rs-for-rhel-6-server-rpms                                                                                              | 2.2 kB     00:00     
rhel-scalefs-for-rhel-6-server-rpms                                                                                         | 2.4 kB     00:00     
Examining /tmp/python-rhsm-0.95.14-1.el6_1.noarch.rpm: python-rhsm-0.95.14-1.el6_1.noarch
Marking /tmp/python-rhsm-0.95.14-1.el6_1.noarch.rpm as an update to python-rhsm-0.95.6-1.el6.noarch
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.noarch 0:0.95.6-1.el6 will be updated
---> Package python-rhsm.noarch 0:0.95.14-1.el6_1 will be an update
---> Package subscription-manager.x86_64 0:0.95.11-1.el6 will be updated
---> Package subscription-manager.x86_64 0:0.95.17-1.el6_1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================
 Package                          Arch               Version                        Repository                                                Size
===================================================================================================================================================
Updating:
 python-rhsm                      noarch             0.95.14-1.el6_1                /python-rhsm-0.95.14-1.el6_1.noarch                      109 k
 subscription-manager             x86_64             0.95.17-1.el6_1                /subscription-manager-0.95.17-1.el6_1.x86_64             1.2 M

Transaction Summary
===================================================================================================================================================
Upgrade       2 Package(s)

Total size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : python-rhsm-0.95.14-1.el6_1.noarch                                                                                              1/4 
  Updating   : subscription-manager-0.95.17-1.el6_1.x86_64                                                                                     2/4 
  Cleanup    : subscription-manager-0.95.11-1.el6.x86_64                                                                                       3/4 
  Cleanup    : python-rhsm-0.95.6-1.el6.noarch                                                                                                 4/4 
rhel-6-server-rpms/productid                                                                                                | 1.7 kB     00:00     
duration: 264(ms)
Installed products updated.

Updated:
  python-rhsm.noarch 0:0.95.14-1.el6_1                                subscription-manager.x86_64 0:0.95.17-1.el6_1                               

Complete!
[root@jsefler-stage-6server ~]# 
[root@jsefler-stage-6server ~]# ls --format=single-column  /etc/pki/entitlement/1241079981535352465.pem
159855522449657142.pem
2909026179699230628.pem
4187660796414535459.pem
4310560702008139452.pem
4838187844051615345.pem
5097713717014519419.pem
5733497207611388068.pem
6518723518978988438.pem
6603356720528647346.pem
6966989714059895224.pem
7752657598634995728.pem
8484072274178155381.pem
key.pem
[root@jsefler-stage-6server ~]# 

^^^ Still showing the "old style" certs

[root@jsefler-stage-6server ~]# yum repolist -q
[root@jsefler-stage-6server ~]# ls --format=single-column  /etc/pki/entitlement/
1241079981535352465-key.pem
1241079981535352465.pem
159855522449657142-key.pem
159855522449657142.pem
2909026179699230628-key.pem
2909026179699230628.pem
4187660796414535459-key.pem
4187660796414535459.pem
4310560702008139452-key.pem
4310560702008139452.pem
4838187844051615345-key.pem
4838187844051615345.pem
5097713717014519419-key.pem
5097713717014519419.pem
5733497207611388068-key.pem
5733497207611388068.pem
6518723518978988438-key.pem
6518723518978988438.pem
6603356720528647346-key.pem
6603356720528647346.pem
6966989714059895224-key.pem
6966989714059895224.pem
7752657598634995728-key.pem
7752657598634995728.pem
8484072274178155381-key.pem
8484072274178155381.pem
key.pem
[root@jsefler-stage-6server ~]#

^^^ Now after a yum transaction, the "new style" entitlements include a key.pem per entitlement.pem.


[root@jsefler-stage-6server ~]# yum repolist
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
rhel-6-server-rpms                                                                                                          | 2.1 kB     00:00     
rhel-ha-for-rhel-6-server-rpms                                                                                              | 2.2 kB     00:00     
rhel-lb-for-rhel-6-server-rpms                                                                                              | 2.4 kB     00:00     
rhel-rs-for-rhel-6-server-rpms                                                                                              | 2.2 kB     00:00     
rhel-scalefs-for-rhel-6-server-rpms                                                                                         | 2.4 kB     00:00     
repo id                                             repo name                                                                                status
rhel-6-server-rpms                                  Red Hat Enterprise Linux 6 Server (RPMs)                                                 5,047
rhel-ha-for-rhel-6-server-rpms                      Red Hat Enterprise Linux High Availability (for RHEL 6 Server) (RPMs)                       87
rhel-lb-for-rhel-6-server-rpms                      Red Hat Enterprise Linux Load Balancer (for RHEL 6 Server) (RPMs)                            2
rhel-rs-for-rhel-6-server-rpms                      Red Hat Enterprise Linux Resilient Storage (for RHEL 6 Server) (RPMs)                      100
rhel-scalefs-for-rhel-6-server-rpms                 Red Hat Enterprise Linux Scalable File System (for RHEL 6 Server) (RPMs)                     7
repolist: 5,243


^^^ AND, we do not encounter a yum "[Errno 14] problem with the local client certificate"

moving to VERIFIED
Comment 6 errata-xmlrpc 2011-06-27 06:54:59 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0902.html
Note You need to log in before you can comment on or make changes to this bug.