Bug 712980 - Import Certificate neglects to also import the corresponding key.pem
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Bryan Kearney
QA Contact: John Sefler
Keywords: ZStream
Blocks: rhsm-rhel62
Reported: 2011-06-13 15:33 EDT by John Sefler
Modified: 2011-12-06 12:15 EST
Doc Type: Bug Fix
Clone Of: 712978
Last Closed: 2011-12-06 12:15:15 EST

Attachments
Entitlement Cert downloaded from rhsm-web tooling (WITH THE CERTIFICATE MANUALLY REMOVED) (1.64 KB, application/octet-stream)
2011-07-26 14:38 EDT, John Sefler
Description John Sefler 2011-06-13 15:33:47 EDT
+++ This bug was initially created as a clone of Bug #712978 +++

Description of problem:
In order for a client to be able to access subscription yum content, the entitlement cert and its corresponding key are needed. For example:

# ls /etc/pki/entitlement/
5245218597493174884-key.pem  5245218597493174884.pem

Currently, subscription-manager-gui has an "Import Certificate" function that will import an entitlement cert that was downloaded from the rhsm-web app (and SAM), but there is no clean way to also import the key file.

After discussions with tsmart and ggainey, one alternative could be that rhsm-web (and SAM) provide both the entitlement cert AND the corresponding key in the same downloaded file.  Then subscription-manager-gui can still provide the same single file import workflow and if it finds both certificates in the same imported file, it can split them apart and lay them down in /etc/pki/entitlement as <hash>.pem and <hash>-key.pem


Version-Release number of selected component (if applicable):
This affects RHEL57, RHEL61
RHEL57 subscription-manager-0.95.5.21-1.el5
RHEL61 subscription-manager-0.95.14-1.el6



Comment 3 Michael Stead 2011-07-18 16:18:31 EDT
This has been addressed by commit 158de0a80e0f2b62d63834d6751c9cf6489630a1 in the master branch.
Comment 7 John Sefler 2011-07-26 15:15:23 EDT
Verifying Version...
[root@jsefler-onprem-62server entitlement]# rpm -q subscription-manager-gnome
subscription-manager-gnome-0.96.4-1.git.63.7bb4765.el6.x86_64

Using the certificates in comments 4, 5, and 6, I am able to perform the following tests:


[root@jsefler-onprem-62server ~]# subscription-manager clean
All local data removed
[root@jsefler-onprem-62server ~]# ls /etc/pki/entitlement/
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED NO CERTS

Case 1: Use the subscription-manager gui to Import Certificate 70317698734240.pem from attachment 515342.

[root@jsefler-onprem-62server ~]# grep -H -- --- /etc/pki/entitlement/*
/etc/pki/entitlement/70317698734240-key.pem:-----BEGIN RSA PRIVATE KEY-----
/etc/pki/entitlement/70317698734240-key.pem:-----END RSA PRIVATE KEY-----
/etc/pki/entitlement/70317698734240.pem:-----BEGIN CERTIFICATE-----
/etc/pki/entitlement/70317698734240.pem:-----END CERTIFICATE-----
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THE IMPORT SUCCESSFULLY SPLIT THE CERT INTO A SEPARATE CERT AND KEY FILE WITH THE SAME SUFFIX 70317698734240

[root@jsefler-onprem-62server ~]# rm -rf /etc/pki/entitlement/

Case 2: Use the subscription-manager gui to Import Certificate 70317698734240_CERT-ONLY.pem from attachment 515343

[root@jsefler-onprem-62server ~]# grep -H -- --- /etc/pki/entitlement/*
/etc/pki/entitlement/70317698734240_CERT-ONLY.pem:-----BEGIN CERTIFICATE-----
/etc/pki/entitlement/70317698734240_CERT-ONLY.pem:-----END CERTIFICATE-----
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THAT THE CERT WAS SUCCESSFULLY IMPORTED, AND BECAUSE THERE WAS NO KEY IN THE FILE THERE WAS NO NEED TO CREATE A SEPARATE KEY.PEM.  THE MISSING KEY WAS SIMPLY SKIPPED.

[root@jsefler-onprem-62server ~]# rm -rf /etc/pki/entitlement/

Case 3: Use the subscription-manager gui to Import Certificate 70317698734240_KEY-ONLY.pem from attachment 515344

[root@jsefler-onprem-62server ~]# ls /etc/pki/entitlement/
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THAT THE IMPORT IS BLOCKED IN THE GUI WITH AN ERROR DIALOG THAT STATES "70317698734240_KEY-ONLY.pem is not a valid certificate file. Please upload a valid certificate." MOREOVER, NO KEY IS IMPORTED.
 

Variants also tested:
duplicate import of 70317698734240.pem from attachment 515342:
 result - no change in certs because the original was already imported
import of 70317698734240.pem and 70317698734240_CERT-ONLY.pem
 result - two entitlements to the same product subscription.  That's fine and correct.
Unsubscribe of imported certificates
 result - entitlement certs and keys are removed. (see bug 723363)


Moving to VERIFIED
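
Added example (not part of the bug report and not subscription-manager's own code): a minimal Python sketch of the import behaviour verified in the three cases above, splitting a combined PEM file into <name>.pem and <name>-key.pem. The function names, the label-only detection of blocks, deriving the output name from the imported file name, and the 0600 mode on the key file are assumptions of this example; the PEM bodies are constructed placeholders, not real key material.

```python
import os
import re

# Constructed placeholder PEM blocks (bodies are not real certificate or key data).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"

# One PEM block; group 1 is its label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL
)


def split_bundle(text):
    """Return (cert_pem, key_pem) from a PEM bundle; key_pem is None if absent."""
    cert = key = None
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        if label == "CERTIFICATE" and cert is None:
            cert = m.group(0) + "\n"
        elif label.endswith("PRIVATE KEY") and key is None:
            key = m.group(0) + "\n"
    if cert is None:
        # Case 3: a key-only (or empty) file is rejected and nothing is written.
        raise ValueError("not a valid certificate file")
    return cert, key


def import_bundle(src_path, dest_dir):
    """Write <name>.pem and, if present, <name>-key.pem; return the paths written."""
    with open(src_path) as f:
        cert, key = split_bundle(f.read())
    name = os.path.splitext(os.path.basename(src_path))[0]
    os.makedirs(dest_dir, exist_ok=True)
    written = []
    for suffix, body, mode in ((".pem", cert, 0o644), ("-key.pem", key, 0o600)):
        if body is None:
            continue  # Case 2: cert-only file, the missing key is simply skipped
        path = os.path.join(dest_dir, name + suffix)
        # Create with the final mode so the key is never world-readable on disk;
        # fchmod also tightens a file that already existed with a looser mode.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        os.fchmod(fd, mode)
        with os.fdopen(fd, "w") as out:
            out.write(body)
        written.append(path)
    return written
```
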
Comment 8 errata-xmlrpc 2011-12-06 12:15:15 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1695.html
