Bug 712980 - Import Certificate neglects to also import the corresponding key.pem
Summary: Import Certificate neglects to also import the corresponding key.pem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Bryan Kearney
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel62
Reported: 2011-06-13 19:33 UTC by John Sefler
Modified: 2011-12-06 17:15 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 712978
Environment:
Last Closed: 2011-12-06 17:15:15 UTC
Target Upstream Version:


Attachments
Entitlement Cert downloaded from rhsm-web tooling (WITH THE CERTIFICATE MANUALLY REMOVED) (1.64 KB, application/octet-stream)
2011-07-26 18:38 UTC, John Sefler


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 712978 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Product Errata RHBA-2011:1695 0 normal SHIPPED_LIVE subscription-manager bug fix and enhancement update 2011-12-06 01:23:29 UTC

Internal Links: 712978

Description John Sefler 2011-06-13 19:33:47 UTC
+++ This bug was initially created as a clone of Bug #712978 +++

Description of problem:
In order for a client to be able to access subscription yum content, the entitlement cert and its corresponding key are needed. For example:

# ls /etc/pki/entitlement/
5245218597493174884-key.pem  5245218597493174884.pem

Currently, subscription-manager-gui has an "Import Certificate" function that will import an entitlement cert that was downloaded from the rhsm-web app (and SAM), but there is no clean way to also import the key file.

After discussions with tsmart and ggainey, one alternative could be that rhsm-web (and SAM) provide both the entitlement cert AND the corresponding key in the same downloaded file.  Then subscription-manager-gui can still provide the same single file import workflow and if it finds both certificates in the same imported file, it can split them apart and lay them down in /etc/pki/entitlement as <hash>.pem and <hash>-key.pem


Version-Release number of selected component (if applicable):
This affects RHEL57, RHEL61
RHEL57 subscription-manager-0.95.5.21-1.el5
RHEL61 subscription-manager-0.95.14-1.el6



How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 3 Michael Stead 2011-07-18 20:18:31 UTC
This has been addressed by commit 158de0a80e0f2b62d63834d6751c9cf6489630a1 in the master branch.

Comment 7 John Sefler 2011-07-26 19:15:23 UTC
Verifying Version...
[root@jsefler-onprem-62server entitlement]# rpm -q subscription-manager-gnome
subscription-manager-gnome-0.96.4-1.git.63.7bb4765.el6.x86_64

Using the certificates in comments 4, 5, and 6, I am able to perform the following tests:


[root@jsefler-onprem-62server ~]# subscription-manager clean
All local data removed
[root@jsefler-onprem-62server ~]# ls /etc/pki/entitlement/
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED NO CERTS

Case 1: Use the subscription-manager gui to Import Certificate 70317698734240.pem from attachment 515342.

[root@jsefler-onprem-62server ~]# grep -H -- --- /etc/pki/entitlement/*
/etc/pki/entitlement/70317698734240-key.pem:-----BEGIN RSA PRIVATE KEY-----
/etc/pki/entitlement/70317698734240-key.pem:-----END RSA PRIVATE KEY-----
/etc/pki/entitlement/70317698734240.pem:-----BEGIN CERTIFICATE-----
/etc/pki/entitlement/70317698734240.pem:-----END CERTIFICATE-----
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THE IMPORT SUCCESSFULLY SPLIT THE CERT INTO A SEPARATE CERT AND KEY FILE WITH THE SAME SUFFIX 70317698734240

[root@jsefler-onprem-62server ~]# rm -rf /etc/pki/entitlement/

Case 2: Use the subscription-manager gui to Import Certificate 70317698734240_CERT-ONLY.pem from attachment 515343

[root@jsefler-onprem-62server ~]# grep -H -- --- /etc/pki/entitlement/*
/etc/pki/entitlement/70317698734240_CERT-ONLY.pem:-----BEGIN CERTIFICATE-----
/etc/pki/entitlement/70317698734240_CERT-ONLY.pem:-----END CERTIFICATE-----
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THAT THE CERT WAS SUCCESSFULLY IMPORTED, AND BECAUSE THERE WAS NO KEY IN THE FILE THERE WAS NO NEED TO CREATE A SEPARATE KEY.PEM.  THE MISSING KEY WAS SIMPLY SKIPPED.

[root@jsefler-onprem-62server ~]# rm -rf /etc/pki/entitlement/

Case 3: Use the subscription-manager gui to Import Certificate 70317698734240_KEY-ONLY.pem from attachment 515344

[root@jsefler-onprem-62server ~]# ls /etc/pki/entitlement/
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THAT THE IMPORT IS BLOCKED IN THE GUI WITH AN ERROR DIALOG THAT STATES "70317698734240_KEY-ONLY.pem is not a valid certificate file. Please upload a valid certificate." MOREOVER, NO KEY IS IMPORTED.
 

Variants also tested:
duplicate import of 70317698734240.pem from attachment 515342:
 result - no change in certs because the original was already imported
import of 70317698734240.pem and 70317698734240_CERT-ONLY.pem
 result - two entitlements to the same product subscription.  That's fine and correct.
Unsubscribe of imported certificates
 result - entitlement certs and keys are removed. (see bug 723363)


Moving to VERIFIED

Comment 8 errata-xmlrpc 2011-12-06 17:15:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1695.html

