
Bug 712980

Summary: Import Certificate neglects to also import the corresponding key.pem
Product: Red Hat Enterprise Linux 6
Component: subscription-manager
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: John Sefler <jsefler>
Assignee: Bryan Kearney <bkearney>
QA Contact: John Sefler <jsefler>
CC: ggainey, mstead, spandey, tsmart
Target Milestone: rc
Target Release: ---
Keywords: ZStream
Doc Type: Bug Fix
Clone Of: 712978
Bug Blocks: 682238
Last Closed: 2011-12-06 17:15:15 UTC
Attachments: Entitlement Cert downloaded from rhsm-web tooling (WITH THE CERTIFICATE MANUALLY REMOVED) (flags: none)

Description John Sefler 2011-06-13 19:33:47 UTC
+++ This bug was initially created as a clone of Bug #712978 +++

Description of problem:
In order for a client to be able to access subscription yum content, the entitlement cert and its corresponding key are needed. For example:

# ls /etc/pki/entitlement/
5245218597493174884-key.pem  5245218597493174884.pem

Currently, subscription-manager-gui has an "Import Certificate" function that will import an entitlement cert that was downloaded from the rhsm-web app (and SAM), but there is no clean way to also import the key file.

After discussions with tsmart and ggainey, one alternative could be that rhsm-web (and SAM) provide both the entitlement cert AND the corresponding key in the same downloaded file.  Then subscription-manager-gui can still provide the same single file import workflow and if it finds both certificates in the same imported file, it can split them apart and lay them down in /etc/pki/entitlement as <hash>.pem and <hash>-key.pem


Version-Release number of selected component (if applicable):
This affects RHEL57, RHEL61
RHEL57 subscription-manager-0.95.5.21-1.el5
RHEL61 subscription-manager-0.95.14-1.el6




Comment 3 Michael Stead 2011-07-18 20:18:31 UTC
This has been addressed by commit 158de0a80e0f2b62d63834d6751c9cf6489630a1 in the master branch.

Comment 7 John Sefler 2011-07-26 19:15:23 UTC
Verifying Version...
[root@jsefler-onprem-62server entitlement]# rpm -q subscription-manager-gnome
subscription-manager-gnome-0.96.4-1.git.63.7bb4765.el6.x86_64

Using the certificates in comments 4, 5, and 6, I am able to perform the following tests:


[root@jsefler-onprem-62server ~]# subscription-manager clean
All local data removed
[root@jsefler-onprem-62server ~]# ls /etc/pki/entitlement/
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED NO CERTS

Case 1: Use the subscription-manager gui to Import Certificate 70317698734240.pem from attachment 515342.

[root@jsefler-onprem-62server ~]# grep -H -- --- /etc/pki/entitlement/*
/etc/pki/entitlement/70317698734240-key.pem:-----BEGIN RSA PRIVATE KEY-----
/etc/pki/entitlement/70317698734240-key.pem:-----END RSA PRIVATE KEY-----
/etc/pki/entitlement/70317698734240.pem:-----BEGIN CERTIFICATE-----
/etc/pki/entitlement/70317698734240.pem:-----END CERTIFICATE-----
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THE IMPORT SUCCESSFULLY SPLIT THE CERT INTO A SEPARATE CERT AND KEY FILE WITH THE SAME SUFFIX 70317698734240

[root@jsefler-onprem-62server ~]# rm -rf /etc/pki/entitlement/

Case 2: Use the subscription-manager gui to Import Certificate 70317698734240_CERT-ONLY.pem from attachment 515343

[root@jsefler-onprem-62server ~]# grep -H -- --- /etc/pki/entitlement/*
/etc/pki/entitlement/70317698734240_CERT-ONLY.pem:-----BEGIN CERTIFICATE-----
/etc/pki/entitlement/70317698734240_CERT-ONLY.pem:-----END CERTIFICATE-----
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THAT THE CERT WAS SUCCESSFULLY IMPORTED, AND BECAUSE THERE WAS NO KEY IN THE FILE THERE WAS NO NEED TO CREATE A SEPARATE KEY.PEM.  THE MISSING KEY WAS SIMPLY SKIPPED.

[root@jsefler-onprem-62server ~]# rm -rf /etc/pki/entitlement/

Case 3: Use the subscription-manager gui to Import Certificate 70317698734240_KEY-ONLY.pem from attachment 515344

[root@jsefler-onprem-62server ~]# ls /etc/pki/entitlement/
[root@jsefler-onprem-62server ~]# 
^^^ VERIFIED THAT THE IMPORT IS BLOCKED IN THE GUI WITH AN ERROR DIALOG THAT STATES "70317698734240_KEY-ONLY.pem is not a valid certificate file. Please upload a valid certificate." MOREOVER, NO KEY IS IMPORTED.
 

Variants also tested:
duplicate import of 70317698734240.pem from attachment 515342:
 result - no change in certs because the original was already imported
import of 70317698734240.pem and 70317698734240_CERT-ONLY.pem
 result - two entitlements to the same product subscription.  That's fine and correct.
Unsubscribe of imported certificates
 result - entitlement certs and keys are removed. (see bug 723363)


Moving to VERIFIED
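
The import behaviour verified in Comment 7 (combined file split into a cert and a key, cert-only accepted, key-only rejected, duplicate import leaving things unchanged), as an added example that is not subscription-manager's own code. The function names, the placeholder PEM bodies and the owner-only mode on the key file are assumptions made for this example; it splits on PEM labels only and does not check that the key belongs to the certificate.

```python
import os
import re

# Constructed placeholder PEM blocks (not real key material); only the labels matter here.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"

# One PEM block; group 1 is its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)


def split_bundle(text):
    """Return (cert_pem, key_pem or None); reject input with no certificate."""
    cert = key = None
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        if label == "CERTIFICATE" and cert is None:
            cert = match.group(0) + "\n"
        elif label.endswith("PRIVATE KEY") and key is None:
            key = match.group(0) + "\n"
    if cert is None:
        raise ValueError("not a valid certificate file")
    return cert, key


def write_new(path, data, mode):
    """Create path with the given mode; O_EXCL refuses to reuse an existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)


def import_bundle(src_path, dest_dir):
    """Write <name>.pem and, when a key is present, <name>-key.pem; return paths written."""
    with open(src_path) as handle:
        cert, key = split_bundle(handle.read())
    name = os.path.splitext(os.path.basename(src_path))[0]
    cert_path = os.path.join(dest_dir, name + ".pem")
    if os.path.exists(cert_path):
        return []  # duplicate import: leave the existing cert and key untouched
    written = [cert_path]
    write_new(cert_path, cert, 0o644)
    if key is not None:
        key_path = os.path.join(dest_dir, name + "-key.pem")
        write_new(key_path, key, 0o600)  # private key readable by owner only
        written.append(key_path)
    return written
```

The base name is taken from the imported file's name, matching the 70317698734240.pem / 70317698734240-key.pem pair shown in Case 1.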

Comment 8 errata-xmlrpc 2011-12-06 17:15:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1695.html