Bug 743667 - installed product cert is getting clobbered by an older cert during a yum install
Keywords:
Status: CLOSED DUPLICATE of bug 919275
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 7.0
Assignee: candlepin-bugs
QA Contact: Entitlement Bugs
URL:
Whiteboard:
Depends On:
Blocks: 756082 rhsm-rhel70
 
Reported: 2011-10-05 17:02 UTC by John Sefler
Modified: 2013-10-18 16:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-18 16:18:43 UTC
Target Upstream Version:
Embargoed:



Description John Sefler 2011-10-05 17:02:06 UTC
Description of problem:
I've provisioned a brand new rhel62 box using beaker and I register it to the production environment with qa account.  I subscribe to a subscription that provides content for rhel-6,rhel-6-server, and then I install a package.  The 69.pem product cert (version "6.2 Beta") that was originally installed during the provision is getting clobbered with the 69.pem product cert (version "6.1") from the subscribed repo.

Effectively the system's access to content does not change because both of the 69.pem product certs (clobberer and clobberee) contain the same tags "rhel-6,rhel-6-server" in OID 1.3.6.1.4.1.2312.9.1.69.4.  While I can rationalize that the yum product_id plugin is doing the right thing, I can also argue that clobbering a newer installed product cert with an older product cert is a bad thing.  Please re-evaluate what the product-id plugin should be doing in this case.  I suspect that clobbering an older versioned product cert may be appropriate while clobbering a newer product cert is not.  Certainly if the OID value for 1.3.6.1.4.1.2312.9.1.<product_hash>.4 is different, then clobbering can have adverse effects on access to content.

Version-Release number of selected component (if applicable):
subscription-manager-0.96.13-1.el6.x86_64

How reproducible:


Steps to Reproduce:
Beginning with a beaker provisioned RHEL62 nightly build...
[jsefler@jseflerT5400 ~]$ ssh -XYC root.eng.bos.redhat.com
The authenticity of host 'dell-pem905-01.rhts.eng.bos.redhat.com (10.16.66.75)' can't be established.
RSA key fingerprint is 64:92:cd:9b:a1:af:50:3a:16:be:45:7e:d7:fa:57:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dell-pem905-01.rhts.eng.bos.redhat.com,10.16.66.75' (RSA) to the list of known hosts.
root.eng.bos.redhat.com's password: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by jsefler.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.
  Please use this command responsibly, Everyone uses these machines.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/289035

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/dell-pem905-01.rhts.eng.bos.redhat.com

      Beaker Test information:
                         HOSTNAME=dell-pem905-01.rhts.eng.bos.redhat.com
                            JOBID=139493
                         RECIPEID=289035
                    RESULT_SERVER=127.0.0.1:7094
                           DISTRO=RHEL6.2-20111005.n.0
                     ARCHITECTURE=x86_64
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
[root@dell-pem905-01 ~]# rpm -q subscription-manager
subscription-manager-0.96.13-1.el6.x86_64

[root@dell-pem905-01 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+

ProductName:        	Red Hat Enterprise Linux Server
Version:            	6.2 Beta                 
Arch:               	x86_64                   
Status:             	Not Subscribed           
Starts:             	                         
Expires:            	                         

[root@dell-pem905-01 ~]# cp /etc/pki/product/69.pem /tmp


^^^ NOTICE THAT 69.pem IS INSTALLED FOR VERSION 6.2 Beta AS EXPECTED.  I COPIED IT TO /tmp FOR SAFE KEEPING AND LATER COMPARISON


[root@dell-pem905-01 ~]# subscription-manager register --username qa
Password: 
The system has been registered with id: 8de4323d-cebd-4593-8edf-52adf2c41eb0 

[root@dell-pem905-01 ~]# subscription-manager list --avail
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+


ProductName:       	Red Hat Employee Subscription
ProductId:         	SYS0395                  
PoolId:            	8a85f9812ede00af012edf01c89f5cf9
Quantity:          	9965                     
Multi-Entitlement: 	No                       
Expires:           	10/07/2011               
MachineType:       	physical                 


ProductName:       	Red Hat Employee Subscription
ProductId:         	SYS0395                  
PoolId:            	8a85f98132d071210132d24bf5d21352
Quantity:          	25                       
Multi-Entitlement: 	No                       
Expires:           	01/01/2022               
MachineType:       	physical                 


ProductName:       	Red Hat Enterprise Linux Server for HPC Compute Node,
                        Self-support (8 sockets) (Up to 1 guest)
ProductId:         	RH0604852                
PoolId:            	8a85f98332b5d10c0132ca0b53942101
Quantity:          	99                       
Multi-Entitlement: 	No                       
Expires:           	01/01/2012               
MachineType:       	physical                 

[root@dell-pem905-01 ~]# subscription-manager subscribe --pool 8a85f9812ede00af012edf01c89f5cf9
Successfully subscribed the system to Pool 8a85f9812ede00af012edf01c89f5cf9

[root@dell-pem905-01 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
rhel-6-server-rpms                                       | 2.4 kB     00:00     
rhel-ha-for-rhel-6-server-rpms                           | 2.4 kB     00:00     
rhel-lb-for-rhel-6-server-rpms                           | 2.0 kB     00:00     
rhel-rs-for-rhel-6-server-rpms                           | 2.4 kB     00:00     
rhel-scalefs-for-rhel-6-server-rpms                      | 2.0 kB     00:00     
repo id                             repo name                             status
beaker-HighAvailability             beaker-HighAvailability                   50
beaker-LoadBalancer                 beaker-LoadBalancer                        2
beaker-ResilientStorage             beaker-ResilientStorage                   56
beaker-ScalableFileSystem           beaker-ScalableFileSystem                  7
beaker-Server                       beaker-Server                          3,524
beaker-debug                        beaker-debug                           1,651
beaker-harness                      beaker-harness                            35
beaker-optional-x86_64-debug        beaker-optional-x86_64-debug           1,185
beaker-optional-x86_64-os           beaker-optional-x86_64-os              2,638
beaker-tasks                        beaker-tasks                          11,722
rhel-6-server-rpms                  Red Hat Enterprise Linux 6 Server (RP  5,400
rhel-ha-for-rhel-6-server-rpms      Red Hat Enterprise Linux High Availab    100
rhel-lb-for-rhel-6-server-rpms      Red Hat Enterprise Linux Load Balance      2
rhel-rs-for-rhel-6-server-rpms      Red Hat Enterprise Linux Resilient St    115
rhel-scalefs-for-rhel-6-server-rpms Red Hat Enterprise Linux Scalable Fil      7
repolist: 26,494

[root@dell-pem905-01 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+

ProductName:        	Red Hat Enterprise Linux Server
Version:            	6.2 Beta                 
Arch:               	x86_64                   
Status:             	Subscribed               
Starts:             	10/08/2010               
Expires:            	10/07/2011               

^^^ WE STILL HAVE THE ORIGINAL 69.pem PRODUCT CERT INSTALLED

[root@dell-pem905-01 ~]# yum install --disablerepo=beaker* zsh
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
rhel-6-server-rpms                                       | 2.4 kB     00:00     
rhel-ha-for-rhel-6-server-rpms                           | 2.4 kB     00:00     
rhel-lb-for-rhel-6-server-rpms                           | 2.0 kB     00:00     
rhel-rs-for-rhel-6-server-rpms                           | 2.4 kB     00:00     
rhel-scalefs-for-rhel-6-server-rpms                      | 2.0 kB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package zsh.x86_64 0:4.3.10-4.1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package    Arch          Version               Repository                 Size
================================================================================
Installing:
 zsh        x86_64        4.3.10-4.1.el6        rhel-6-server-rpms        2.1 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 2.1 M
Installed size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
zsh-4.3.10-4.1.el6.x86_64.rpm                            | 2.1 MB     00:00     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid : Red Hat, Inc. (release key 2) <security>
 Package: redhat-release-server-6Server-6.2.0.2.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201110050206.x86_64/6.2)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
 Userid : Red Hat, Inc. (auxiliary key) <security>
 Package: redhat-release-server-6Server-6.2.0.2.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201110050206.x86_64/6.2)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : zsh-4.3.10-4.1.el6.x86_64                                    1/1 
rhel-6-server-rpms/productid                             | 1.7 kB     00:00     
rhel-ha-for-rhel-6-server-rpms/productid                 | 1.7 kB     00:00     
rhel-lb-for-rhel-6-server-rpms/productid                 | 1.7 kB     00:00     
rhel-rs-for-rhel-6-server-rpms/productid                 | 1.7 kB     00:00     
rhel-scalefs-for-rhel-6-server-rpms/productid            | 1.7 kB     00:00     
Installed products updated.

Installed:
  zsh.x86_64 0:4.3.10-4.1.el6                                                   

Complete!

[root@dell-pem905-01 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+

ProductName:        	Red Hat Enterprise Linux 6 Server
Version:            	6.1                      
Arch:               	x86_64                   
Status:             	Subscribed               
Starts:             	10/08/2010               
Expires:            	10/07/2011               

^^^ BANG! WE NOW HAVE A DIFFERENT 69.pem PRODUCT CERT INSTALLED


[root@dell-pem905-01 ~]# diff /etc/pki/product/69.pem /tmp/69.pem | wc -l
44

^^ YUP - THESE 69.pem PRODUCT CERTS ARE DEFINITELY DIFFERENT

[root@dell-pem905-01 ~]# openssl x509 -text -in /etc/pki/product/69.pem | grep Validity -A2
        Validity
            Not Before: Apr 27 19:37:13 2011 GMT
            Not After : Apr 22 19:37:13 2031 GMT
[root@dell-pem905-01 ~]# openssl x509 -text -in /tmp/69.pem | grep Validity -A2
        Validity
            Not Before: Jul 28 13:59:26 2011 GMT
            Not After : Jul 23 13:59:26 2031 GMT
[root@dell-pem905-01 ~]# 

^^^ THE ORIGINAL 69.pem PRODUCT CERT LAID DOWN DURING THE PROVISIONING OF THE SYSTEM IS NEWER

Comment 2 James Bowes 2011-10-07 12:44:55 UTC
From my quick check, the intention of the code seems to be to keep whichever version of the cert is already on the system, which is not happening here at all. This definitely needs work (and probably should take the newest version).
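
The replacement policy discussed in the description and in Comment 2, written out as an added example; it is not subscription-manager's code and not part of the original report. The function names, the dict layout and the "review" outcome are assumptions; the version strings, tags and Not Before dates are transcribed from the terminal output in the description.

```python
import re
from datetime import datetime

def version_key(version):
    """Sortable key for '6.1' or '6.2 Beta'; a pre-release sorts below its final."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)\s*(.*)$", version)
    if not m:
        raise ValueError("unparseable product version: %r" % version)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    is_final = 0 if m.group(2).strip() else 1   # any suffix such as 'Beta' gives 0
    return numbers, is_final

def parse_not_before(text):
    """Parse the 'Not Before' form printed by `openssl x509 -text`."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")

def is_newer(candidate, installed):
    """Compare by product version first, then by issue date as a tie-breaker."""
    new, old = version_key(candidate["version"]), version_key(installed["version"])
    if new != old:
        return new > old
    return parse_not_before(candidate["not_before"]) > parse_not_before(installed["not_before"])

def decide(installed, candidate):
    """Return (action, reason) where action is 'keep', 'replace' or 'review'."""
    if not is_newer(candidate, installed):
        return "keep", "candidate is not newer than the installed cert"
    if set(candidate["tags"].split(",")) != set(installed["tags"].split(",")):
        # Tags live in OID 1.3.6.1.4.1.2312.9.1.<product_hash>.4 and gate content access.
        return "review", "newer cert changes the tags, which can change content access"
    return "replace", "candidate is newer and carries the same tags"

# Values transcribed from the report: the cert laid down at provisioning time ...
INSTALLED = {"version": "6.2 Beta", "tags": "rhel-6,rhel-6-server",
             "not_before": "Jul 28 13:59:26 2011 GMT"}
# ... and the cert delivered by the subscribed repo's productid metadata.
FROM_REPO = {"version": "6.1", "tags": "rhel-6,rhel-6-server",
             "not_before": "Apr 27 19:37:13 2011 GMT"}

if __name__ == "__main__":
    print(decide(INSTALLED, FROM_REPO))
```

Applied to the two 69.pem certs in this report, the policy keeps the installed "6.2 Beta" cert instead of overwriting it with the "6.1" cert from the repo.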

Comment 14 Bryan Kearney 2012-03-01 18:31:26 UTC
moving to 6.4

Comment 16 RHEL Program Management 2012-07-10 08:49:01 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 17 RHEL Program Management 2012-07-11 02:08:01 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 18 RHEL Program Management 2012-12-14 08:48:26 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 19 John Sefler 2013-06-20 13:55:26 UTC
sounds similar to bug 919275

Comment 22 John Sefler 2013-10-18 16:18:43 UTC
Closing this bug in favor of fixed bug 919275.

*** This bug has been marked as a duplicate of bug 919275 ***

