Bug 844069 - subscription-manager register with --force is failing when the current identity cert is bad
subscription-manager register with --force is failing when the current identi...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager (Show other bugs)
5.9
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Devan Goodwin
Entitlement Bugs
: Regression
Depends On:
Blocks: 771748
  Show dependency treegraph
 
Reported: 2012-07-28 11:22 EDT by John Sefler
Modified: 2013-01-07 22:58 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 22:58:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Sefler 2012-07-28 11:22:05 EDT
Description of problem:
The following scenario has regressed from rhel58/rhel63 behavior:
1. register
2. remember your consumerid
3. screw up your identity cert
4. register with the consumerid and --force
Currently getting stuck on this last step with an "Error loading certificate"

Version-Release number of selected component (if applicable):
[root@jsefler-rhel59 ~]# rpm -q subscription-manager python-rhsm
subscription-manager-1.0.11-1.git.3.b3c4a8b.el5
python-rhsm-1.0.4-1.git.6.19a55da.el5


How reproducible:


Steps to Reproduce:
[root@jsefler-rhel59 ~]# subscription-manager register --username testuser1 --password password --org admin
The system has been registered with id: 000d7504-b2c8-483b-a82c-82699c424a40 

[root@jsefler-rhel59 ~]# openssl x509 -noout -text -in /etc/pki/consumer/cert.pem > /tmp/stdout; mv -f /tmp/stdout /etc/pki/consumer/cert.pem

[root@jsefler-rhel59 ~]# subscription-manager register --username=testuser1 --password=password --consumerid=000d7504-b2c8-483b-a82c-82699c424a40 --force
Error loading certificate
^^^^^^^^^^^^^^^^^^^^^^^^^
EXPECTED THE --force OPTION TO BE A LITTLE MORE FORECFUL.
THIS SCENARIO SUCCESSUFULLY REGISTERED TO THE SPECIFIED CONSUMERID IN PAST RELEASES AND IS THEREFORE A REGRESSION.

HOWEVER, USING clean IS A SIMPLE WORKAROUND AND MAY IN FACT BE THE PREFERED SOLUTION.  NEED MORE OPINIONS ON THIS.


[root@jsefler-rhel59 ~]# subscription-manager clean
All local data removed
[root@jsefler-rhel59 ~]# subscription-manager register --username=testuser1 --password=password --consumerid=000d7504-b2c8-483b-a82c-82699c424a40 --force
The system has been registered with id: 000d7504-b2c8-483b-a82c-82699c424a40 
[root@jsefler-rhel59 ~]# 

^^^ THIS WORKAROUND WORKED EXACTLY AS EXPECTED.


  

Additional info:
[root@jsefler-rhel59 ~]# tail -f /var/log/rhsm/rhsm.log
2012-07-28 11:15:57,832 [INFO]  @connection.py:492 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/rhsm/ca/, insecure = False
2012-07-28 11:15:57,833 [INFO]  @connection.py:505 - Connection Built: host: jsefler-f14-candlepin.usersys.redhat.com, port: 8443, handler: /candlepin
2012-07-28 11:15:57,833 [DEBUG]  @profile.py:95 - Loading current RPM profile.
2012-07-28 11:15:58,070 [DEBUG]  @connection.py:317 - Loading CA PEM certificates from: /etc/rhsm/ca/
2012-07-28 11:15:58,071 [DEBUG]  @connection.py:299 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2012-07-28 11:15:58,072 [DEBUG]  @connection.py:299 - Loading CA certificate: '/etc/rhsm/ca/jsefler-f14-candlepin.pem'
2012-07-28 11:15:58,072 [DEBUG]  @connection.py:299 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2012-07-28 11:15:58,185 [DEBUG]  @managercli.py:397 - Versions: {'subscription manager': '1.0.11-1.git.3.b3c4a8b.el5', 'server-type': 'subscription management service', 'python-rhsm': '1.0.4-1.git.6.19a55da.el5', 'candlepin': 'Unknown'} 
2012-07-28 11:15:58,186 [ERROR]  @managercli.py:114 - exception caught in subscription-manager
2012-07-28 11:15:58,186 [ERROR]  @managercli.py:115 - Error loading certificate
Traceback (most recent call last):
  File "/usr/sbin/subscription-manager", line 78, in ?
    sys.exit(abs(main() or 0))
  File "/usr/sbin/subscription-manager", line 69, in main
    return managercli.CLI().main()
  File "/usr/share/rhsm/subscription_manager/managercli.py", line 1957, in main
    return cmd.main()
  File "/usr/share/rhsm/subscription_manager/managercli.py", line 401, in main
    return_code = self._do_command()
  File "/usr/share/rhsm/subscription_manager/managercli.py", line 871, in _do_command
    if ConsumerIdentity.existsAndValid():
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 364, in existsAndValid
    cls.read()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 352, in read
    return ConsumerIdentity(key, cert)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 376, in __init__
    self.x509 = create_from_pem(certstring)
  File "/usr/lib64/python2.4/site-packages/rhsm/certificate.py", line 64, in create_from_pem
    return _CertFactory().create_from_pem(pem)
  File "/usr/lib64/python2.4/site-packages/rhsm/certificate2.py", line 69, in create_from_pem
    return self._read_x509(_certificate.load(pem=pem), path)
  File "/usr/lib64/python2.4/site-packages/rhsm/certificate2.py", line 73, in _read_x509
    raise CertificateException("Error loading certificate")
CertificateException: Error loading certificate
Comment 1 RHEL Product and Program Management 2012-07-28 11:28:05 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Devan Goodwin 2012-08-01 15:27:53 EDT
Borderline scenario, but you're right, it worked better in 6.3 so we'll restore it.

Fixed in subscription-manager.git master: dfe3008b4b49b168e9387a3e4491621e31e423c4

Will appear in 1.0.12.
Comment 6 spandey 2012-08-23 12:25:02 EDT
verified using following rpm 



subscription-manager-gui-1.0.14-1.git.20.7e3f72a.el5
subscription-manager-migration-data-1.11.2.3-1.git.0.861f9ba.el5
subscription-manager-firstboot-1.0.14-1.git.20.7e3f72a.el5
subscription-manager-migration-1.0.14-1.git.20.7e3f72a.el5
subscription-manager-1.0.14-1.git.20.7e3f72a.el5





[root@localhost ~]# subscription-manager identity
Current identity is: 2924d660-988d-4f36-b62c-0836eb5fc0ae
name: localhost.localdomain
org name: Admin Owner
org id: 8ac141cc395432790139543296d000a5
[root@localhost ~]#  openssl x509 -noout -text -in /etc/pki/consumer/cert.pem > /tmp/stdout; mv -f /tmp/stdout /etc/pki/consumer/cert.pem
[root@localhost ~]# 
[root@localhost ~]# 
[root@localhost ~]# sub
sub2po                    subscription-manager      subscription-manager-gui
[root@localhost ~]# subscription-manager register --consumerid 2924d660-988d-4f36-b62c-0836eb5fc0ae --username testuser1 --password password --force
The system has been registered with id: 2924d660-988d-4f36-b62c-0836eb5fc0ae 

successfully registered using force option 

Working fine resolving defect  as verified
Comment 8 errata-xmlrpc 2013-01-07 22:58:03 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0033.html

Note You need to log in before you can comment on or make changes to this bug.