Bug 852706 - System is not unregistered after being deleted from candlepin server
System is not unregistered after being deleted from candlepin server
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager (Show other bugs)
Unspecified Unspecified
unspecified Severity medium
: rc
: ---
Assigned To: Adrian Likins
Entitlement Bugs
: 853857 (view as bug list)
Depends On:
Blocks: 771748
  Show dependency treegraph
Reported: 2012-08-29 07:04 EDT by lzhuang
Modified: 2013-01-07 23:01 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When a consumer has been deleted on a candlepin server. Consequence: The client is left in an inconsistent state with old consumer and entitlement certificates that are no longer valid. Fix: Result: Now the rhsmcert daemon recognizes this inconsistent state, cleans the old entitlements, makes a backup of the old consumer certificate, and allows the client to register with --force.
Story Points: ---
Clone Of:
Last Closed: 2013-01-07 23:01:24 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Comment 1 RHEL Product and Program Management 2012-08-29 08:07:41 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 2 William Poteat 2012-09-14 11:32:41 EDT
*** Bug 853857 has been marked as a duplicate of this bug. ***
Comment 3 Adrian Likins 2012-09-26 13:36:32 EDT
commit 476d17a29088e9cc9d6a5094bd2cd586f3f49c44
Author: Adrian Likins <alikins@redhat.com>
Date:   Wed Sep 5 11:40:07 2012 -0400

    Add test cases for certmgr.py (and make certlib testable)
    852706 needed tests cases, and there was almost
    no coverage of certmgr.py
    The various *Lib and *Action classes create a ActionLock()
    during at class parse time (ie, before the init runs) so
    we can't really mock out ActionLock. So change certlib
    to pass in it's own lock to it's invocation of CertLib.
    Note: Those ActionLock() invocations need to go away, or
    at least, lock should be a class attribute populated with
    a ActionLock(), at least that way we would have a reference to

commit 69be79cdb26a2a1a2b4ea792d27c1a851af9f2fb
Author: Adrian Likins <alikins@redhat.com>
Date:   Wed Sep 5 11:37:55 2012 -0400

    852706: Fix server side certs not being deleted client side
    On a candlepin side consumer cert deletion, we return a
    410/GoneException, which certmgr was catching and swallowing.
    Let that exception bubble up so we handle the GoneException
Comment 5 John Sefler 2012-10-18 14:34:55 EDT
Verifying Version...
[root@jsefler-rhel59 ~]# rpm -q subscription-manager python-rhsm

[root@jsefler-rhel59 ~]# subscription-manager register --username=testuser1 --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
The system has been registered with id: 37da6f5a-43ed-4940-9f07-fd86563ca009 
[root@jsefler-rhel59 ~]# subscription-manager list --avail | grep "Pool Id" | head -2
Pool Id:              	8a90f81d3a713d64013a7384365e7973
Pool Id:              	8a90f81d3a713d64013a713faa5704cc
[root@jsefler-rhel59 ~]# subscription-manager subscribe --pool 8a90f81d3a713d64013a7384365e7973 --pool 8a90f81d3a713d64013a713faa5704cc
Successfully consumed a subscription for: The "Ultimate SLA" service level subscription
Successfully consumed a subscription for: Shared File System
[root@jsefler-rhel59 ~]# subscription-manager identity
Current identity is: 37da6f5a-43ed-4940-9f07-fd86563ca009
name: jsefler-rhel59.usersys.redhat.com
org name: Admin Owner
org id: admin
[root@jsefler-rhel59 ~]# ls -l /etc/pki/entitlement/
total 32
-rw------- 1 root root 1679 Oct 18 13:58 5867571267558982210-key.pem
-rw-r--r-- 1 root root 1944 Oct 18 13:58 5867571267558982210.pem
-rw------- 1 root root 1679 Oct 18 13:58 7098429472854166482-key.pem
-rw-r--r-- 1 root root 1956 Oct 18 13:58 7098429472854166482.pem
[root@jsefler-rhel59 ~]#  curl --stderr /dev/null --insecure --user admin:*** --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/37da6f5a-43ed-4940-9f07-fd86563ca009
[root@jsefler-rhel59 ~]# subscription-manager identity
Consumer 37da6f5a-43ed-4940-9f07-fd86563ca009 has been deleted
[root@jsefler-rhel59 ~]# service rhsmcertd restart
Stopping rhsmcertd...                                      [  OK  ]
Starting rhsmcertd...                                      [  OK  ]
[root@jsefler-rhel59 ~]# subscription-manager identity
Consumer 37da6f5a-43ed-4940-9f07-fd86563ca009 has been deleted
[root@jsefler-rhel59 ~]# 
[root@jsefler-rhel59 ~]# 

IMPORTANT: Notice that immediately after we restarted rhsmcertd above, subscription-manager identity continues to report that the consumer has been deleted.  Due to a change in bug 818978, we must now wait 2 minutes for rhsmcertd to trigger the first cert check.  Waiting 2 minutes...

[root@jsefler-rhel59 ~]# 
[root@jsefler-rhel59 ~]# 
[root@jsefler-rhel59 ~]# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.
[root@jsefler-rhel59 ~]# ls /etc/pki/consumer
ls: /etc/pki/consumer: No such file or directory
[root@jsefler-rhel59 ~]# ls /etc/pki/consumer.old/
cert.pem  key.pem
[root@jsefler-rhel59 ~]# ls /etc/pki/entitlement/
[root@jsefler-rhel59 ~]# 

VERIFIED: After restarting rhsmcertd and waiting 2 minutes, rhsmcertd handles a GoneException and then moves /etc/pki/consumer to /etc/pki/consumer.old/ and the /etc/pki/entitlement/ is emptied.
Comment 7 errata-xmlrpc 2013-01-07 23:01:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.