Description of problem: The entitlement certs can't be removed after unregistering via SAM webUI. Version-Release number of selected component (if applicable): subscription-manager-firstboot-1.0.17-1.el5 subscription-manager-1.0.17-1.el5 subscription-manager-gui-1.0.17-1.el5 python-rhsm-1.0.6-1.el5 candlepin-0.6.5-1.el6_2.noarch katello-candlepin-cert-key-pair-1.0-1.noarch How reproducible: 100% Steps to Reproduce: 1. register the host to sam server and consume one subscription #subscription-manager register #subscription-manager subscribe --pool=$poolid 2.check the entilement cert in the host #ls /etc/pki/entitlement 3441464648497984340-key.pem 3441464648497984340.pem 3.unregister the host via SAM webUI the host has been unregistered successfully. 4.check the identity of the host #subscription-manager identity Consumer f1971222-92bb-4ef2-80ac-467ecbbca407 has been deleted 5.refresh the data in the host #subscription-manager refresh Consumer f1971222-92bb-4ef2-80ac-467ecbbca407 has been deleted 6.check the entitlement cert in the host #ls /etc/pki/entitlement 3441464648497984340-key.pem 3441464648497984340.pem Actual results: The entitlement certs can't be removed after unregistering via SAM webUI. Expected results: For step6, there are no entitlement cert desplayed in the terminal. Additional info:
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
this sou *** This bug has been marked as a duplicate of bug 853876 ***
bug 853876 focus on whether re-registering with the --force option can be complished without error info. For this bug, the re-register behavior do complish.Howerver, the entitlment certs in the directory "/etc/pki/entitlement" can not be removed.
The bug fix for 853876 is the same bug fix as this, it just presents different in this scenario. commit b749cadd02ea7dc924d160cf9d161ac20b0821fd Author: Michael Stead <mstead> Date: Fri Sep 21 14:53:06 2012 -0300 853876: No need to check for GoneException when getting status All commands were checking the server version before executing. When we were registering with the --force command it would fail because the user didn't exist on the server and the client was raising the GoneException.
Testing Version... [root@jsefler-rhel59 ~]# subscription-manager version registered to: 0.7.16-1 server type: subscription management service subscription-manager: 1.0.23-1.el5 python-rhsm: 1.0.10-1.el5 [root@jsefler-rhel59 ~]# subscription-manager register --username=testuser1 --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin Password: The system has been registered with id: a4de228e-f4ce-47b6-be91-b22506123390 [root@jsefler-rhel59 ~]# subscription-manager list --avail | grep "Pool Id" | tail -3 Pool Id: 8a90f81d3a713d64013a72705b5652aa Pool Id: 8a90f81d3a713d64013a7270b97652bf Pool Id: 8a90f81d3a713d64013a738461997984 [root@jsefler-rhel59 ~]# subscription-manager subscribe --pool 8a90f81d3a713d64013a738461997984 --pool 8a90f81d3a713d64013a7270b97652bf --pool 8a90f81d3a713d64013a72705b5652aa Successfully consumed a subscription for: The "ultimate sla" service level subscription Successfully consumed a subscription for: Awesome OS for systems with sockets value=null Successfully consumed a subscription for: Awesome OS for systems with no sockets [root@jsefler-rhel59 ~]# ls -l /etc/pki/entitlement/ total 48 -rw------- 1 root root 1675 Oct 18 12:23 1769584877549043039-key.pem -rw-r--r-- 1 root root 1936 Oct 18 12:23 1769584877549043039.pem -rw------- 1 root root 1675 Oct 18 12:23 4343595000585551809-key.pem -rw-r--r-- 1 root root 2001 Oct 18 12:23 4343595000585551809.pem -rw------- 1 root root 1675 Oct 18 12:23 6264725626914672549-key.pem -rw-r--r-- 1 root root 1985 Oct 18 12:23 6264725626914672549.pem [root@jsefler-rhel59 ~]# curl --stderr /dev/null --insecure --user admin:*** --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/a4de228e-f4ce-47b6-be91-b22506123390 [root@jsefler-rhel59 ~]# subscription-manager identity Consumer a4de228e-f4ce-47b6-be91-b22506123390 has been deleted [root@jsefler-rhel59 ~]# ls -l /etc/pki/entitlement/ total 48 -rw------- 1 root root 1675 Oct 18 12:23 1769584877549043039-key.pem -rw-r--r-- 1 root root 1936 Oct 18 12:23 1769584877549043039.pem -rw------- 1 root root 1675 Oct 18 12:23 4343595000585551809-key.pem -rw-r--r-- 1 root root 2001 Oct 18 12:23 4343595000585551809.pem -rw------- 1 root root 1675 Oct 18 12:23 6264725626914672549-key.pem -rw-r--r-- 1 root root 1985 Oct 18 12:23 6264725626914672549.pem [root@jsefler-rhel59 ~]# subscription-manager refresh Consumer a4de228e-f4ce-47b6-be91-b22506123390 has been deleted [root@jsefler-rhel59 ~]# ls -l /etc/pki/entitlement/ total 48 -rw------- 1 root root 1675 Oct 18 12:23 1769584877549043039-key.pem -rw-r--r-- 1 root root 1936 Oct 18 12:23 1769584877549043039.pem -rw------- 1 root root 1675 Oct 18 12:23 4343595000585551809-key.pem -rw-r--r-- 1 root root 2001 Oct 18 12:23 4343595000585551809.pem -rw------- 1 root root 1675 Oct 18 12:23 6264725626914672549-key.pem -rw-r--r-- 1 root root 1985 Oct 18 12:23 6264725626914672549.pem I DO NOT SEE A CHANGE IN THE ORIGINAL COMMENT 0 BEHAVIOR. THE ALREADY EXISTING ENTITLEMENTS REMAIN ON THE SYSTEM DESPITE THE INFORMATION FROM THE SERVER THAT THE CURRENT CONSUMER HAS BEEN DELETED. IN MY OPINION, THIS IS THE CORRECT BEHAVIOR AND THIS BUG SHOULD BE CLOSED WONTFIX. SINCE THE SYSTEM HAS BEEN DELETED ON THE SERVER, THE ENTITLEMENTS FOR THIS CONSUMER WILL BE ADDED TO THE CERTIFICATE REVOCATION LIST WHICH IS UPDATED ONCE PER DAY (I THINK). THAT MEANS THIS CONSUMING SYSTEM WILL CONTINUE TO GET UPDATES USING THE ENTITLEMENTS STILL ON THE SYSTEM FOR ONE DAY LONGER THAN NORMAL. THIS ERRS IN FAVOR OF THE CONSUMER. IF THE DELETED CONSUMER MESSAGE WAS ERRONEOUSLY SENT BY THE SERVER OR ERRONEOUSLY INTERPRETED BY THE CONSUMER, THEN TAKING AWAY THE ENTITLEMENTS AS SUGGESTED IN THE EXPECTED RESULTS OF COMMENT 0 WOULD MAKE THE CONSUMER VERY ANGRY. NEEDINFO BEFORE I WILL CHANGE THIS BUG STATUS.
To achieve the desired removal of the entitlements after a consumer has been deleted server-side, the client system should simply wait for the next trigger of the rhsmcertd.certFrequency (default is 4 hours) or manually restart the rhsmcertd and wait 2 minutes as demonstrated in https://bugzilla.redhat.com/show_bug.cgi?id=852706#c5.
I suggest we either: * return the bug as a CLOSED WONTFIX * return as a dup of bug 852706 * tell the bug reporter to change the test scenario to wait for the next rhsmcertd.certFrequency trigger and mark this bug VERIFIED by https://bugzilla.redhat.com/show_bug.cgi?id=852706#c5
Agree with the last few previous comments, closing wontfix. This behaviour is as expected.