Bug 859811 - Remove the entitlement certs failed after unregistering via SAM webUI
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: candlepin-bugs
QA Contact: Entitlement Bugs
Keywords: Reopened
Depends On:
Blocks: 771748
Reported: 2012-09-24 02:01 EDT by ndong
Modified: 2013-03-13 02:31 EDT

Doc Type: Bug Fix
Doc Text:
Cause: When a consumer has been deleted on a candlepin server.
Consequence: The client is left in an inconsistent state with old consumer and entitlement certificates that are no longer valid.
Fix:
Result: Now the rhsmcert daemon recognizes this inconsistent state, cleans the old entitlements, makes a backup of the old consumer certificate, and allows the client to register with --force.
Last Closed: 2012-10-23 09:28:05 EDT
Type: Bug
Description ndong 2012-09-24 02:01:50 EDT
Description of problem:
The entitlement certs can't be removed after unregistering via SAM webUI.

Version-Release number of selected component (if applicable):
subscription-manager-firstboot-1.0.17-1.el5
subscription-manager-1.0.17-1.el5
subscription-manager-gui-1.0.17-1.el5
python-rhsm-1.0.6-1.el5
candlepin-0.6.5-1.el6_2.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch

How reproducible:
100%

Steps to Reproduce:
1. register the host to sam server and consume one subscription
#subscription-manager register
#subscription-manager subscribe --pool=$poolid

2. check the entitlement cert in the host
#ls /etc/pki/entitlement
3441464648497984340-key.pem
3441464648497984340.pem

3. unregister the host via SAM webUI
the host has been unregistered successfully.

4. check the identity of the host
#subscription-manager identity
Consumer f1971222-92bb-4ef2-80ac-467ecbbca407 has been deleted

5. refresh the data in the host
#subscription-manager refresh
Consumer f1971222-92bb-4ef2-80ac-467ecbbca407 has been deleted

6. check the entitlement cert in the host
#ls /etc/pki/entitlement
3441464648497984340-key.pem
3441464648497984340.pem      
  
Actual results:
The entitlement certs can't be removed after unregistering via SAM webUI.

Expected results:
For step 6, no entitlement certs are displayed in the terminal.

Additional info:
Comment 1 RHEL Product and Program Management 2012-09-24 02:06:42 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 2 Adrian Likins 2012-09-26 13:39:14 EDT
this sou

*** This bug has been marked as a duplicate of bug 853876 ***
Comment 3 ndong 2012-09-27 23:21:42 EDT
Bug 853876 focuses on whether re-registering with the --force option can be accomplished without error info. For this bug, the re-register is accomplished. However, the entitlement certs in the directory "/etc/pki/entitlement" cannot be removed.
Comment 5 Adrian Likins 2012-10-03 17:51:35 EDT
The bug fix for 853876 is the same bug fix as this,
it just presents differently in this scenario.


commit b749cadd02ea7dc924d160cf9d161ac20b0821fd
Author: Michael Stead <mstead@redhat.com>
Date:   Fri Sep 21 14:53:06 2012 -0300

    853876: No need to check for GoneException when getting status
    
    All commands were checking the server version before executing.
    When we were registering with the --force command it would fail
    because the user didn't exist on the server and the client was
    raising the GoneException.
Comment 7 John Sefler 2012-10-18 13:31:27 EDT
Testing Version...
[root@jsefler-rhel59 ~]# subscription-manager version
registered to: 0.7.16-1
server type: subscription management service
subscription-manager: 1.0.23-1.el5
python-rhsm: 1.0.10-1.el5



[root@jsefler-rhel59 ~]# subscription-manager register --username=testuser1 --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Password: 
The system has been registered with id: a4de228e-f4ce-47b6-be91-b22506123390 

[root@jsefler-rhel59 ~]# subscription-manager list --avail | grep "Pool Id" | tail -3
Pool Id:              	8a90f81d3a713d64013a72705b5652aa
Pool Id:              	8a90f81d3a713d64013a7270b97652bf
Pool Id:              	8a90f81d3a713d64013a738461997984

[root@jsefler-rhel59 ~]# subscription-manager subscribe --pool 8a90f81d3a713d64013a738461997984 --pool 8a90f81d3a713d64013a7270b97652bf --pool 8a90f81d3a713d64013a72705b5652aa
Successfully consumed a subscription for: The "ultimate sla" service level subscription
Successfully consumed a subscription for: Awesome OS for systems with sockets value=null
Successfully consumed a subscription for: Awesome OS for systems with no sockets

[root@jsefler-rhel59 ~]# ls -l /etc/pki/entitlement/
total 48
-rw------- 1 root root 1675 Oct 18 12:23 1769584877549043039-key.pem
-rw-r--r-- 1 root root 1936 Oct 18 12:23 1769584877549043039.pem
-rw------- 1 root root 1675 Oct 18 12:23 4343595000585551809-key.pem
-rw-r--r-- 1 root root 2001 Oct 18 12:23 4343595000585551809.pem
-rw------- 1 root root 1675 Oct 18 12:23 6264725626914672549-key.pem
-rw-r--r-- 1 root root 1985 Oct 18 12:23 6264725626914672549.pem

[root@jsefler-rhel59 ~]#  curl --stderr /dev/null --insecure --user admin:*** --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/a4de228e-f4ce-47b6-be91-b22506123390

[root@jsefler-rhel59 ~]# subscription-manager identity
Consumer a4de228e-f4ce-47b6-be91-b22506123390 has been deleted

[root@jsefler-rhel59 ~]# ls -l /etc/pki/entitlement/
total 48
-rw------- 1 root root 1675 Oct 18 12:23 1769584877549043039-key.pem
-rw-r--r-- 1 root root 1936 Oct 18 12:23 1769584877549043039.pem
-rw------- 1 root root 1675 Oct 18 12:23 4343595000585551809-key.pem
-rw-r--r-- 1 root root 2001 Oct 18 12:23 4343595000585551809.pem
-rw------- 1 root root 1675 Oct 18 12:23 6264725626914672549-key.pem
-rw-r--r-- 1 root root 1985 Oct 18 12:23 6264725626914672549.pem

[root@jsefler-rhel59 ~]# subscription-manager refresh
Consumer a4de228e-f4ce-47b6-be91-b22506123390 has been deleted

[root@jsefler-rhel59 ~]# ls -l /etc/pki/entitlement/
total 48
-rw------- 1 root root 1675 Oct 18 12:23 1769584877549043039-key.pem
-rw-r--r-- 1 root root 1936 Oct 18 12:23 1769584877549043039.pem
-rw------- 1 root root 1675 Oct 18 12:23 4343595000585551809-key.pem
-rw-r--r-- 1 root root 2001 Oct 18 12:23 4343595000585551809.pem
-rw------- 1 root root 1675 Oct 18 12:23 6264725626914672549-key.pem
-rw-r--r-- 1 root root 1985 Oct 18 12:23 6264725626914672549.pem


I DO NOT SEE A CHANGE IN THE ORIGINAL COMMENT 0 BEHAVIOR. THE ALREADY EXISTING ENTITLEMENTS REMAIN ON THE SYSTEM DESPITE THE INFORMATION FROM THE SERVER THAT THE CURRENT CONSUMER HAS BEEN DELETED.

IN MY OPINION, THIS IS THE CORRECT BEHAVIOR AND THIS BUG SHOULD BE CLOSED WONTFIX.  SINCE THE SYSTEM HAS BEEN DELETED ON THE SERVER, THE ENTITLEMENTS FOR THIS CONSUMER WILL BE ADDED TO THE CERTIFICATE REVOCATION LIST WHICH IS UPDATED ONCE PER DAY (I THINK).  THAT MEANS THIS CONSUMING SYSTEM WILL CONTINUE TO GET UPDATES USING THE ENTITLEMENTS STILL ON THE SYSTEM FOR ONE DAY LONGER THAN NORMAL.  THIS ERRS IN FAVOR OF THE CONSUMER.  IF THE DELETED CONSUMER MESSAGE WAS ERRONEOUSLY SENT BY THE SERVER OR ERRONEOUSLY INTERPRETED BY THE CONSUMER, THEN TAKING AWAY THE ENTITLEMENTS AS SUGGESTED IN THE EXPECTED RESULTS OF COMMENT 0 WOULD MAKE THE CONSUMER VERY ANGRY.

NEEDINFO BEFORE I WILL CHANGE THIS BUG STATUS.
Comment 8 John Sefler 2012-10-18 14:53:01 EDT
To achieve the desired removal of the entitlements after a consumer has been deleted server-side, the client system should simply wait for the next trigger of the rhsmcertd.certFrequency (default is 4 hours) or manually restart the rhsmcertd and wait 2 minutes as demonstrated in https://bugzilla.redhat.com/show_bug.cgi?id=852706#c5.
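
The state described in Comments 7 and 8 (the server answers "Consumer <uuid> has been deleted" while certificates remain in /etc/pki/entitlement until rhsmcertd next runs) can be checked with a short script. This is an added example, not part of the original comments or of subscription-manager; the function names are hypothetical, and the message format and directory are taken from the transcripts above.

```shell
#!/bin/sh
# Added example: flag entitlement certs left on a client after the server
# deleted its consumer. Function names are hypothetical.

# Print the consumer UUID if the text contains the message quoted in this
# report ("Consumer <uuid> has been deleted"); return 1 otherwise.
deleted_consumer_id() {
    uuid=$(printf '%s\n' "$1" |
        sed -n 's/^Consumer \([0-9a-fA-F-]\{36\}\) has been deleted.*/\1/p' |
        head -n 1)
    [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# Print each entitlement serial found in DIR once; <serial>.pem and
# <serial>-key.pem both count, so a lone key or lone cert is still reported.
entitlement_serials() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        name=${f##*/}
        name=${name%.pem}
        printf '%s\n' "${name%-key}"
    done | sort -u
}

# check_entitlement_state IDENTITY_OUTPUT [DIR]
# Returns 0 when consistent, 1 when the consumer is gone but certs remain.
check_entitlement_state() {
    dir=${2:-/etc/pki/entitlement}
    if ! gone=$(deleted_consumer_id "$1"); then
        return 0    # server did not report the consumer as deleted
    fi
    serials=$(entitlement_serials "$dir")
    [ -n "$serials" ] || return 0    # already cleaned up
    echo "consumer $gone deleted server-side; entitlements remain in $dir:"
    for s in $serials; do
        echo "  serial $s"
    done
    return 1
}

# Typical call on a client:
#   check_entitlement_state "$(subscription-manager identity 2>&1)"
```

A non-zero exit that persists after rhsmcertd has been restarted and given time to run indicates the cleanup did not happen.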
Comment 9 John Sefler 2012-10-18 15:00:11 EDT
I suggest we either:
  * return the bug as a CLOSED WONTFIX
  * return as a dup of bug 852706
  * tell the bug reporter to change the test scenario to wait for the next rhsmcertd.certFrequency trigger and mark this bug VERIFIED by https://bugzilla.redhat.com/show_bug.cgi?id=852706#c5
Comment 10 Adrian Likins 2012-10-23 09:28:05 EDT
Agree with the last few previous comments, closing wontfix. This behaviour is as expected.
