Bug 865590 - cannot unsubscribe from an imported certV3 entitlement
cannot unsubscribe from an imported certV3 entitlement
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager (Show other bugs)
5.9
Unspecified Unspecified
unspecified Severity high
: rc
: ---
Assigned To: Devan Goodwin
IDM QE LIST
:
Depends On:
Blocks: 771748
  Show dependency treegraph
 
Reported: 2012-10-11 16:43 EDT by John Sefler
Modified: 2013-01-07 23:04 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 23:04:20 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0033 normal SHIPPED_LIVE subscription-manager bug fix and enhancement update 2013-01-08 03:38:27 EST

  None (edit)
Description John Sefler 2012-10-11 16:43:55 EDT
Description of problem:
While the client is unregistered, it should be able to import a certV3 certificate and then unsubscribe from it too.  The unsubscribe is failing.

Version-Release number of selected component (if applicable):
[root@jsefler-rhel59 ~]# rpm -q subscription-manager python-rhsm
subscription-manager-1.0.22-1.el5
python-rhsm-1.0.10-1.el5


How reproducible:


Steps to Reproduce:
[root@jsefler-rhel59 ~]# subscription-manager unregister
This system is currently not registered.
[root@jsefler-rhel59 ~]# subscription-manager import --certificate /tmp/certV3WithKeyForImport.pem 
Successfully imported certificate certV3WithKeyForImport.pem
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+

Subscription Name:    	Awesome OS for x86_64
Provides:             	Awesome OS for x86_64 Bits
SKU:                  	awesomeos-x86_64
Contract:             	66
Account:              	12331131231
Serial Number:        	8772024906544050094
Active:               	True
Quantity Used:        	2
Service Level:        	
Service Type:         	
Starts:               	10/09/2012
Ends:                 	10/09/2013

[root@jsefler-rhel59 ~]# subscription-manager unsubscribe --serial 8772024906544050094
                          <============== BANG! FAILS HERE
[root@jsefler-rhel59 ~]# echo $?
255
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+

Subscription Name:    	Awesome OS for x86_64
Provides:             	Awesome OS for x86_64 Bits
SKU:                  	awesomeos-x86_64
Contract:             	66
Account:              	12331131231
Serial Number:        	8772024906544050094
Active:               	True
Quantity Used:        	2
Service Level:        	
Service Type:         	
Starts:               	10/09/2012
Ends:                 	10/09/2013

[root@jsefler-rhel59 ~]# 

^^^ WRONG. STILL CONSUMING ENTITLEMENT EVEN THOUGH I UNSUBSCRIBED FROM IT




Additional Info:
[root@jsefler-rhel59 ~]# tail -f /var/log/rhsm/rhsm.log

2012-10-11 16:35:41,728 [DEBUG]  @profile.py:95 - Loading current RPM profile.
2012-10-11 16:35:41,965 [INFO]  @managercli.py:252 - Client Versions: {'python-rhsm': '1.0.10-1.el5', 'subscription-manager': '1.0.22-1.el5'} 
2012-10-11 16:35:41,967 [INFO]  @connection.py:498 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/rhsm/ca/, insecure = False
2012-10-11 16:35:41,967 [INFO]  @connection.py:511 - Connection Built: host: jsefler-f14-candlepin.usersys.redhat.com, port: 8443, handler: /candlepin
2012-10-11 16:35:41,968 [INFO]  @connection.py:508 - Using no auth
2012-10-11 16:35:41,968 [INFO]  @connection.py:511 - Connection Built: host: jsefler-f14-candlepin.usersys.redhat.com, port: 8443, handler: /candlepin
2012-10-11 16:35:41,969 [DEBUG]  @connection.py:323 - Loading CA PEM certificates from: /etc/rhsm/ca/
2012-10-11 16:35:41,969 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2012-10-11 16:35:41,970 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/jsefler-f14-candlepin.pem'
2012-10-11 16:35:41,970 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2012-10-11 16:35:41,970 [DEBUG]  @connection.py:344 - Making request: GET /candlepin/
2012-10-11 16:35:42,061 [DEBUG]  @connection.py:357 - Response status: 200
2012-10-11 16:35:42,062 [DEBUG]  @connection.py:528 - Server supports the following resources:
2012-10-11 16:35:42,063 [DEBUG]  @connection.py:529 - {'': '/', 'hypervisors': '/hypervisors', 'serials': '/serials', 'consumers': '/consumers', 'migrations': '/migrations', 'content': '/content', 'entitlements': '/entitlements', 'statistics/generate': '/statistics/generate', 'status': '/status', 'jobs': '/jobs', 'users': '/users', 'subscriptions': '/subscriptions', 'rules': '/rules', 'consumertypes': '/consumertypes', 'activation_keys': '/activation_keys', 'atom': '/atom', 'owners': '/owners', 'roles': '/roles', 'admin': '/admin', 'events': '/events', 'products': '/products', 'pools': '/pools', 'crl': '/crl'}
2012-10-11 16:35:42,065 [DEBUG]  @connection.py:323 - Loading CA PEM certificates from: /etc/rhsm/ca/
2012-10-11 16:35:42,066 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2012-10-11 16:35:42,068 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/jsefler-f14-candlepin.pem'
2012-10-11 16:35:42,069 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2012-10-11 16:35:42,070 [DEBUG]  @connection.py:344 - Making request: GET /candlepin/status
2012-10-11 16:35:42,092 [DEBUG]  @connection.py:357 - Response status: 200
2012-10-11 16:35:42,165 [DEBUG]  @connection.py:323 - Loading CA PEM certificates from: /etc/rhsm/ca/
2012-10-11 16:35:42,166 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2012-10-11 16:35:42,167 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/jsefler-f14-candlepin.pem'
2012-10-11 16:35:42,168 [DEBUG]  @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2012-10-11 16:35:42,170 [DEBUG]  @connection.py:344 - Making request: GET /candlepin/status
2012-10-11 16:35:42,192 [DEBUG]  @connection.py:357 - Response status: 200
2012-10-11 16:35:42,194 [INFO]  @managercli.py:263 - Server Versions: {'candlepin': '0.7.13-1', 'server-type': 'subscription management service'} 
2012-10-11 16:35:42,200 [ERROR]  @certlib.py:268 - [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2012-10-11 16:35:42,201 [ERROR]  @managercli.py:114 - exception caught in subscription-manager
2012-10-11 16:35:42,202 [ERROR]  @managercli.py:115 - 
Traceback (most recent call last):
  File "/usr/sbin/subscription-manager", line 78, in ?
    sys.exit(abs(main() or 0))
  File "/usr/sbin/subscription-manager", line 69, in main
    return managercli.ManagerCLI().main()
  File "/usr/share/rhsm/subscription_manager/cli.py", line 140, in main
    return cmd.main()
  File "/usr/share/rhsm/subscription_manager/managercli.py", line 423, in main
    return_code = self._do_command()
  File "/usr/share/rhsm/subscription_manager/managercli.py", line 1367, in _do_command
    self.certlib.update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 61, in update
    return self._do_update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 84, in _do_update
    return action.perform()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 219, in perform
    expected = self.getExpected(report)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 283, in getExpected
    exp = self.getCertificateSerialsList()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 276, in getCertificateSerialsList
    reply = self.uep.getCertificateSerials(self._getConsumerId())
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 269, in _getConsumerId
    raise Disconnected()
Disconnected
Comment 1 John Sefler 2012-10-11 16:45:39 EDT
HERE IS THE VALID CERTV3 THAT I USED....
[root@jsefler-rhel59 ~]# cat /tmp/certV3WithKeyForImport.pem 
-----BEGIN CERTIFICATE-----
MIID1DCCAz2gAwIBAgIIebx+LSNv764wDQYJKoZIhvcNAQEFBQAwUjExMC8GA1UE
AwwoanNlZmxlci1mMTQtY2FuZGxlcGluLnVzZXJzeXMucmVkaGF0LmNvbTELMAkG
A1UEBhMCVVMxEDAOBgNVBAcMB1JhbGVpZ2gwHhcNMTIxMDEwMDAwMDAwWhcNMTMx
MDEwMDAwMDAwWjArMSkwJwYDVQQDEyA4YTkwZjgxZDNhNGIwY2Q5MDEzYTRiMTIw
YTE3MGE3ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIq3iAw8d+Wd
sZwvoYvcV3zUU6rzfeHDbt4aXKJBHq7Kr7/mSL+syHQSWuHuvbANJXLiVGnj5G9C
anTZpemCcN5C8lalWv9ROrnY+MCT1EIv2Y6nKsT8Mo7elCWEwm0A+jWeQGfv/8gJ
PuJ/GWIZJphm6ZENYLobv2GdSk4MAwjXcLvhPBfQg9Wv3rX1AC4JQ0HE7GwbjI0q
e5VgiT+t4qgQGLMSAFdhofyGUlZ0f4agaVYRinDd3x1qC4mwtLQ2XuW02NZydugW
lDxfJfTRoszGtIDz1yC1ftU71sG+YPD3ea6PQrrhmg9T7Chg/miAR8Z2MCnRxMg2
hgVMXDl92Z8CAwEAAaOCAVQwggFQMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8E
BAMCBLAwgYIGA1UdIwR7MHmAFJZz2CWhNc5QFb5IxkRWnmZ9HoZOoVakVDBSMTEw
LwYDVQQDDChqc2VmbGVyLWYxNC1jYW5kbGVwaW4udXNlcnN5cy5yZWRoYXQuY29t
MQswCQYDVQQGEwJVUzEQMA4GA1UEBwwHUmFsZWlnaIIJAJpge88hXlHTMB0GA1Ud
DgQWBBSxk6DMVLjjn+fAyPve+mxvMHG/lDATBgNVHSUEDDAKBggrBgEFBQcDAjAS
BgkrBgEEAZIICQYEBQwDMy4wMGEGCSsGAQQBkggJBwRUBFJ42hXKwQmAMBAEwC0m
JUiwG1llJY/ohbtgtHv1O8w95yVP6IZTlxy7GVgHn0BaGaJvBY29ILmqPvkXh8IO
WeAFpiEVtwrlGOD6YKEuPgvrGC4AMA0GCSqGSIb3DQEBBQUAA4GBAEFYKl94OOqY
Mxw+jcIsedMgTLIqSTAw0JuekcMUJxZMvbZBMFFQgDJc2WqXE6dHLAXc3LoLM6Gi
zeQYK13G20sBuRwcSUaV+aAxFF15RjuJFFTDdr8UNaKr3FNa8vYwBU6/F7U3dC76
iKk44Wy8Ab+ptkHFnZbLhZkMjVZOkwhh
-----END CERTIFICATE-----
-----BEGIN ENTITLEMENT DATA-----
eJydUstu2zAQ/BWDyFGqSElWZN3aU24F2p5aBMaKXDuCJdIhqTiGkX/vUnZUG34k
qCzApGZnObPDHZNGu75DyypWl/VUSFSxyMtpnOeYx6W453GZKbVIMa1nHFjEnnvQ
vvFbVqURc33tpG3WvjGaVTvmVj11gg0606Fx8WtZzIucWBo6JOTrHpl8/zlZGDsZ
4Q1Y3eglqzJOTY1coXesErT2IFeEzBtFdMHeImasCnp3TPddPSgvYcYXpVAZ5DWX
asbFsEJQ95yLIjtRPR2aWk+8lIs0FpzeX5xXw/ubalGrPZhdAGlg3oIM9KKgPUhp
eh22Is0yITL6G2SurVG9DDb+7NhePT9+0g+mMvnWEDliL2jdMF2WfREinGjlU+NR
+t5i6M4OU3zci8MgZjyS6v12HQ7Z9t2/E6HdwNbFqKFuKfF3XsRaqLG9VfBC0zFh
6B6djw87cgv+iT4mC2OSsE72DZI7iy2CQ3JBVcv1ct7b9lIhQVTQoQcFHub4um4s
KU05f4vezQiR5tcMnV+50co5NJr4gWryAP7IwKDJm2RkJSPrMAxWLaB1eOLmnEVg
cslQVhw54lfc6DCvG+lcwz8bjj7kccPRae21eIrTeET2UTyXcvlcIHc1XaNw94/v
VHLc5P/zeKTfXy19meQ=
-----END ENTITLEMENT DATA-----
-----BEGIN RSA SIGNATURE-----
QbI3rT/9DeudfqGMVBS3U4KUrgl3iHU+tpho/hbX0LxHTFvrYFVBKeovr2m0q1GT
gMld9xd4LaNwcHhgyu295177KkU/a5bcR27mW0Pvkouq9ZnSuIbDRx43eG1UZOPR
zKi3DzFFMx4gSlVCrx7fpm3x68Rd+2O7zpY1UTAc5Nk=
-----END RSA SIGNATURE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAireIDDx35Z2xnC+hi9xXfNRTqvN94cNu3hpcokEersqvv+ZI
v6zIdBJa4e69sA0lcuJUaePkb0JqdNml6YJw3kLyVqVa/1E6udj4wJPUQi/Zjqcq
xPwyjt6UJYTCbQD6NZ5AZ+//yAk+4n8ZYhkmmGbpkQ1guhu/YZ1KTgwDCNdwu+E8
F9CD1a/etfUALglDQcTsbBuMjSp7lWCJP63iqBAYsxIAV2Gh/IZSVnR/hqBpVhGK
cN3fHWoLibC0tDZe5bTY1nJ26BaUPF8l9NGizMa0gPPXILV+1TvWwb5g8Pd5ro9C
uuGaD1PsKGD+aIBHxnYwKdHEyDaGBUxcOX3ZnwIDAQABAoIBAQCIYvMMtNddl7Jt
UhePn9EVFt48krMOKkzzaw/xJ/229enez9hvPL7KANICme0/D23mislcY4jSK4bn
5KbP9ERtA32p22Kg7YjD+aR6E976RHmvXIUcsKo09nrKeMGA0xkvZq0EhGAEmbKO
l1CptvjPlz/GMlUMJwQAQdow6naBVXHlMOo7XR3HE2mRVDwCzpCk8cU187EFC1IU
J95EfDIva5OxJ1r2Oabm65HYKmsuIBTpwnOxmswFCQ0x/ia1JPTnE/9UCxCkixIY
IF6AkYubXvllDsYKh4psWQnuR3htQlKqOC2yuQHNcWR5WXW+rwhk4DUnO82ZxZGs
4SeB14zBAoGBAPXz1sJd2BfoMy0wZCukMg3zEylU8r4zB+grd8cdo8e1b9WyIdr3
ruRSPUVs/OTu5JcPM6CWsvNhu8/daTJKynYlG5701gdR1qDNQJJUz5+UcGaDsx1x
oj7z7Jy77lueya5BOWwAoighrvtz9fKJW9NbNp3FmX9TafWW/wMuxm4HAoGBAJBi
Oi9N6L9wINo/010VhM/PDukvHtym19cpijmCorP4h98W42qPZxuNIU1aoZeqnbHJ
a4TcKP3Rjyv5yTL4yD95MYHOoHg7y5Czrrhc7bvpAt63FxOgPe5S/DcNvKt3WsjR
lcFz7poHgNu/oUnZTppyvzC5HBN4cQu9s7BnGVGpAoGBAI7m9DrOR8XsNf/lg+4P
Yr3UI6f6IWf9QnTU/K0GPajFdIsXCrCtBELIvaze3DkvzEUwofCGXscmW/c0T/DW
n7fxa5D59HkgRbH8T6419MRlfMEzeBh9c6VcGHgggSdepRPH9dMYsx7aI08aWyZm
RKIS9zLIIp1mG8SDzPtObCB1AoGALZqY/jABf9YOymC2hgQx+uFPuF9lxBP+wLsi
KaAVe/rYD6LPGe1Jh+4/wosJ1znQrUMNbt2LJQB31FAFONBTj5jcBkAZd2CLn5zh
ZuITRPMIMQhrhYtrhEc52rnACfic+CkawAu6JXSRQtd4PjchGK99rAoL0CqOqkK0
6tblrGECgYEA4trUS7ryfqgqDQLtS987diUCY0E2xgCIny+TFq71gDKfUr/nzGBY
Tqmx/5xPZ4NRor0DomcstzCn6dYWCefBAS9QwfdB04pLOBmljmsJ0J7Bd7p202Yd
UfNNc8N651DQnUSAy7+IMtbg66GMc8ZoZyrwyUA1CyRpng6YcjBk+Z0=
-----END RSA PRIVATE KEY-----
Comment 2 RHEL Product and Program Management 2012-10-11 16:48:23 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Devan Goodwin 2012-10-12 14:04:23 EDT
Introduced by the fix for bug #852630, I don't think it's specific to V3 either, it's just all offline unsubscribe is broken now. Going to have to go back and re-fix the other bug.
Comment 4 Devan Goodwin 2012-10-16 11:47:55 EDT
Fixed in subscription-manager.git 6b65e3d082c19f5ea555aa5e2beb7bb4d47b114f

Awood will cherry-pick for 5.9.
Comment 8 John Sefler 2012-10-16 18:35:36 EDT
Verifying Version...
[root@jsefler-rhel59 ~]# rpm -q subscription-manager
subscription-manager-1.0.23-1.el5


Case 1: unsubscribing from an imported certV3 entitlement...

[root@jsefler-rhel59 ~]# subscription-manager unregister
This system is currently not registered.
[root@jsefler-rhel59 ~]# subscription-manager import --certificate /tmp/certV3WithKeyForImport.pem
Successfully imported certificate certV3WithKeyForImport.pem
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+

Subscription Name:    	Awesome OS for x86_64
Provides:             	Awesome OS for x86_64 Bits
SKU:                  	awesomeos-x86_64
Contract:             	66
Account:              	12331131231
Serial Number:        	8772024906544050094
Active:               	True
Quantity Used:        	2
Service Level:        	
Service Type:         	
Starts:               	10/09/2012
Ends:                 	10/09/2013

[root@jsefler-rhel59 ~]# subscription-manager unsubscribe --serial 8772024906544050094
This machine has been unsubscribed from subscription with serial number 8772024906544050094
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
No consumed subscription pools to list



Case 2: simple off-line unsubscribe (no consumer cert)

[root@jsefler-rhel59 ~]# subscription-manager register --username admin --org Test_Org_1349760599 --env Dev --autosubscribe
Password: 
The system has been registered with id: 06ceb6dd-493d-4291-862d-e07ac9a92d34 
Installed Product Current Status:
Product Name:         	Red Hat Enterprise Linux Server
Status:               	Subscribed

[root@jsefler-rhel59 ~]# rm /etc/pki/consumer/*
rm: remove regular file `/etc/pki/consumer/cert.pem'? y
rm: remove regular file `/etc/pki/consumer/key.pem'? y
[root@jsefler-rhel59 ~]# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+

Subscription Name:    	Red Hat Enterprise Linux Server, Standard (1-2 sockets) (Up to 1 guest)
Provides:             	Red Hat Enterprise Linux Server
                      	Red Hat Beta
SKU:                  	RH0101594
Contract:             	3123702
Account:              	1615601
Serial Number:        	410660993383119996
Active:               	True
Quantity Used:        	1
Service Level:        	Standard
Service Type:         	L1-L3
Starts:               	07/17/2012
Ends:                 	07/16/2013

[root@jsefler-rhel59 ~]# subscription-manager unsubscribe --serial 410660993383119996
This machine has been unsubscribed from subscription with serial number 410660993383119996
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
No consumed subscription pools to list


VERIFIED: unsubscribing from an entitlement while system is in an unregistered state is working again
Comment 10 errata-xmlrpc 2013-01-07 23:04:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0033.html

Note You need to log in before you can comment on or make changes to this bug.