Bug 865590
| Summary: | cannot unsubscribe from an imported certV3 entitlement | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | John Sefler <jsefler> |
| Component: | subscription-manager | Assignee: | Devan Goodwin <dgoodwin> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 5.9 | CC: | awood, dgoodwin |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-01-08 04:04:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 771748 | ||
HERE IS THE VALID CERTV3 THAT I USED.... [root@jsefler-rhel59 ~]# cat /tmp/certV3WithKeyForImport.pem -----BEGIN CERTIFICATE----- MIID1DCCAz2gAwIBAgIIebx+LSNv764wDQYJKoZIhvcNAQEFBQAwUjExMC8GA1UE AwwoanNlZmxlci1mMTQtY2FuZGxlcGluLnVzZXJzeXMucmVkaGF0LmNvbTELMAkG A1UEBhMCVVMxEDAOBgNVBAcMB1JhbGVpZ2gwHhcNMTIxMDEwMDAwMDAwWhcNMTMx MDEwMDAwMDAwWjArMSkwJwYDVQQDEyA4YTkwZjgxZDNhNGIwY2Q5MDEzYTRiMTIw YTE3MGE3ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIq3iAw8d+Wd sZwvoYvcV3zUU6rzfeHDbt4aXKJBHq7Kr7/mSL+syHQSWuHuvbANJXLiVGnj5G9C anTZpemCcN5C8lalWv9ROrnY+MCT1EIv2Y6nKsT8Mo7elCWEwm0A+jWeQGfv/8gJ PuJ/GWIZJphm6ZENYLobv2GdSk4MAwjXcLvhPBfQg9Wv3rX1AC4JQ0HE7GwbjI0q e5VgiT+t4qgQGLMSAFdhofyGUlZ0f4agaVYRinDd3x1qC4mwtLQ2XuW02NZydugW lDxfJfTRoszGtIDz1yC1ftU71sG+YPD3ea6PQrrhmg9T7Chg/miAR8Z2MCnRxMg2 hgVMXDl92Z8CAwEAAaOCAVQwggFQMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8E BAMCBLAwgYIGA1UdIwR7MHmAFJZz2CWhNc5QFb5IxkRWnmZ9HoZOoVakVDBSMTEw LwYDVQQDDChqc2VmbGVyLWYxNC1jYW5kbGVwaW4udXNlcnN5cy5yZWRoYXQuY29t MQswCQYDVQQGEwJVUzEQMA4GA1UEBwwHUmFsZWlnaIIJAJpge88hXlHTMB0GA1Ud DgQWBBSxk6DMVLjjn+fAyPve+mxvMHG/lDATBgNVHSUEDDAKBggrBgEFBQcDAjAS BgkrBgEEAZIICQYEBQwDMy4wMGEGCSsGAQQBkggJBwRUBFJ42hXKwQmAMBAEwC0m JUiwG1llJY/ohbtgtHv1O8w95yVP6IZTlxy7GVgHn0BaGaJvBY29ILmqPvkXh8IO WeAFpiEVtwrlGOD6YKEuPgvrGC4AMA0GCSqGSIb3DQEBBQUAA4GBAEFYKl94OOqY Mxw+jcIsedMgTLIqSTAw0JuekcMUJxZMvbZBMFFQgDJc2WqXE6dHLAXc3LoLM6Gi zeQYK13G20sBuRwcSUaV+aAxFF15RjuJFFTDdr8UNaKr3FNa8vYwBU6/F7U3dC76 iKk44Wy8Ab+ptkHFnZbLhZkMjVZOkwhh -----END CERTIFICATE----- -----BEGIN ENTITLEMENT DATA----- eJydUstu2zAQ/BWDyFGqSElWZN3aU24F2p5aBMaKXDuCJdIhqTiGkX/vUnZUG34k qCzApGZnObPDHZNGu75DyypWl/VUSFSxyMtpnOeYx6W453GZKbVIMa1nHFjEnnvQ vvFbVqURc33tpG3WvjGaVTvmVj11gg0606Fx8WtZzIucWBo6JOTrHpl8/zlZGDsZ 4Q1Y3eglqzJOTY1coXesErT2IFeEzBtFdMHeImasCnp3TPddPSgvYcYXpVAZ5DWX asbFsEJQ95yLIjtRPR2aWk+8lIs0FpzeX5xXw/ubalGrPZhdAGlg3oIM9KKgPUhp eh22Is0yITL6G2SurVG9DDb+7NhePT9+0g+mMvnWEDliL2jdMF2WfREinGjlU+NR +t5i6M4OU3zci8MgZjyS6v12HQ7Z9t2/E6HdwNbFqKFuKfF3XsRaqLG9VfBC0zFh 6B6djw87cgv+iT4mC2OSsE72DZI7iy2CQ3JBVcv1ct7b9lIhQVTQoQcFHub4um4s KU05f4vezQiR5tcMnV+50co5NJr4gWryAP7IwKDJm2RkJSPrMAxWLaB1eOLmnEVg cslQVhw54lfc6DCvG+lcwz8bjj7kccPRae21eIrTeET2UTyXcvlcIHc1XaNw94/v VHLc5P/zeKTfXy19meQ= -----END ENTITLEMENT DATA----- -----BEGIN RSA SIGNATURE----- QbI3rT/9DeudfqGMVBS3U4KUrgl3iHU+tpho/hbX0LxHTFvrYFVBKeovr2m0q1GT gMld9xd4LaNwcHhgyu295177KkU/a5bcR27mW0Pvkouq9ZnSuIbDRx43eG1UZOPR zKi3DzFFMx4gSlVCrx7fpm3x68Rd+2O7zpY1UTAc5Nk= -----END RSA SIGNATURE----- -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEAireIDDx35Z2xnC+hi9xXfNRTqvN94cNu3hpcokEersqvv+ZI v6zIdBJa4e69sA0lcuJUaePkb0JqdNml6YJw3kLyVqVa/1E6udj4wJPUQi/Zjqcq xPwyjt6UJYTCbQD6NZ5AZ+//yAk+4n8ZYhkmmGbpkQ1guhu/YZ1KTgwDCNdwu+E8 F9CD1a/etfUALglDQcTsbBuMjSp7lWCJP63iqBAYsxIAV2Gh/IZSVnR/hqBpVhGK cN3fHWoLibC0tDZe5bTY1nJ26BaUPF8l9NGizMa0gPPXILV+1TvWwb5g8Pd5ro9C uuGaD1PsKGD+aIBHxnYwKdHEyDaGBUxcOX3ZnwIDAQABAoIBAQCIYvMMtNddl7Jt UhePn9EVFt48krMOKkzzaw/xJ/229enez9hvPL7KANICme0/D23mislcY4jSK4bn 5KbP9ERtA32p22Kg7YjD+aR6E976RHmvXIUcsKo09nrKeMGA0xkvZq0EhGAEmbKO l1CptvjPlz/GMlUMJwQAQdow6naBVXHlMOo7XR3HE2mRVDwCzpCk8cU187EFC1IU J95EfDIva5OxJ1r2Oabm65HYKmsuIBTpwnOxmswFCQ0x/ia1JPTnE/9UCxCkixIY IF6AkYubXvllDsYKh4psWQnuR3htQlKqOC2yuQHNcWR5WXW+rwhk4DUnO82ZxZGs 4SeB14zBAoGBAPXz1sJd2BfoMy0wZCukMg3zEylU8r4zB+grd8cdo8e1b9WyIdr3 ruRSPUVs/OTu5JcPM6CWsvNhu8/daTJKynYlG5701gdR1qDNQJJUz5+UcGaDsx1x oj7z7Jy77lueya5BOWwAoighrvtz9fKJW9NbNp3FmX9TafWW/wMuxm4HAoGBAJBi Oi9N6L9wINo/010VhM/PDukvHtym19cpijmCorP4h98W42qPZxuNIU1aoZeqnbHJ a4TcKP3Rjyv5yTL4yD95MYHOoHg7y5Czrrhc7bvpAt63FxOgPe5S/DcNvKt3WsjR lcFz7poHgNu/oUnZTppyvzC5HBN4cQu9s7BnGVGpAoGBAI7m9DrOR8XsNf/lg+4P Yr3UI6f6IWf9QnTU/K0GPajFdIsXCrCtBELIvaze3DkvzEUwofCGXscmW/c0T/DW n7fxa5D59HkgRbH8T6419MRlfMEzeBh9c6VcGHgggSdepRPH9dMYsx7aI08aWyZm RKIS9zLIIp1mG8SDzPtObCB1AoGALZqY/jABf9YOymC2hgQx+uFPuF9lxBP+wLsi KaAVe/rYD6LPGe1Jh+4/wosJ1znQrUMNbt2LJQB31FAFONBTj5jcBkAZd2CLn5zh ZuITRPMIMQhrhYtrhEc52rnACfic+CkawAu6JXSRQtd4PjchGK99rAoL0CqOqkK0 6tblrGECgYEA4trUS7ryfqgqDQLtS987diUCY0E2xgCIny+TFq71gDKfUr/nzGBY Tqmx/5xPZ4NRor0DomcstzCn6dYWCefBAS9QwfdB04pLOBmljmsJ0J7Bd7p202Yd UfNNc8N651DQnUSAy7+IMtbg66GMc8ZoZyrwyUA1CyRpng6YcjBk+Z0= -----END RSA PRIVATE KEY----- This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release. Introduced by the fix for bug #852630, I don't think it's specific to V3 either, it's just all offline unsubscribe is broken now. Going to have to go back and re-fix the other bug. Fixed in subscription-manager.git 6b65e3d082c19f5ea555aa5e2beb7bb4d47b114f Awood will cherry-pick for 5.9. Verifying Version...
[root@jsefler-rhel59 ~]# rpm -q subscription-manager
subscription-manager-1.0.23-1.el5
Case 1: unsubscribing from an imported certV3 entitlement...
[root@jsefler-rhel59 ~]# subscription-manager unregister
This system is currently not registered.
[root@jsefler-rhel59 ~]# subscription-manager import --certificate /tmp/certV3WithKeyForImport.pem
Successfully imported certificate certV3WithKeyForImport.pem
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Awesome OS for x86_64
Provides: Awesome OS for x86_64 Bits
SKU: awesomeos-x86_64
Contract: 66
Account: 12331131231
Serial Number: 8772024906544050094
Active: True
Quantity Used: 2
Service Level:
Service Type:
Starts: 10/09/2012
Ends: 10/09/2013
[root@jsefler-rhel59 ~]# subscription-manager unsubscribe --serial 8772024906544050094
This machine has been unsubscribed from subscription with serial number 8772024906544050094
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
No consumed subscription pools to list
Case 2: simple off-line unsubscribe (no consumer cert)
[root@jsefler-rhel59 ~]# subscription-manager register --username admin --org Test_Org_1349760599 --env Dev --autosubscribe
Password:
The system has been registered with id: 06ceb6dd-493d-4291-862d-e07ac9a92d34
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status: Subscribed
[root@jsefler-rhel59 ~]# rm /etc/pki/consumer/*
rm: remove regular file `/etc/pki/consumer/cert.pem'? y
rm: remove regular file `/etc/pki/consumer/key.pem'? y
[root@jsefler-rhel59 ~]# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Enterprise Linux Server, Standard (1-2 sockets) (Up to 1 guest)
Provides: Red Hat Enterprise Linux Server
Red Hat Beta
SKU: RH0101594
Contract: 3123702
Account: 1615601
Serial Number: 410660993383119996
Active: True
Quantity Used: 1
Service Level: Standard
Service Type: L1-L3
Starts: 07/17/2012
Ends: 07/16/2013
[root@jsefler-rhel59 ~]# subscription-manager unsubscribe --serial 410660993383119996
This machine has been unsubscribed from subscription with serial number 410660993383119996
[root@jsefler-rhel59 ~]# subscription-manager list --consumed
No consumed subscription pools to list
VERIFIED: unsubscribing from an entitlement while system is in an unregistered state is working again
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0033.html |
Description of problem: While the client is unregistered, it should be able to import a certV3 certificate and then unsubscribe from it too. The unsubscribe is failing. Version-Release number of selected component (if applicable): [root@jsefler-rhel59 ~]# rpm -q subscription-manager python-rhsm subscription-manager-1.0.22-1.el5 python-rhsm-1.0.10-1.el5 How reproducible: Steps to Reproduce: [root@jsefler-rhel59 ~]# subscription-manager unregister This system is currently not registered. [root@jsefler-rhel59 ~]# subscription-manager import --certificate /tmp/certV3WithKeyForImport.pem Successfully imported certificate certV3WithKeyForImport.pem [root@jsefler-rhel59 ~]# subscription-manager list --consumed +-------------------------------------------+ Consumed Subscriptions +-------------------------------------------+ Subscription Name: Awesome OS for x86_64 Provides: Awesome OS for x86_64 Bits SKU: awesomeos-x86_64 Contract: 66 Account: 12331131231 Serial Number: 8772024906544050094 Active: True Quantity Used: 2 Service Level: Service Type: Starts: 10/09/2012 Ends: 10/09/2013 [root@jsefler-rhel59 ~]# subscription-manager unsubscribe --serial 8772024906544050094 <============== BANG! FAILS HERE [root@jsefler-rhel59 ~]# echo $? 255 [root@jsefler-rhel59 ~]# subscription-manager list --consumed +-------------------------------------------+ Consumed Subscriptions +-------------------------------------------+ Subscription Name: Awesome OS for x86_64 Provides: Awesome OS for x86_64 Bits SKU: awesomeos-x86_64 Contract: 66 Account: 12331131231 Serial Number: 8772024906544050094 Active: True Quantity Used: 2 Service Level: Service Type: Starts: 10/09/2012 Ends: 10/09/2013 [root@jsefler-rhel59 ~]# ^^^ WRONG. STILL CONSUMING ENTITLEMENT EVEN THOUGH I UNSUBSCRIBED FROM IT Additional Info: [root@jsefler-rhel59 ~]# tail -f /var/log/rhsm/rhsm.log 2012-10-11 16:35:41,728 [DEBUG] @profile.py:95 - Loading current RPM profile. 2012-10-11 16:35:41,965 [INFO] @managercli.py:252 - Client Versions: {'python-rhsm': '1.0.10-1.el5', 'subscription-manager': '1.0.22-1.el5'} 2012-10-11 16:35:41,967 [INFO] @connection.py:498 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/rhsm/ca/, insecure = False 2012-10-11 16:35:41,967 [INFO] @connection.py:511 - Connection Built: host: jsefler-f14-candlepin.usersys.redhat.com, port: 8443, handler: /candlepin 2012-10-11 16:35:41,968 [INFO] @connection.py:508 - Using no auth 2012-10-11 16:35:41,968 [INFO] @connection.py:511 - Connection Built: host: jsefler-f14-candlepin.usersys.redhat.com, port: 8443, handler: /candlepin 2012-10-11 16:35:41,969 [DEBUG] @connection.py:323 - Loading CA PEM certificates from: /etc/rhsm/ca/ 2012-10-11 16:35:41,969 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem' 2012-10-11 16:35:41,970 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/jsefler-f14-candlepin.pem' 2012-10-11 16:35:41,970 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem' 2012-10-11 16:35:41,970 [DEBUG] @connection.py:344 - Making request: GET /candlepin/ 2012-10-11 16:35:42,061 [DEBUG] @connection.py:357 - Response status: 200 2012-10-11 16:35:42,062 [DEBUG] @connection.py:528 - Server supports the following resources: 2012-10-11 16:35:42,063 [DEBUG] @connection.py:529 - {'': '/', 'hypervisors': '/hypervisors', 'serials': '/serials', 'consumers': '/consumers', 'migrations': '/migrations', 'content': '/content', 'entitlements': '/entitlements', 'statistics/generate': '/statistics/generate', 'status': '/status', 'jobs': '/jobs', 'users': '/users', 'subscriptions': '/subscriptions', 'rules': '/rules', 'consumertypes': '/consumertypes', 'activation_keys': '/activation_keys', 'atom': '/atom', 'owners': '/owners', 'roles': '/roles', 'admin': '/admin', 'events': '/events', 'products': '/products', 'pools': '/pools', 'crl': '/crl'} 2012-10-11 16:35:42,065 [DEBUG] @connection.py:323 - Loading CA PEM certificates from: /etc/rhsm/ca/ 2012-10-11 16:35:42,066 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem' 2012-10-11 16:35:42,068 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/jsefler-f14-candlepin.pem' 2012-10-11 16:35:42,069 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem' 2012-10-11 16:35:42,070 [DEBUG] @connection.py:344 - Making request: GET /candlepin/status 2012-10-11 16:35:42,092 [DEBUG] @connection.py:357 - Response status: 200 2012-10-11 16:35:42,165 [DEBUG] @connection.py:323 - Loading CA PEM certificates from: /etc/rhsm/ca/ 2012-10-11 16:35:42,166 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem' 2012-10-11 16:35:42,167 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/jsefler-f14-candlepin.pem' 2012-10-11 16:35:42,168 [DEBUG] @connection.py:305 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem' 2012-10-11 16:35:42,170 [DEBUG] @connection.py:344 - Making request: GET /candlepin/status 2012-10-11 16:35:42,192 [DEBUG] @connection.py:357 - Response status: 200 2012-10-11 16:35:42,194 [INFO] @managercli.py:263 - Server Versions: {'candlepin': '0.7.13-1', 'server-type': 'subscription management service'} 2012-10-11 16:35:42,200 [ERROR] @certlib.py:268 - [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem' 2012-10-11 16:35:42,201 [ERROR] @managercli.py:114 - exception caught in subscription-manager 2012-10-11 16:35:42,202 [ERROR] @managercli.py:115 - Traceback (most recent call last): File "/usr/sbin/subscription-manager", line 78, in ? sys.exit(abs(main() or 0)) File "/usr/sbin/subscription-manager", line 69, in main return managercli.ManagerCLI().main() File "/usr/share/rhsm/subscription_manager/cli.py", line 140, in main return cmd.main() File "/usr/share/rhsm/subscription_manager/managercli.py", line 423, in main return_code = self._do_command() File "/usr/share/rhsm/subscription_manager/managercli.py", line 1367, in _do_command self.certlib.update() File "/usr/share/rhsm/subscription_manager/certlib.py", line 61, in update return self._do_update() File "/usr/share/rhsm/subscription_manager/certlib.py", line 84, in _do_update return action.perform() File "/usr/share/rhsm/subscription_manager/certlib.py", line 219, in perform expected = self.getExpected(report) File "/usr/share/rhsm/subscription_manager/certlib.py", line 283, in getExpected exp = self.getCertificateSerialsList() File "/usr/share/rhsm/subscription_manager/certlib.py", line 276, in getCertificateSerialsList reply = self.uep.getCertificateSerials(self._getConsumerId()) File "/usr/share/rhsm/subscription_manager/certlib.py", line 269, in _getConsumerId raise Disconnected() Disconnected