Red Hat Bugzilla – Bug 890000
Can not auto-subscribe against SAM-20121221.n.1 server
Last modified: 2016-09-19 22:27:54 EDT
Description of problem:
After registering to the SAM-20121221.n.1 server, auto-subscribe failed.

Version-Release number of selected component (if applicable):
katello-cli-common-1.2.1-11h.el6_3.noarch
katello-selinux-1.2.1-1h.el6_3.noarch
katello-headpin-all-1.2.1-10h.el6_3.noarch
katello-headpin-1.2.1-10h.el6_3.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-glue-candlepin-1.2.1-10h.el6_3.noarch
katello-common-1.2.1-10h.el6_3.noarch
katello-configure-1.2.3-1h.el6_3.noarch
katello-cli-1.2.1-11h.el6_3.noarch
katello-certs-tools-1.2.1-1h.el6_3.noarch
candlepin-tomcat6-0.7.23-1.el6_3.noarch
candlepin-0.7.23-1.el6_3.noarch
thumbslug-selinux-0.0.28-1.el6_3.noarch
thumbslug-0.0.28-1.el6_3.noarch
subscription-manager-1.1.14-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Register to the SAM server
#subscribe-manager register --username=admin
password:
The system has been registered with id: aafa57dc-bd1c-47c5-88c0-9c67f3bd7a6d
2. Auto-subscribe some subscription
#subscription-manager subscribe --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status: Not Subscribed

Actual results:
auto-subscribe failed

Expected results:
auto-subscribe should succeed

Additional info:
When listing available subscriptions it shows:
[root@virtlab-66-84-79 ~]# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Employee Subscription
SKU: SYS0395
Pool Id: 8ac28c703bcaee4d013bcaf3e76500a1
Quantity: 50
Service Level: None
Service Type: None
Multi-Entitlement: No
Ends: 09/27/2013
System Type: Physical

Subscription Name: 60 Day Supported CloudForms Evaluation
SKU: SER0408
Pool Id: 8ac28c703bcaee4d013bcaf3e7f600b6
Quantity: 30
Service Level: Premium
Service Type: L1-L3
Multi-Entitlement: No
Ends: 01/01/2013
System Type: Physical

Subscription Name: Resilient Storage (8 sockets)
SKU: RH1316844
Pool Id: 8ac28c703bcaee4d013bcaf3e6ab0081
Quantity: 18
Service Level: Layered
Service Type: L1-L3
Multi-Entitlement: No
Ends: 02/24/2013
System Type: Physical

Subscription Name: Scalable File System (8 sockets)
SKU: RH1416373
Pool Id: 8ac28c703bcaee4d013bcaf3e86d00c3
Quantity: 10
Service Level: Layered
Service Type: L1-L3
Multi-Entitlement: No
Ends: 02/24/2013
System Type: Physical

And when registering the Red Hat Employee Subscription, which can be autosubscribed at the former SAM version, with Pool ID it shows:
[root@virtlab-66-84-79 ~]# subscription-manager subscribe --pool=8ac28c703bcaee4d013bcaf3e76500a1
The support of V3 certificates is not enabled on the server and is required for large content set subscription: Red Hat Employee Subscription

It seems that the SAM server doesn't enable V3 certificates.
Created attachment 668428: The manifest that the SAM server uses
Created attachment 668670: subscribe via SAM web UI
When attaching the Red Hat Employee Subscription via SAM Web UI, the following error message pops up:

Resources::Candlepin::Consumer: 500 Internal Server Error {"displayMessage":"The support of V3 certificates is not enabled on the server and is required for large content set subscription: Red Hat Employee Subscription"} (POST /candlepin/consumers/803c5e73-014a-4ef1-b718-a730773c579f/entitlements?pool=8ac28c703bcaee4d013bcaf3e76500a1&quantity=1) (RestClient::InternalServerError)
{"displayMessage":"The support of V3 certificates is not enabled on the server and is required for large content set subscription: Red Hat Employee Subscription"}
Click here for more details.

See the picture attached above.
I believe that this is behaving as expected.

By default, candlepin disables cert v3 support. This was done so that candlepin could be released before v3 certificate support was ready, and eliminated the need to disable v3 support on any new deployments.

*The enable/disable v3 support option will eventually be removed, and v3 support will be the norm.*

A check was added to candlepin to not allow attaching a subscription with a large number of content sets. This was because there are issues with using very large certificates on the CDN. This is likely why you could subscribe on older versions of SAM.

Adding the following property to candlepin's config file and restarting tomcat should resolve the issue you are seeing.

candlepin.enable_cert_v3=true

I suggest closing this BZ as NOTABUG.
(In reply to comment #4)
> I believe that this is behaving as expected.
>
> By default, candlepin disables cert v3 support. This was done so that
> candlepin could be released before v3 certificate support was ready, and
> eliminated the need to disable v3 support on any new deployments.
>
> *The enable/disable v3 support option will eventually be removed, and v3
> support will be the norm.*
>
> A check was added to candlepin to not allow attaching a subscription with a
> large number of content sets. This was because there are issues with using
> very large certificates on the CDN. This is likely why you could subscribe
> on older versions of SAM.
>
> Adding the following property to candlepin's config file and restarting
> tomcat should resolve the issue you are seeing.
>
> candlepin.enable_cert_v3=true
>
>
> I suggest closing this BZ as NOTABUG.

Thanks Michael, we can enable cert v3 support now on the SAM server following your instructions.

1. Add candlepin.enable_cert_v3=true to /etc/candlepin/candlepin.conf
[root@samserv ~]# cat /etc/candlepin/candlepin.conf
#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#
jpa.config.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
jpa.config.hibernate.connection.url=jdbc:postgresql:candlepin
jpa.config.hibernate.hbm2ddl.auto=validate
jpa.config.hibernate.connection.username=candlepin
jpa.config.hibernate.connection.password=$1$6eXPhiSNbY2FDHGNinLamQ==
candlepin.consumer_system_name_pattern = .+
candlepin.environment_content_filtering=false
module.config.katello=org.candlepin.katello.KatelloModule
candlepin.auth.oauth.enabled = true
candlepin.auth.oauth.consumer.katello.secret = 7nfvOrPVyMBRdgi8t3aunBlp27GIj8YZ
candlepin.crl.file = /var/lib/candlepin/candlepin-crl.crl
candlepin.enable_cert_v3=true
candlepin.auth.oauth.consumer.thumbslug.secret = 7nfvOrPVyMBRdgi8t3aunBlp27GIj8YZ

2. Restart tomcat
service tomcat6 restart

After cert v3 is enabled, autosubscribe succeeds.
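Added example (not part of the bug thread or of any Red Hat tooling): one way to script step 1 so it can be re-run safely, since the file header warns that katello-configure may overwrite manual changes. The function names are hypothetical, and the script assumes the file is read like java.util.Properties, where the last assignment of a key wins.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical;
# the property name and file path are the ones quoted in the comments above.
KEY='candlepin.enable_cert_v3'
KEY_RE='candlepin\.enable_cert_v3'   # same key with the dots escaped for regex use

# Print the effective value of the key ("" when unset). Handles "key=value"
# and "key = value". Assumption: the last assignment wins, as it does with
# java.util.Properties.
cert_v3_value() {
    sed -n "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Make sure the file named by $1 ends up with exactly one "KEY=true" line.
# Prints "unchanged" or "updated"; returns non-zero on error.
enable_cert_v3() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    if [ "$(cert_v3_value "$conf")" = "true" ]; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp) || return 2
    # Drop every existing assignment of the key (grep exits 1 if nothing is left).
    grep -v "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf" > "$tmp" ||
        [ $? -eq 1 ] || { rm -f "$tmp"; return 2; }
    printf '%s=true\n' "$KEY" >> "$tmp"
    # Back up with mode and owner preserved, then overwrite the contents in
    # place so the original file's mode, owner and SELinux label are kept.
    rc=0
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf" || rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo updated
    return "$rc"
}

# Usage: sh enable_cert_v3.sh /etc/candlepin/candlepin.conf
if [ "$#" -gt 0 ]; then
    enable_cert_v3 "$1"
fi
```

When the script prints "updated", tomcat6 still has to be restarted as in step 2 for the new value to take effect.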
katello-configure will be updated to enable cert v3 in SAM installations
Since katello-configure will be updated to enable cert v3 in SAM installations, I'll verify this bug when a new SAM build comes out.
Verified:
* candlepin-0.7.23-1.el6_3.noarch
* candlepin-tomcat6-0.7.23-1.el6_3.noarch
* elasticsearch-0.19.9-5.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.2.1-1h.el6_3.noarch
* katello-cli-1.2.1-12h.el6_3.noarch
* katello-cli-common-1.2.1-12h.el6_3.noarch
* katello-common-1.2.1-14h.el6_3.noarch
* katello-configure-1.2.3-2h.el6_3.noarch
* katello-glue-candlepin-1.2.1-14h.el6_3.noarch
* katello-headpin-1.2.1-14h.el6_3.noarch
* katello-headpin-all-1.2.1-14h.el6_3.noarch
* katello-selinux-1.2.1-2h.el6_3.noarch
* thumbslug-0.0.28-1.el6_3.noarch
* thumbslug-selinux-0.0.28-1.el6_3.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0544.html