Bug 993039 - Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA clients)
Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA...
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Subscription Management (Show other bugs)
Unspecified Unspecified
unspecified Severity high (vote)
: Unspecified
: --
Assigned To: candlepin-bugs
: Triaged
Depends On:
  Show dependency treegraph
Reported: 2013-08-05 09:29 EDT by Adrian Likins
Modified: 2014-09-11 08:19 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-09-11 08:19:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adrian Likins 2013-08-05 09:29:46 EDT

All of those bugs look to be variations of the same problem. Candlepin
can provide entitlement certificates that come clients do not
understand. The RHEL6.4 and RHEL5.9 clients are particularly
prone to this, so client changes to work around this aren't a
practical solution. In many of the cases, the clients fail to
load and are basically dead in the water. In a lot of the cases.
'rct' also fails to read the cert.

I'm not entirely sure which candlepin versions are effected
(the version that was in sam-1.3 seems to show, as does the
version currently in stage). It also seems like the manifest
export/import process comes into play.

Has some details on trying to use a 6.4 client with a entitlement
cert downloaded manually from stage, for the stage_test_12 user.
Those particular certs have very little info in them (no order, no
content, etc).

To fix it, I think we have to make sure master candlepin (or
any version deployed) will only server certificates that will
work with the 5.9 or 6.4 clients.
Comment 1 Adrian Likins 2013-08-07 09:45:12 EDT
Update on the referenced https://bugzilla.redhat.com/show_bug.cgi?id=974587

The ent certs that access.stage is providing for manual download atm the moment seem to be very busted. Certs downloaded by the client appear to be ok.

Also note that standalone candlepin with test data doesn't seem to ever provide ent certs that break 6.4 clients (or at least, 0.8.x seems okay). But the test data also never creates subscriptions or pools with out order/contract info, which seems to be what is causing some of the problems.

Standalone with imported manifests seem to be able to replicate the problem. https://bugzilla.redhat.com/show_bug.cgi?id=979153 seems to be caused by this.
Comment 2 RHEL Product and Program Management 2013-09-17 00:20:48 EDT
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 5 William Poteat 2014-01-06 13:14:39 EST
fixed as per BZ 995099
Comment 8 Bryan Kearney 2014-02-17 13:17:02 EST
moving to ON_QA as all these are in the latest candlepin build.
Comment 11 sthirugn@redhat.com 2014-08-25 11:54:27 EDT
Verified. (as part of client registration testing for sat6)

rhel 6.4 and 5.9 clients (all archs - x86_64, i386, ppc64, s390x) are able to subscribe/register/consume content from sat6.

Testing included:
Register to Sat6
Subscribe to Sat6
Install package
Remove package
Install package group
Install errata

Version Tested:
GA Snap 6 - Satellite-6.0.4-RHEL-6-20140820.1

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.23-1.el6_5.noarch
* candlepin-common-1.0.1-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.23-1.el6_5.noarch
* candlepin-tomcat6-0.9.23-1.el6_5.noarch
* elasticsearch-0.90.10-6.el6sat.noarch
* foreman-
* foreman-compute-
* foreman-gce-
* foreman-libvirt-
* foreman-ovirt-
* foreman-postgresql-
* foreman-proxy-
* foreman-selinux-
* foreman-vmware-
* katello-1.5.0-29.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.60-1.el6sat.noarch
* openldap-2.4.23-34.el6_5.1.x86_64
* openldap-devel-2.4.23-34.el6_5.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
* pulp-server-2.4.0-0.30.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
Comment 12 Bryan Kearney 2014-09-11 08:19:11 EDT
This was delivered with Satellite 6.0 which was released on 10 September 2014.

Note You need to log in before you can comment on or make changes to this bug.