Bug 993039 – Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA clients)

Bug 993039 - Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA clients)

Summary:	Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA...

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Red Hat Satellite 6
Classification:	Red Hat
Component:	Subscription Management (Show other bugs)
Sub Component:
Version:	Nightly
Hardware:	Unspecified Unspecified

Priority	unspecified Severity high (vote)
Target Milestone:	Unspecified
Target Release:	--
Assigned To:	candlepin-bugs
QA Contact:	sthirugn@redhat.com
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2013-08-05 09:29 EDT by Adrian Likins
Modified:	2014-09-11 08:19 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-09-11 08:19:11 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adrian Likins 2013-08-05 09:29:46 EDT

https://bugzilla.redhat.com/show_bug.cgi?id=974587
https://bugzilla.redhat.com/show_bug.cgi?id=979153
https://bugzilla.redhat.com/show_bug.cgi?id=969464
https://bugzilla.redhat.com/show_bug.cgi?id=972718
etc

All of those bugs look to be variations of the same problem. Candlepin
can provide entitlement certificates that come clients do not
understand. The RHEL6.4 and RHEL5.9 clients are particularly
prone to this, so client changes to work around this aren't a
practical solution. In many of the cases, the clients fail to
load and are basically dead in the water. In a lot of the cases.
'rct' also fails to read the cert.

I'm not entirely sure which candlepin versions are effected
(the version that was in sam-1.3 seems to show, as does the
version currently in stage). It also seems like the manifest
export/import process comes into play.

https://bugzilla.redhat.com/show_bug.cgi?id=974587
Has some details on trying to use a 6.4 client with a entitlement
cert downloaded manually from stage, for the stage_test_12 user.
Those particular certs have very little info in them (no order, no
content, etc).



To fix it, I think we have to make sure master candlepin (or
any version deployed) will only server certificates that will
work with the 5.9 or 6.4 clients.

Comment 1 Adrian Likins 2013-08-07 09:45:12 EDT

Update on the referenced https://bugzilla.redhat.com/show_bug.cgi?id=974587

The ent certs that access.stage is providing for manual download atm the moment seem to be very busted. Certs downloaded by the client appear to be ok.

Also note that standalone candlepin with test data doesn't seem to ever provide ent certs that break 6.4 clients (or at least, 0.8.x seems okay). But the test data also never creates subscriptions or pools with out order/contract info, which seems to be what is causing some of the problems.

Standalone with imported manifests seem to be able to replicate the problem. https://bugzilla.redhat.com/show_bug.cgi?id=979153 seems to be caused by this.

Comment 2 RHEL Product and Program Management 2013-09-17 00:20:48 EDT

Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 William Poteat 2014-01-06 13:14:39 EST

fixed as per BZ 995099

Comment 8 Bryan Kearney 2014-02-17 13:17:02 EST

moving to ON_QA as all these are in the latest candlepin build.

Comment 11 sthirugn@redhat.com 2014-08-25 11:54:27 EDT

Verified. (as part of client registration testing for sat6)

rhel 6.4 and 5.9 clients (all archs - x86_64, i386, ppc64, s390x) are able to subscribe/register/consume content from sat6.

Testing included:
Register to Sat6
Subscribe to Sat6
Install package
Remove package
Install package group
Install errata

Version Tested:
GA Snap 6 - Satellite-6.0.4-RHEL-6-20140820.1

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.23-1.el6_5.noarch
* candlepin-common-1.0.1-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.23-1.el6_5.noarch
* candlepin-tomcat6-0.9.23-1.el6_5.noarch
* elasticsearch-0.90.10-6.el6sat.noarch
* foreman-1.6.0.41-1.el6sat.noarch
* foreman-compute-1.6.0.41-1.el6sat.noarch
* foreman-gce-1.6.0.41-1.el6sat.noarch
* foreman-libvirt-1.6.0.41-1.el6sat.noarch
* foreman-ovirt-1.6.0.41-1.el6sat.noarch
* foreman-postgresql-1.6.0.41-1.el6sat.noarch
* foreman-proxy-1.6.0.29-1.el6sat.noarch
* foreman-selinux-1.6.0.7-1.el6sat.noarch
* foreman-vmware-1.6.0.41-1.el6sat.noarch
* katello-1.5.0-29.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.60-1.el6sat.noarch
* openldap-2.4.23-34.el6_5.1.x86_64
* openldap-devel-2.4.23-34.el6_5.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
* pulp-server-2.4.0-0.30.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch

Comment 12 Bryan Kearney 2014-09-11 08:19:11 EDT

This was delivered with Satellite 6.0 which was released on 10 September 2014.

Note You need to log in before you can comment on or make changes to this bug.