993039 – Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA clients)

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 993039 - Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA clients)

Summary: Some candlepins generating certs not readable by all clients (like 6.4/5.9 GA...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Subscription Management
Sub Component:
Version:	Nightly
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	Unspecified
Assignee:	candlepin-bugs
QA Contact:	sthirugn@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-05 13:29 UTC by Adrian Likins
Modified:	2019-09-26 18:19 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-09-11 12:19:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Adrian Likins 2013-08-05 13:29:46 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=974587
https://bugzilla.redhat.com/show_bug.cgi?id=979153
https://bugzilla.redhat.com/show_bug.cgi?id=969464
https://bugzilla.redhat.com/show_bug.cgi?id=972718
etc

All of those bugs look to be variations of the same problem. Candlepin
can provide entitlement certificates that come clients do not
understand. The RHEL6.4 and RHEL5.9 clients are particularly
prone to this, so client changes to work around this aren't a
practical solution. In many of the cases, the clients fail to
load and are basically dead in the water. In a lot of the cases.
'rct' also fails to read the cert.

I'm not entirely sure which candlepin versions are effected
(the version that was in sam-1.3 seems to show, as does the
version currently in stage). It also seems like the manifest
export/import process comes into play.

https://bugzilla.redhat.com/show_bug.cgi?id=974587
Has some details on trying to use a 6.4 client with a entitlement
cert downloaded manually from stage, for the stage_test_12 user.
Those particular certs have very little info in them (no order, no
content, etc).



To fix it, I think we have to make sure master candlepin (or
any version deployed) will only server certificates that will
work with the 5.9 or 6.4 clients.

Comment 1 Adrian Likins 2013-08-07 13:45:12 UTC

Update on the referenced https://bugzilla.redhat.com/show_bug.cgi?id=974587

The ent certs that access.stage is providing for manual download atm the moment seem to be very busted. Certs downloaded by the client appear to be ok.

Also note that standalone candlepin with test data doesn't seem to ever provide ent certs that break 6.4 clients (or at least, 0.8.x seems okay). But the test data also never creates subscriptions or pools with out order/contract info, which seems to be what is causing some of the problems.

Standalone with imported manifests seem to be able to replicate the problem. https://bugzilla.redhat.com/show_bug.cgi?id=979153 seems to be caused by this.

Comment 2 RHEL Program Management 2013-09-17 04:20:48 UTC

Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 William Poteat 2014-01-06 18:14:39 UTC

fixed as per BZ 995099

Comment 8 Bryan Kearney 2014-02-17 18:17:02 UTC

moving to ON_QA as all these are in the latest candlepin build.

Comment 11 sthirugn@redhat.com 2014-08-25 15:54:27 UTC

Verified. (as part of client registration testing for sat6)

rhel 6.4 and 5.9 clients (all archs - x86_64, i386, ppc64, s390x) are able to subscribe/register/consume content from sat6.

Testing included:
Register to Sat6
Subscribe to Sat6
Install package
Remove package
Install package group
Install errata

Version Tested:
GA Snap 6 - Satellite-6.0.4-RHEL-6-20140820.1

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.23-1.el6_5.noarch
* candlepin-common-1.0.1-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.23-1.el6_5.noarch
* candlepin-tomcat6-0.9.23-1.el6_5.noarch
* elasticsearch-0.90.10-6.el6sat.noarch
* foreman-1.6.0.41-1.el6sat.noarch
* foreman-compute-1.6.0.41-1.el6sat.noarch
* foreman-gce-1.6.0.41-1.el6sat.noarch
* foreman-libvirt-1.6.0.41-1.el6sat.noarch
* foreman-ovirt-1.6.0.41-1.el6sat.noarch
* foreman-postgresql-1.6.0.41-1.el6sat.noarch
* foreman-proxy-1.6.0.29-1.el6sat.noarch
* foreman-selinux-1.6.0.7-1.el6sat.noarch
* foreman-vmware-1.6.0.41-1.el6sat.noarch
* katello-1.5.0-29.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.60-1.el6sat.noarch
* openldap-2.4.23-34.el6_5.1.x86_64
* openldap-devel-2.4.23-34.el6_5.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
* pulp-server-2.4.0-0.30.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch

Comment 12 Bryan Kearney 2014-09-11 12:19:11 UTC

This was delivered with Satellite 6.0 which was released on 10 September 2014.

Note You need to log in before you can comment on or make changes to this bug.