Bug 993202 - rhsm.conf default configuration server.ca_cert_dir should be moved to rhsm.ca_cert_dir
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager
Version: 5.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Carter Kozak
QA Contact: IDM QE LIST
Depends On:
Blocks: rhsm-rhel510
Reported: 2013-08-05 12:56 EDT by John Sefler
Modified: 2013-09-30 19:15 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: By default we use interpolation for repo_ca_cert, it depends upon ca_cert_dir. ca_cert_dir was in a different section, which causes interpolation problems.
Consequence: ca_cert_dir has been moved from the server section into rhsm. Default values will be used for ca_cert_dir and repo_ca_cert if ca_cert_dir is not present in the rhsm section, and repo_ca_cert uses interpolation (ex: %(ca_cert_dir)sredhat-uep.pem)
Fix: Move the ca_cert_directory config line from the [server] section into [rhsm]
Result: Functionality will remain the same as older versions
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-30 19:15:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description John Sefler 2013-08-05 12:56:40 EDT
Description of problem:
After the fix for bug 988476 was implemented, it revealed that the rhsm.conf parameter for ca_cert_dir was in the wrong section.  Currently it is located in the [server] section and it should be moved to the [rhsm] section.

Version-Release number of selected component (if applicable):
[root@jsefler-5 ~]# rpm -q python-rhsm subscription-manager
python-rhsm-1.8.16-1.el5
subscription-manager-1.8.16-1.el

How reproducible:


Steps to Reproduce:


[root@jsefler-5 ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname=subscription.rhn.redhat.com

# Server subscription:
prefix=/candlepin

# Server port:
port=443

# Set to 1 to disable certificate validation:
insecure=0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# Server CA certificate location:    <============ MOVE THIS LINE UNDER [rhsm]
ca_cert_dir = /etc/rhsm/ca/          <============ MOVE THIS LINE UNDER [rhsm]

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl=https://cdn.redhat.com

# Default CA cert to use when generating yum repo configs:
repo_ca_cert=%(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir=/etc/pki/product
entitlementCertDir=/etc/pki/entitlement
consumerCertDir=/etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440






Additional info:
Reference file: /usr/lib64/python2.4/site-packages/rhsm/config.py
Comment 1 John Sefler 2013-08-05 13:07:41 EDT
The reason I am setting this to HIGH severity is because if the user needs to change the ca_cert_dir value, his changes will be useless in the [server] section.  Moreover, the repo_ca_cert configuration in the [rhsm] section of the config file defaults to repo_ca_cert=%(ca_cert_dir)sredhat-uep.pem which depends on ca_cert_dir, but it will remain set to its default value no matter how much the user changes the ca_cert_dir in the [server] section.
Comment 2 Carter Kozak 2013-08-06 08:56:27 EDT
commit ce1be44d159c3d5a8339274dd15e56455f35b845
Author: ckozak <ckozak@redhat.com>
Date:   Mon Aug 5 16:11:55 2013 -0400

    993202: fix default config, take advantage of rhsmconfig options
Comment 4 Shwetha Kallesh 2013-08-08 08:05:09 EDT
Verified!!

[root@localhost ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: Unknown
subscription-manager: 1.8.19-1.el5
python-rhsm: 1.8.16-1.el5



[root@localhost ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname = subscription.rhn.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl= https://cdn.redhat.com

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/   ------------> under [rhsm]

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440
Comment 5 John Sefler 2013-08-15 18:12:27 EDT
Warning: Although this bug is VERIFIED (for a new install of subscription-manager), if the user begins with an older rhsm.conf file where the ca_cert_dir has been changed from its default value in the original [server] section of the rhsm.conf file, an rpm upgrade to subscription-manager-1.8.19 will NOT transfer the non-default value to the [rhsm] section of the rhsm.conf file.  The result could be errors like "[Errno 14] Peer cert cannot be verified or peer cert invalid."  If this happens, then a manual solution is to edit /etc/rhsm/rhsm.conf and move the ca_cert_dir from the [server] to the [rhsm] section.
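
The section-scoped interpolation discussed in Comments 1 and 5, shown as an added example that is not part of the original bug report or the python-rhsm code. It uses Python's standard `configparser`; the modelled fallback to defaults, the `audit_ca_cert_dir` name and the `/etc/custom-ca/` directory are assumptions made for illustration.

```python
import configparser

# Defaults as they appear in the rhsm.conf listings in this report.
DEFAULT_CA_CERT_DIR = "/etc/rhsm/ca/"
DEFAULT_REPO_CA_CERT = "%(ca_cert_dir)sredhat-uep.pem"

def audit_ca_cert_dir(conf_text):
    """Return (effective repo_ca_cert, findings) for an rhsm.conf body."""
    cfg = configparser.ConfigParser()  # BasicInterpolation: %(name)s
    cfg.read_string(conf_text)
    if not cfg.has_section("rhsm"):
        cfg.add_section("rhsm")
    # Modelled fallback (assumption): defaults apply when [rhsm] lacks the key.
    if not cfg.has_option("rhsm", "ca_cert_dir"):
        cfg.set("rhsm", "ca_cert_dir", DEFAULT_CA_CERT_DIR)
    if not cfg.has_option("rhsm", "repo_ca_cert"):
        cfg.set("rhsm", "repo_ca_cert", DEFAULT_REPO_CA_CERT)

    # %(ca_cert_dir)s is looked up in [rhsm] (and DEFAULT) only, never [server].
    effective_dir = cfg.get("rhsm", "ca_cert_dir")
    effective_cert = cfg.get("rhsm", "repo_ca_cert")

    findings = []
    stale = cfg.get("server", "ca_cert_dir", raw=True, fallback=None)
    if stale is not None:
        findings.append("ca_cert_dir in [server] is ignored")
        if stale != effective_dir:
            findings.append("[server] value %r not in effect, using %r"
                            % (stale, effective_dir))
    return effective_cert, findings

# Constructed samples; /etc/custom-ca/ is a made-up non-default directory.
OLD_LAYOUT = """
[server]
hostname = subscription.rhn.redhat.com
ca_cert_dir = /etc/custom-ca/
[rhsm]
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""
NEW_LAYOUT = """
[server]
hostname = subscription.rhn.redhat.com
[rhsm]
ca_cert_dir = /etc/custom-ca/
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""

if __name__ == "__main__":
    for name, text in (("old", OLD_LAYOUT), ("new", NEW_LAYOUT)):
        print(name, audit_ca_cert_dir(text))
```
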
Comment 7 errata-xmlrpc 2013-09-30 19:15:57 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1332.html
