Description of problem:
After the fix for bug 988476 was implemented, it revealed that the rhsm.conf parameter for ca_cert_dir was in the wrong section. Currently it is located in the [server] section and it should be moved to the [rhsm] section.

Version-Release number of selected component (if applicable):
[root@jsefler-5 ~]# rpm -q python-rhsm subscription-manager
python-rhsm-1.8.16-1.el5
subscription-manager-1.8.16-1.el

How reproducible:

Steps to Reproduce:
[root@jsefler-5 ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname=subscription.rhn.redhat.com

# Server subscription:
prefix=/candlepin

# Server port:
port=443

# Set to 1 to disable certificate validation:
insecure=0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# Server CA certificate location:   <============ MOVE THIS LINE UNDER [rhsm]
ca_cert_dir = /etc/rhsm/ca/         <============ MOVE THIS LINE UNDER [rhsm]

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl=https://cdn.redhat.com

# Default CA cert to use when generating yum repo configs:
repo_ca_cert=%(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir=/etc/pki/product
entitlementCertDir=/etc/pki/entitlement
consumerCertDir=/etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440

Additional info:
Reference file: /usr/lib64/python2.4/site-packages/rhsm/config.py
The reason I am setting this to HIGH severity is because if the user needs to change the ca_cert_dir value, his changes will be useless in the [server] section. Moreover, the repo_ca_cert configuration in the [rhsm] section of the config file defaults to repo_ca_cert=%(ca_cert_dir)sredhat-uep.pem, which depends on ca_cert_dir, but it will remain set to its default value no matter how much the user changes the ca_cert_dir in the [server] section.
commit ce1be44d159c3d5a8339274dd15e56455f35b845
Author: ckozak <ckozak>
Date:   Mon Aug 5 16:11:55 2013 -0400

    993202: fix default config, take advantage of rhsmconfig options
Verified!!

[root@localhost ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: Unknown
subscription-manager: 1.8.19-1.el5
python-rhsm: 1.8.16-1.el5

[root@localhost ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname = subscription.rhn.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl= https://cdn.redhat.com

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/         ------------> under [rhsm]

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440
Warning: Although this bug is VERIFIED (for a new install of subscription-manager), if the user begins with an older rhsm.conf file where the ca_cert_dir has been changed from its default value in the original [server] section of the rhsm.conf file, an rpm upgrade to subscription-manager-1.8.19 will NOT transfer the non-default value to the [rhsm] section of the rhsm.conf file. The result could be errors like "[Errno 14] Peer cert cannot be verified or peer cert invalid." If this happens, then a manual solution is to edit /etc/rhsm/rhsm.conf and move the ca_cert_dir from the [server] to the [rhsm] section.
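A way to check a host for the upgrade case described in the warning above, as an added example that is not part of the original report or of subscription-manager: it parses rhsm.conf text, flags a ca_cert_dir left under [server], and shows the repo_ca_cert path that results. The function name, the custom directory and both sample files are constructed, and the fallback to /etc/rhsm/ca/ models the behaviour the report describes rather than the code in rhsm/config.py.

```python
import configparser

# Default named in the report; modelling the fallback this way is an assumption.
DEFAULT_CA_CERT_DIR = "/etc/rhsm/ca/"

# Constructed, trimmed samples: before and after moving ca_cert_dir.
LEGACY_CONF = """\
[server]
hostname = subscription.rhn.redhat.com
insecure = 0
ca_cert_dir = /etc/pki/custom-ca/
proxy_hostname =
[rhsm]
baseurl = https://cdn.redhat.com
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""
FIXED_CONF = """\
[server]
hostname = subscription.rhn.redhat.com
insecure = 0
proxy_hostname =
[rhsm]
baseurl = https://cdn.redhat.com
ca_cert_dir = /etc/pki/custom-ca/
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
"""

def audit_ca_cert_dir(conf_text):
    """Report where ca_cert_dir is set and which value actually takes effect."""
    cp = configparser.RawConfigParser()  # raw: keep %(ca_cert_dir)s unexpanded
    cp.read_string(conf_text)
    in_server = cp.get("server", "ca_cert_dir", fallback=None)
    in_rhsm = cp.get("rhsm", "ca_cert_dir", fallback=None)
    # Per the report, only the [rhsm] value (or the default) is honoured.
    effective = in_rhsm if in_rhsm is not None else DEFAULT_CA_CERT_DIR
    repo_raw = cp.get("rhsm", "repo_ca_cert",
                      fallback="%(ca_cert_dir)sredhat-uep.pem")
    return {
        "misplaced": in_server is not None,
        # A [server] value that differs from the effective one is silently lost.
        "ignored_override": in_server if in_server not in (None, effective) else None,
        "effective_ca_cert_dir": effective,
        "repo_ca_cert": repo_raw.replace("%(ca_cert_dir)s", effective),
    }

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_ca_cert_dir(text))
```

A non-empty ignored_override after an upgrade means the CA directory the administrator chose is not the one used to validate the server certificate.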
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1332.html