Description of problem:
Within katello our bootstrap scripts configure rhsm with the following configuration:

<SNIP>
[rhsm]
baseurl=https://abed.usersys.redhat.com/pulp/repos
repo_ca_cert = %(ca_cert_dir)scandlepin-local.pem
<SNIP>

Because ca_cert_dir is not defined in this section, the entire repo_ca_cert line is ignored completely and it defaults to redhat-uep.pem in /etc/rhsm/ca/.

How reproducible:
Always

Steps to Reproduce:
1. Install python-rhsm-1.1.8-1.el6.x86_64.rpm
2. Change config in /etc/rhsm/rhsm.conf: repo_ca_cert = %(ca_cert_dir)scandlepin-local.pem
3. Run 'subscription-manager config'
4. Note that repo_ca_cert is correct and points to /etc/rhsm/ca/candlepin-local.pem under [rhsm]
5. Upgrade to newer RHEL 6.5 subscription manager
6. Re-run 'subscription-manager config'

Actual results:
repo_ca_cert shows up as /etc/rhsm/ca/redhat-uep.pem under [rhsm]

[rhsm]
   baseurl = https://abed.usersys.redhat.com/pulp/repos
   ca_cert_dir = [/etc/rhsm/ca/]
   repo_ca_cert = /etc/rhsm/ca/redhat-uep.pem

Expected results:
repo_ca_cert shows up as /etc/rhsm/ca/candlepin-local.pem under [rhsm]

[rhsm]
   baseurl = https://abed.usersys.redhat.com/pulp/repos
   ca_cert_dir = [/etc/rhsm/ca/]
   repo_ca_cert = /etc/rhsm/ca/candlepin-local.pem
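The following is an added illustration, not code from python-rhsm or from the reporter, of the interpolation behaviour the description above relies on. It uses Python 3's standard configparser (python-rhsm of this era ran on Python 2, but %(name)s expansion works the same way: a reference is resolved from the option's own section and from the parser's defaults, never from another section such as [server]). The rhsm.conf fragment, the defaults table and the hard-coded fallback path are constructed for the example; they stand in for whatever the real parser supplies and are not python-rhsm's actual tables. The point for a defender is that a loader which catches the interpolation error and substitutes a built-in CA path silently replaces the operator's chosen CA bundle, which is exactly how a "Peer cert cannot be verified" failure against a Katello/pulp host arises; the strict variant surfaces the problem instead.

```python
import configparser

# Constructed rhsm.conf fragment modelled on the one in the bug report.
# ca_cert_dir lives in [server]; repo_ca_cert in [rhsm] references it.
SAMPLE_RHSM_CONF = """\
[server]
hostname = subscription.rhn.redhat.com
ca_cert_dir = /etc/rhsm/ca/

[rhsm]
baseurl = https://abed.usersys.redhat.com/pulp/repos
repo_ca_cert = %(ca_cert_dir)scandlepin-local.pem
"""

# Hypothetical built-in defaults (not python-rhsm's real table). With
# ca_cert_dir present, the %(ca_cert_dir)s reference in [rhsm] resolves.
FULL_DEFAULTS = {
    "ca_cert_dir": "/etc/rhsm/ca/",
    "repo_ca_cert": "%(ca_cert_dir)sredhat-uep.pem",
}
# The same table with ca_cert_dir missing: the situation the report describes.
BROKEN_DEFAULTS = {"repo_ca_cert": "%(ca_cert_dir)sredhat-uep.pem"}

# Hypothetical hard-coded fallback a lenient loader might substitute.
HARD_CODED_FALLBACK = "/etc/rhsm/ca/redhat-uep.pem"


def resolve_repo_ca_cert(conf_text, defaults):
    """Return the interpolated [rhsm] repo_ca_cert value.

    ConfigParser expands %(name)s from the [rhsm] section and from the
    DEFAULT section only; the ca_cert_dir in [server] is never consulted.
    """
    parser = configparser.ConfigParser(defaults=defaults)
    parser.read_string(conf_text)
    return parser.get("rhsm", "repo_ca_cert")


def interpolation_error(conf_text, defaults):
    """Return the name of the interpolation error raised, or None."""
    try:
        resolve_repo_ca_cert(conf_text, defaults)
    except configparser.InterpolationError as exc:
        return type(exc).__name__
    return None


def resolve_with_silent_fallback(conf_text, defaults, fallback):
    """The failure mode from the report: swallow the interpolation error
    and hand back a built-in path. The operator's setting disappears
    without a trace and yum is pointed at a CA bundle nobody chose."""
    try:
        return resolve_repo_ca_cert(conf_text, defaults)
    except configparser.InterpolationError:
        return fallback


def resolve_strictly(conf_text, defaults):
    """Defensive variant: never substitute a CA path; fail loudly instead,
    naming the unresolved reference so the misconfiguration is visible."""
    try:
        return resolve_repo_ca_cert(conf_text, defaults)
    except configparser.InterpolationMissingOptionError as exc:
        raise ValueError(
            "repo_ca_cert references %r, which is defined neither in [rhsm] "
            "nor in the defaults; refusing to fall back to another CA bundle"
            % exc.reference
        ) from exc


if __name__ == "__main__":
    print("working defaults :", resolve_repo_ca_cert(SAMPLE_RHSM_CONF, FULL_DEFAULTS))
    print("broken defaults  :", interpolation_error(SAMPLE_RHSM_CONF, BROKEN_DEFAULTS))
    print("silent fallback  :", resolve_with_silent_fallback(
        SAMPLE_RHSM_CONF, BROKEN_DEFAULTS, HARD_CODED_FALLBACK))
```

Run as a script it prints the correctly interpolated candlepin-local.pem path, then the InterpolationMissingOptionError name for the broken defaults, then the redhat-uep.pem path the lenient loader would silently use; the strict loader raises instead, which is the behaviour an operator debugging a certificate verification error actually wants.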
Created attachment 786713: Sample rhsm config file that shows the issue.
Also for completeness, the error the user receives is: [Errno 14] Peer cert cannot be verified or peer cert invalid
This bug has been judged urgent for fix to be included in the rhel510 release. This bug is present in subscription-manager-1.8.20-1.el5
commit 0c4286ad423d5078575a4459fdcc7d9f0896630a
Author: ckozak <ckozak>
Date:   Thu Aug 15 09:03:24 2013 -0400

    997194: fix interpolation of default values
Reproducing error on version ...

[root@mgmt2 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: Unknown
subscription-manager: 1.8.20-1.el5
python-rhsm: 1.8.16-1.el5

Starting with an old rhsm.conf prior to Bug 993202

[root@mgmt2 ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname = subscription.rhn.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl= https://cdn.redhat.com

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

[rhsmcertd]
# Frequency of certificate refresh (in minutes):
certFrequency = 240
# Frequency of autoheal check (1440 min = 1 day):
healFrequency = 1440

[root@mgmt2 ~]# subscription-manager config --list | grep repo_ca_cert
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Notice that repo_ca_cert expands to the default value. This is correct.

Now let's change the default rhsm.conf setting for repo_ca_cert...
[root@mgmt2 ~]# sed -i s/repo_ca_cert\ =\ %\(ca_cert_dir\)sredhat-uep.pem/repo_ca_cert\ =\ %\(ca_cert_dir\)scandlepin-local.pem/g /etc/rhsm/rhsm.conf
[root@mgmt2 ~]# grep repo_ca_cert /etc/rhsm/rhsm.conf
repo_ca_cert = %(ca_cert_dir)scandlepin-local.pem

[root@mgmt2 ~]# subscription-manager config --list | grep repo_ca_cert
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
BANG! Although the default value for rhsm.conf parameter repo_ca_cert was indeed changed, its value is not getting interpolated.

Now let's upgrade to the fixed version of python-rhsm...

[root@mgmt2 ~]# rpm -Uvh http://download.devel.redhat.com/brewroot/packages/python-rhsm/1.8.17/1.el5/i386/python-rhsm-1.8.17-1.el5.i386.rpm
Retrieving http://download.devel.redhat.com/brewroot/packages/python-rhsm/1.8.17/1.el5/i386/python-rhsm-1.8.17-1.el5.i386.rpm
Preparing...                ########################################### [100%]
   1:python-rhsm            ########################################### [100%]
[root@mgmt2 ~]# rpm -q python-rhsm
python-rhsm-1.8.17-1.el5

And now let's check what is being interpolated...

[root@mgmt2 ~]# subscription-manager config --list | grep repo_ca_cert
   repo_ca_cert = /etc/rhsm/ca/candlepin-local.pem
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Success! This is what we wanted.

Moving to VERIFIED
*** Bug 998950 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1331.html