RHEL-130556

SSL errors during initial registration are masked by misleading certificate error message

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects Version/s: rhel-10.1, rhel-9.7
    • Component/s: subscription-manager
    • subs-client-tools-2

      This is a copy of a bug report from upstream issue 3640 by rhn-engineering-jlenz

      What were you trying to do that didn't work?

      When subscription-manager register encounters an SSL/TLS error during initial registration, the real error is masked by a misleading message about a missing consumer certificate file:

      Error loading certificate: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'

      This occurs because the SSL error handler in connection.py (lines 1076-1081) attempts to check if the identity certificate is expired, but doesn't verify the file exists before trying to load it. During initial registration, /etc/pki/consumer/cert.pem doesn't exist yet (it's created during registration), causing certificate.create_from_file() to raise an exception that masks the actual SSL error.

      What is the impact of this issue to you?

      This makes troubleshooting registration failures difficult, as users and support teams are misled into thinking there's a certificate problem when the real issue is SSL/TLS configuration.

      Please provide the package NVR for which the bug is seen:

      Affects all versions since 2012, particularly problematic since 2019

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Configure subscription-manager to connect to a server with SSL issues (e.g., hostname mismatch, invalid CA cert, or HTTP instead of HTTPS)
      2. Run subscription-manager register --org=ORG --activationkey=KEY
      3. Observe the misleading certificate error instead of the actual SSL error

      Expected results

      The actual SSL/TLS error should be reported (e.g., "Hostname mismatch", "Certificate verification failed", "Connection refused on HTTPS port")

      Actual results

      Users see: Error loading certificate: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'

      Proposed Fix

```python
# Proposed change to the SSL error handler in src/rhsm/connection.py
# (excerpt of the except clause only; the surrounding try is unchanged).
except ssl.SSLError:
    if self.cert_file and not self.cert_dir:
        if os.path.exists(self.cert_file):  # Add this check
            id_cert = certificate.create_from_file(self.cert_file)
            if not id_cert.is_valid():
                self.is_consumer_cert_key_valid = False
                raise ExpiredIdentityCertException()
    if not self.cert_dir:
        # No (or no readable) identity cert to blame: re-raise the original SSL error
        raise
```

      Additional Context

      Affected locations:

      • src/rhsm/connection.py:1078 (main SSL error handler)
      • src/rhsm/connection.py:1316 (proxy error handler - same bug)
      • Bug introduced: Commit 714a0fe4 (Dec 2012) - original implementation
      • Made worse: Commit 6d934c13 (Sep 2019) - token support refactoring changed exception flow
      • Affects all versions since 2012, particularly problematic since 2019
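The masking described in this report, and the effect of the proposed `os.path.exists()` guard, can be reproduced without subscription-manager. The following is an added, self-contained Python model, not code from subscription-manager or python-rhsm: `load_identity_cert` is a stand-in for `certificate.create_from_file()` plus `is_valid()`, `failing_request` simulates the TLS failure (a hostname mismatch), and `connect_masking` / `connect_fixed` carry the shape of the handler before and after the proposed check. The certificate paths are temporary files constructed for the demonstration.

```python
import os
import ssl
import tempfile


class ExpiredIdentityCertException(Exception):
    """Raised when the consumer identity certificate exists but is no longer valid."""


def load_identity_cert(path):
    """Stand-in for certificate.create_from_file(path) + is_valid() (assumption:
    not the real parser). A file whose content is the literal word 'expired'
    counts as an expired cert; open() raises FileNotFoundError if the file is
    absent, which is exactly the masking behaviour from the bug report."""
    with open(path, "r") as f:
        return f.read().strip() != "expired"


def connect_masking(cert_file, cert_dir, do_request):
    """Handler shaped like the reported bug: on SSLError it loads the identity
    cert without checking that it exists. Before registration the file is
    absent, so FileNotFoundError from open() replaces the SSLError."""
    try:
        return do_request()
    except ssl.SSLError:
        if cert_file and not cert_dir:
            if not load_identity_cert(cert_file):
                raise ExpiredIdentityCertException()
        if not cert_dir:
            raise


def connect_fixed(cert_file, cert_dir, do_request):
    """Handler with the proposed guard: consult the identity cert only when it
    exists; otherwise re-raise the original SSLError untouched."""
    try:
        return do_request()
    except ssl.SSLError:
        if cert_file and not cert_dir and os.path.exists(cert_file):
            if not load_identity_cert(cert_file):
                raise ExpiredIdentityCertException()
        if not cert_dir:
            raise


def failing_request():
    """Constructed stand-in for the HTTPS call to the entitlement server,
    failing the way a hostname mismatch would."""
    raise ssl.SSLCertVerificationError(
        "hostname mismatch: certificate is not valid for 'rhsm.example.invalid'")


def surfaced_error(connect, cert_file, cert_dir=None):
    """Run `connect` and report (name of the escaping exception, name of its
    __context__). __context__ is the exception that was being handled when the
    escaping one was raised, so in the masking case it still holds the original
    SSLError; that is where to look when the only visible message is
    '[Errno 2] No such file or directory'."""
    try:
        connect(cert_file, cert_dir, failing_request)
    except Exception as e:
        ctx = e.__context__
        return (type(e).__name__, None if ctx is None else type(ctx).__name__)
    return (None, None)


def demo():
    # Constructed fixture: a cert path that does not exist yet, like
    # /etc/pki/consumer/cert.pem before the first successful registration.
    missing = os.path.join(tempfile.mkdtemp(), "cert.pem")
    # And one that exists but is expired, to show the guard still catches that case.
    expired = os.path.join(tempfile.mkdtemp(), "cert.pem")
    with open(expired, "w") as f:
        f.write("expired")
    return {
        "masking_missing_cert": surfaced_error(connect_masking, missing),
        "fixed_missing_cert": surfaced_error(connect_fixed, missing),
        "fixed_expired_cert": surfaced_error(connect_fixed, expired),
    }


if __name__ == "__main__":
    for case, (raised, context) in demo().items():
        print(f"{case}: raised {raised}, context {context}")
```

With the buggy shape the escaping exception is `FileNotFoundError`, and only its chained `__context__` still carries the `SSLCertVerificationError`; a full Python traceback shows that chain ("During handling of the above exception, another exception occurred"), but a one-line error message does not. With the guard in place the `SSLError` itself escapes when the cert is missing, and an existing-but-expired cert still produces `ExpiredIdentityCertException`.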

      People: CSI Client Tools Bugs Bot; Matyas Horky (mhorky@redhat.com)