RHEL-135727

Wrong Error "No File cert.pem" When Registering With Activation Key and CA Certificate Is Missing


    • Bug
    • Resolution: Unresolved
    • rhel-8.10, rhel-9.7
    • subscription-manager
    • Low
    • subs-client-tools-2
    • x86_64

      What were you trying to do that didn't work?

      Registering a content host to a Satellite server with the following 2 criteria:

      1. the /etc/rhsm/ca/katello-server-ca.pem file is missing
      2. the --activationkey flag is used with the subscription-manager command

      Will result in an error message about the cert.pem file missing, and not about the missing CA certificate:

      [root@host1 ~]# subscription-manager register --activationkey=rhel9 --org=Yoder
      Error loading certificate: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'
      

      If we don't use the --activationkey flag, the error will be correct:

      [root@host1 ~]# subscription-manager register
      Registering to: satellite.example.com:443/rhsm
      Username: admin
      Password: 
      Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
      

      From the logs when the --activationkey flag is used, we see one line about a certificate verify failed:

      ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
      

      It would be more helpful to the end user if this error was given in the subscription-manager output to the terminal, and not mention the cert.pem file.

      The entire /var/log/rhsm/rhsm.log for the failed registration with the --activationkey flag used:

      2025-12-14 13:19:36,708 [DEBUG] subscription-manager:1801:MainThread @https.py:56 - Using standard libs to provide httplib and ssl
      2025-12-14 13:19:36,874 [DEBUG] subscription-manager:1801:MainThread @ga_loader.py:91 - ga_loader GaImporterGtk3
      2025-12-14 13:19:36,901 [DEBUG] subscription-manager:1801:MainThread @ga_loader.py:91 - ga_loader GaImporterGtk3
      2025-12-14 13:19:36,902 [DEBUG] subscription-manager:1801:MainThread @plugins.py:571 - loaded plugin modules: []
      2025-12-14 13:19:36,902 [DEBUG] subscription-manager:1801:MainThread @plugins.py:572 - loaded plugins: {}
      2025-12-14 13:19:36,902 [DEBUG] subscription-manager:1801:MainThread @identity.py:140 - Loading consumer info from identity certificates.
      2025-12-14 13:19:36,902 [DEBUG] subscription-manager:1801:MainThread @identity.py:155 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
      2025-12-14 13:19:36,913 [DEBUG] subscription-manager:1801:MainThread @managercli.py:505 - X-Correlation-ID: 8b9ee90ce6b74d0487a15eb92bf8ca60
      2025-12-14 13:19:36,914 [DEBUG] subscription-manager:1801:MainThread @managercli.py:395 - Client Versions: {'subscription-manager': '1.28.44-1.el8_10'}
      2025-12-14 13:19:36,914 [DEBUG] subscription-manager:1801:MainThread @connection.py:215 - Environment variable NO_PROXY= will be used
      2025-12-14 13:19:36,914 [DEBUG] subscription-manager:1801:MainThread @connection.py:318 - Connection built: host=satellite.example.com port=443 handler=/rhsm auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
      2025-12-14 13:19:36,914 [DEBUG] subscription-manager:1801:MainThread @connection.py:215 - Environment variable NO_PROXY= will be used
      2025-12-14 13:19:36,915 [DEBUG] subscription-manager:1801:MainThread @connection.py:318 - Connection built: host=satellite.example.com port=443 handler=/rhsm auth=none
      2025-12-14 13:19:36,915 [DEBUG] subscription-manager:1801:MainThread @managercli.py:395 - Client Versions: {'subscription-manager': '1.28.44-1.el8_10'}
      2025-12-14 13:19:36,915 [DEBUG] subscription-manager:1801:MainThread @managercli.py:371 - Consumer Identity name=None uuid=None
      2025-12-14 13:19:36,916 [DEBUG] subscription-manager:1801:MainThread @managercli.py:371 - Consumer Identity name=None uuid=None
      2025-12-14 13:19:36,916 [DEBUG] subscription-manager:1801:MainThread @connection.py:215 - Environment variable NO_PROXY= will be used
      2025-12-14 13:19:36,917 [DEBUG] subscription-manager:1801:MainThread @connection.py:318 - Connection built: host=satellite.example.com port=443 handler=/rhsm auth=none
      2025-12-14 13:19:36,917 [DEBUG] subscription-manager:1801:MainThread @connection.py:215 - Environment variable NO_PROXY= will be used
      2025-12-14 13:19:36,917 [DEBUG] subscription-manager:1801:MainThread @connection.py:318 - Connection built: host=satellite.example.com port=443 handler=/rhsm auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
      2025-12-14 13:19:36,917 [DEBUG] subscription-manager:1801:MainThread @connection.py:803 - Making request: GET /rhsm/
      2025-12-14 13:19:36,919 [DEBUG] subscription-manager:1801:MainThread @connection.py:629 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
      2025-12-14 13:19:36,925 [ERROR] subscription-manager:1801:MainThread @managercli.py:230 - Error during registration: Error loading certificate: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'
      2025-12-14 13:19:36,926 [ERROR] subscription-manager:1801:MainThread @managercli.py:231 - Error loading certificate: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'
      Traceback (most recent call last):
        File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 822, in _request
          conn.request(request_type, handler, body=body, headers=final_headers)
        File "/usr/lib64/python3.6/http/client.py", line 1273, in request
          self._send_request(method, url, body, headers, encode_chunked)
        File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
          self.endheaders(body, encode_chunked=encode_chunked)
        File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
          self._send_output(message_body, encode_chunked=encode_chunked)
        File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
          self.send(msg)
        File "/usr/lib64/python3.6/http/client.py", line 982, in send
          self.connect()
        File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
          server_hostname=server_hostname)
        File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
          _context=self, _session=session)
        File "/usr/lib64/python3.6/ssl.py", line 810, in __init__
          self.do_handshake()
        File "/usr/lib64/python3.6/ssl.py", line 1070, in do_handshake
          self._sslobj.do_handshake()
        File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
          self._sslobj.do_handshake()
      ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
      
      During handling of the above exception, another exception occurred:
      
      Traceback (most recent call last):
        File "/usr/lib64/python3.6/site-packages/rhsm/certificate2.py", line 99, in create_from_file
          pem = open(path, 'r').read()
      FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'
      
      During handling of the above exception, another exception occurred:
      
      Traceback (most recent call last):
        File "/usr/lib64/python3.6/site-packages/subscription_manager/managercli.py", line 2031, in _do_command
          environment_ids = self._process_environments(admin_cp, owner_key)
        File "/usr/lib64/python3.6/site-packages/subscription_manager/managercli.py", line 2129, in _process_environments
          supported_resources = get_supported_resources()
        File "/usr/lib64/python3.6/site-packages/subscription_manager/utils.py", line 222, in get_supported_resources
          return uep.get_supported_resources()
        File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 1106, in get_supported_resources
          self._load_supported_resources()
        File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 1094, in _load_supported_resources
          resources_list = self.conn.request_get("/")
        File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 1013, in request_get
          return self._request("GET", method, headers=headers, cert_key_pairs=cert_key_pairs)
        File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 1046, in _request
          info=info, headers=headers, cert_key_pairs=cert_key_pairs)
        File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 841, in _request
          id_cert = certificate.create_from_file(self.cert_file)
        File "/usr/lib64/python3.6/site-packages/rhsm/certificate.py", line 56, in create_from_file
          return _CertFactory().create_from_file(path)
        File "/usr/lib64/python3.6/site-packages/rhsm/certificate2.py", line 101, in create_from_file
          raise CertificateException("Error loading certificate: %s" % err)
      rhsm.certificate.CertificateException: Error loading certificate: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'
      

      What is the impact of this issue to you?

      Harder for end users to understand why their registration failed.

      Please provide the package NVR for which the bug is seen:

      subscription-manager-1.29.47.1-1.el9_7.x86_64
      subscription-manager-1.28.44-1.el8_10.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Have a host configured to be able to register to a Satellite server
      2. Move the /etc/rhsm/ca/katello*pem files to the /var/tmp/ directory
      3. Try to manually register a system with the --activationkey flag:
      subscription-manager register --activationkey <AK> --org <ORG>
      

      Expected results

      Error should indicate the CA certificate is missing, or the certificate isn't trusted by the CA that is present.

      Actual results

      Error message is about a missing cert.pem file.

              csi-client-tools-bugs CSI Client Tools Bugs Bot
              rhn-support-myoder Michael Yoder
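A triage sketch for the masking described in this report, added here and not part of subscription-manager or the original report: it walks chained tracebacks in an rhsm.log excerpt, reports the first exception of each chain as the root cause, and checks whether katello-server-ca.pem appears in the "Loaded CA certificates" line. The function names and the sample log (abridged from the log above) are assumptions.

```python
import re

CHAIN_MARK = "During handling of the above exception, another exception occurred:"
CA_LINE = re.compile(r"Loaded CA certificates from (\S+): (.*)$", re.M)

# Constructed sample: abridged from the rhsm.log layout shown in the report.
SAMPLE_LOG = """\
2025-12-14 13:19:36,919 [DEBUG] subscription-manager:1801:MainThread @connection.py:629 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
Traceback (most recent call last):
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/rhsm/certificate2.py", line 101, in create_from_file
    raise CertificateException("Error loading certificate: %s" % err)
rhsm.certificate.CertificateException: Error loading certificate: [Errno 2] No such file or directory: '/etc/pki/consumer/cert.pem'
"""


def exception_chains(text):
    """Group chained tracebacks; each chain lists exception lines, root cause first."""
    chains, header_indent, chained = [], None, False
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if line == "Traceback (most recent call last):":
            if not (chained and chains):
                chains.append([])  # no chain marker seen: a new, unrelated failure
            header_indent, chained = indent, False
        elif line == CHAIN_MARK:
            chained = True
        elif line and header_indent is not None and indent <= header_indent:
            chains[-1].append(line)  # frames are indented deeper than the header
            header_indent = None
    return chains


def diagnose(text, expected_ca="katello-server-ca.pem"):
    """Flag chains where a TLS verification failure hides behind a later error."""
    loaded = [n.strip() for m in CA_LINE.finditer(text) for n in m.group(2).split(",")]
    tls = "CERTIFICATE_VERIFY_FAILED"
    return [{
        "root_cause": chain[0],
        "reported": chain[-1],
        "masked_tls_failure": tls in chain[0] and tls not in chain[-1],
        "expected_ca_loaded": expected_ca in loaded,
    } for chain in exception_chains(text) if chain]
```

Calling `diagnose()` on the text of /var/log/rhsm/rhsm.log gives one finding per failure; a finding with `masked_tls_failure` true and `expected_ca_loaded` false matches the situation in this report.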