Stuck in RHSM Download Plugin Quicksand

So before I begin I should ask the following question to make sure I don’t keep wasting a lot of time:

Are there any Red Hat subscriptions that can NOT be used with the RHSN download plugin? For example: I have one called “Red Hat Enterprise Linux Developer Suite” which essentially just allows me to register about 100 virtual systems during the course of my testing and so on.

The reason I ask that question is because in the course of the last 8 hours or so I have read countless forum articles and posts whose screenshots don’t look like what I see in my subscription manager Portal on Redhat.

I’ve tried:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Using%20the%20Red%20Hat%20Subscription%20Management%20(RHSM)%20download%20plug-in

But when I get down to the part where I have to download the “identity certificate” I don’t see any such option on any of my Red Hat Subscription Portal pages.

And just like that I’ve tried several other guides to setting this up. I can only assume that I’m missing some key section of information because I refuse to believe that patching Red Hat on BigFix went from (literally) a two-step process using the old RHN to a 32-page booklet where you have to generate and import your own CA certificates.

I realize that RedHat was the one that changed the way they work, but I still think I’m missing something.

The one constant is that no matter what I do, in the RHSMPlugin.log, I always get the line:
DEBUG: key and cert for requested repo not found.

Below is a snippet from the latest log:

2017-02-06 23:42:38 : DEBUG : Key and cert for requested repo not found.
2017-02-06 23:42:38 : DEBUG : Handling download exception
Traceback (most recent call last):
File “util.py”, line 19, in retry_with_new_input
File “rhel\rheldownloader.py”, line 85, in download_with_key_cert
ValueError: SSL key is None
2017-02-06 23:42:38 : DEBUG : Key ‘None’, cert 'None’
2017-02-06 23:42:38 : INFO : Download failed. Will retry.
2017-02-06 23:42:38 : DEBUG : Getting URL for aHR0cHM6Ly9jZG4ucmVkaGF0LmNvbS9jb250ZW50L2Rpc3QvcmhlbC9jbGllbnQvNy83Q2xpZW50L3g4Nl82NC9vcmFjbGUtamF2YS9vcy8=, repodata/repomd.xml.
2017-02-06 23:42:38 : DEBUG : repo base: https://cdn.redhat.com/content/dist/rhel/client/7/7Client/x86_64/oracle-java/os/
2017-02-06 23:42:38 : DEBUG : Looking for certs in C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\certs
2017-02-06 23:42:38 : DEBUG : Found key C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\certs\cert_set_2\7136022195266283712-key.pem
2017-02-06 23:42:38 : DEBUG : Found cert C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\certs\cert_set_2\7136022195266283712.pem
2017-02-06 23:42:38 : DEBUG : Trying key: C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\certs\cert_set_2\7136022195266283712-key.pem, cert: C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\certs\cert_set_2\7136022195266283712.pem
2017-02-06 23:42:38 : DEBUG : Getting url https://cdn.redhat.com/content/dist/rhel/client/7/7Client/x86_64/oracle-java/os/repodata/repomd.xml.
2017-02-06 23:42:38 : DEBUG : Setting up SSL with cert ‘C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\certs\cert_set_2\7136022195266283712.pem’, key ‘C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\certs\cert_set_2\7136022195266283712-key.pem’.
2017-02-06 23:42:38 : DEBUG : Creating SSL context.
2017-02-06 23:42:38 : WARNING : Download failed with an exception for URL https://cdn.redhat.com/content/dist/rhel/client/7/7Client/x86_64/oracle-java/os/repodata/repomd.xml.
2017-02-06 23:42:38 : DEBUG : Exception

I’m open to suggestions at this point.

1. “But when I get down to the part where I have to download the “identity certificate” I don’t see any such option on any of my Red Hat Subscription Portal pages.”

This is likely due to not having the correct Red Hat user rights to download the identity certificate. We’re looking further into this and will get back to you.

2. Are there any Red Hat subscriptions that can NOT be used with the RHSN download plugin?
The only subscription that has caused issue so far is the “Red Hat Enterprise Linux for Virtual Datacenters”.

As for the subscription you should use, it will depend on the list of products under that subscription. The product associated with each subscription varies with each user.

The best way we’ve found to check what products a subscription covers is to do the following steps:

  1. Attach a subscription to a “system”.
  2. Click View on the Entitlement certificate column in the Attached subscription tab. For more information, see https://access.redhat.com/management/consumers?type=system.
  3. In the Product tab, you should see the following line and a list of products.
    For example:

The following products are included in this subscription :
Red Hat Enterprise Linux Server

You’ll need either one or all of these products on the attached subscription depending
on the endpoints that you want to patch:

  • Red Hat Enterprise Linux Server
  • Red Hat Enterprise Linux Desktop
  • Red Hat Enterprise Linux Workstation

You can unattach the subscriptions that don’t have any of these products.

Once the correct subscription with the required products is attached, you can proceed to download the entitlement certificates and system identity certificates.

3. Error in the RHSMPlugin.log.
Can you try Check #7 in the troubleshooting checklist from the wiki? We’re also looking into solutions to avoid log entries which are not useful/necessary.

CHECK 7: ERROR messages in RHSMPlugin.log

RHSMPlugin.log can be found here:
<BES_Server>\DownloadPlugins\RHSMProtocol\logs

In the logs you may find an error like this:

ERROR : All Key and Cert pairs in ‘rootCertDir’ cannot access:
https://cdn.redhat.com/content/dist/rhel/client/7/7Client/x86_64/os/repodata/repomd.xml

This error message means that RHSMplugin was not able to access RedHat’s
Client 7 Repo (“rhel/client/7/7Client/x86_64/os”).

First, confirm if you need to deploy patches to RHEL Client 7 machines:
(a) If you don’t need to deploy patches to any such endpoints, you may safely ignore this message. This leads to the question: Why does the Plugin try to access a Repo it does not need for patch deployment?

Explanation: This happens when the same package is found in multiple Repos. This will prompt the plug-in to access all the Repos that the package is located in. When the plug-in tries to access a Repo it does not have access to (due to a lack of entitlement of the Entitlement Certificate) it will then log such an error.

As long as the plugin is able to access any one of the repositories that contain the package, it will have the package and patch deployment will succeed. Therefore, such errors can be safely ignored.

More technical explanation: This is due to the client script nohash limitation:
(http://www.ibm.com/support/knowledgecenter/SS2TKN_9.5.0/com.ibm.bigfix.doc/Platform/Action/c_add_nohash_prefetch_item.html)
It is something that the RHSMPlugin cannot avoid.

(b) If the error message is associated with a repository (“server/7/7Server/x86_64/os”) that you need for your patch deployment.
For example, if you have a RHEL 7 Server endpoint that requires patching and you encounter this error:

ERROR : All Key and Cert pairs in ‘rootCertDir’ cannot access:
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml

This could be due to a few reasons:
(a) The Certificates have expired or were revoked.
(b) Required subscriptions were not properly attached when Registering the System through RedHat.
(c) Network / Proxy is blocking the RHSMPlugin.exe from accessing the Repos.

Solution:
(a) Refer to CHECK 5: Entitlement Certificates and System Identity Certificate are not expired
(b) Refer to CHECK 4: Entitlement Certificates have the correct Subscriptions (Entitlements) attached
(c) Network / Proxy issues are harder to diagnose. You will need to confirm that your network firewall or proxy isn’t blocking the RHSMPlugin.exe. Failing that, you will need to open a Support issue.

As regards the shift from username/password, we understand where you’re coming from. It is a common pain point for many users. We are considering updates that might automate this. You might want to open an RFE to make a case for higher development priority.

Hope this helps get you out of the quicksand. Let us know how it goes and if you need more help.

1 Like
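
The case (a) / case (b) decision from CHECK 7, as an added example that is not part of the original post or the plug-in's own code: it scans RHSMPlugin.log text for the "cannot access" errors and marks each repository as ignorable or worth investigating. The sample log is constructed from the lines quoted in this thread, and the `needed` set of (variant, major version) pairs is this example's own assumption.

```python
import re

# Constructed sample in the RHSMPlugin.log layout quoted in this thread.
SAMPLE_LOG = """\
2017-02-06 23:42:38 : DEBUG : Key and cert for requested repo not found.
2017-02-06 23:42:39 : ERROR : All Key and Cert pairs in 'rootCertDir' cannot access:
https://cdn.redhat.com/content/dist/rhel/client/7/7Client/x86_64/os/repodata/repomd.xml
2017-02-06 23:42:40 : INFO : Download failed. Will retry.
2017-02-06 23:42:41 : ERROR : All Key and Cert pairs in 'rootCertDir' cannot access:
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
"""

# The URL may follow the message on the same line or on the next one.
ERROR_RE = re.compile(
    r"ERROR : All Key and Cert pairs in .*? cannot access:\s*(https://\S+)")
REPO_RE = re.compile(r"/content/dist/rhel/(?P<variant>[a-z]+)/(?P<major>\d+)/")

def failed_repos(log_text):
    """Return each URL that no key/cert pair could reach, once, in log order."""
    seen = []
    for url in ERROR_RE.findall(log_text):
        if url not in seen:
            seen.append(url)
    return seen

def triage(log_text, needed):
    """Split failures into CHECK 7 case (a) 'ignore' and case (b) 'investigate'.

    needed: set of (variant, major) pairs for the endpoints you patch,
    e.g. {("server", "7")}. This parameter is an assumption of the example.
    """
    results = []
    for url in failed_repos(log_text):
        m = REPO_RE.search(url)
        key = (m.group("variant"), m.group("major")) if m else None
        if key is None:
            action = "investigate: unrecognised repo URL"
        elif key in needed:
            action = "investigate: CHECK 5 (expiry), CHECK 4 (subscriptions), proxy"
        else:
            action = "ignore: repo not needed for your endpoints"
        results.append((url, key, action))
    return results

if __name__ == "__main__":
    for url, key, action in triage(SAMPLE_LOG, {("server", "7")}):
        print(key, "->", action)
        print("   ", url)
```
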

Hi again, mxc0bbn.

Regarding the part about not being able to see the option to download the identity certificate, here’s a Red Hat doc link about user access permissions:
https://access.redhat.com/documentation/en-US/Red_Hat_Customer_Portal/1/html-single/Managing_RHN_User_Access/index.html#sect-Managing_RHN_User_Access-Changing_Settings.

== RESOLVED ==

So it turns out that the new Red Hat User Portal Interface does not have the link to download the identity certificate.

When I recently logged into my Red Hat Customer Portal I noticed they have a blue “Try the new Subscription Interface” button at the top right of the page. I figured I’d better start using it to become familiar with it before they sunset the old interface. As it turns out the new interface does not have the link to download the identity certificates.

Today I was working with a customer and decided to ask him how he downloaded his id cert. As he walked me through the process in the old interface I remembered I was using the new one. I reverted to the old interface and found the download link for the id cert.

Lastly, as you correctly pointed out, the log entries indicating that the Cert/Key pairs were not able to access a specific repo were irrelevant, as I was not downloading anything from that repo. It just seemed weird that I was getting that error at the same time that I could not add the appropriate certificates to the cert store.

So, in conclusion, problem resolved.

Thank you for your guidance.

M.