...
Description of problem:
Keycloak/Token auth is in subscription-manager, but does not work due to certificate verification errors.

Version-Release number of selected component (if applicable):
subscription-manager-1.29.29-1.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. `subscription-manager register --token ${token}` (need a properly formatted token, or other failures occur)
2.
3.

Actual results:
[root@crag cdonnell]# subscription-manager register --token= {xxxxxxx}
Making request: subscription.rhsm.redhat.com:443 GET /subscription/status
{'Content-type': 'application/json', 'Accept': 'application/json', 'x-subscription-manager-version': '1.29.21-2.fc36', 'X-Correlation-ID': '767f3eca29ea4cffa42ac68e2d837f1c', 'Accept-Language': 'en-us', 'User-Agent': 'RHSM/1.0 (cmd=subscription-manager) subscription-manager/1.29.21-2.fc36', 'Content-Length': '0'}
200 {'Server': 'openresty', 'Date': 'Fri, 05 Aug 2022 15:42:33 GMT', 'Content-Type': 'application/json', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=30', 'x-candlepin-request-uuid': '6f584d48-e6cf-4027-9c6b-e8f130d4c6ac', 'x-version': '4.0.18-3'}
{"mode":"NORMAL","modeReason":null,"modeChangeTime":null,"result":true,"version":"4.0.18","rulesVersion":"5.41","release":"3","standalone":false,"timeUTC":"2022-08-05T15:42:33+0000","rulesSource":"default","keycloakRealm":"redhat-external","keycloakAuthUrl":"https://sso.redhat.com/auth","keycloakResource":"cloud-services","managerCapabilities":["keycloak_auth","cloud_registration","instance_multiplier","derived_product","vcpu","cert_v3","hypervisors_heartbeat","remove_by_pool_id","syspurpose","storage_band","cores","ssl_verify_status","hypervisors_async","org_level_content_access","guest_limit","ram","batch_bind","combined_reporting"]}
Making request: subscription.rhsm.redhat.com:443 GET /subscription/status
{'Content-type': 'application/json', 'Accept': 'application/json', 'x-subscription-manager-version': '1.29.21-2.fc36', 'X-Correlation-ID': '767f3eca29ea4cffa42ac68e2d837f1c', 'Accept-Language': 'en-us', 'User-Agent': 'RHSM/1.0 (cmd=subscription-manager) subscription-manager/1.29.21-2.fc36', 'Content-Length': '0'}
200 {'Server': 'openresty', 'Date': 'Fri, 05 Aug 2022 15:42:33 GMT', 'Content-Type': 'application/json', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=30', 'x-candlepin-request-uuid': 'f5d39941-c121-4357-bd30-77a42b824f9a', 'x-version': '4.0.18-3'}
{"mode":"NORMAL","modeReason":null,"modeChangeTime":null,"result":true,"version":"4.0.18","rulesVersion":"5.41","release":"3","standalone":false,"timeUTC":"2022-08-05T15:42:33+0000","rulesSource":"default","keycloakRealm":"redhat-external","keycloakAuthUrl":"https://sso.redhat.com/auth","keycloakResource":"cloud-services","managerCapabilities":["keycloak_auth","cloud_registration","instance_multiplier","derived_product","vcpu","cert_v3","hypervisors_heartbeat","remove_by_pool_id","syspurpose","storage_band","cores","ssl_verify_status","hypervisors_async","org_level_content_access","guest_limit","ram","batch_bind","combined_reporting"]}
Making request: sso.redhat.com:443 POST /auth/realms/redhat-external/protocol/openid-connect/token
{'Content-type': 'application/x-www-form-urlencoded', 'Accept': 'application/json', 'x-subscription-manager-version': '1.29.21-2.fc36', 'Accept-Language': 'en-us', 'User-Agent': 'python-rhsm-user-agent'}
b'client_id=cloud-services&grant_type=refresh_token&refresh_token={xxxxxxx} '
Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

Expected results:
No certificate verification failures to sso.redhat.com.

Additional info:
Issue can be worked around one of two ways:
1. Run subscription-manager with --insecure / insecure = 1 in rhsm.conf
2. Link system ca-trust to /etc/rhsm/ca so that subscription-manager will load certs on system other than the self-signed CP certs:
[root@localhost pem]# cd /etc/rhsm/ca/
[root@localhost ca]# ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Obsolete
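An added diagnostic, not part of the original report and not subscription-manager's own code: it builds a verifying TLS context from only the *.pem files in a CA directory and reports which files actually load, so the second workaround can be confirmed without turning verification off. It assumes the client trusts just the contents of /etc/rhsm/ca, as that workaround implies; the function names and the constructed sample directory are hypothetical.

```python
import os
import socket
import ssl
import tempfile

def build_context(ca_dir):
    """Load every *.pem in ca_dir into a client context that still verifies."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    loaded, skipped = [], []
    for name in sorted(os.listdir(ca_dir)):
        if not name.endswith(".pem"):
            continue
        try:
            ctx.load_verify_locations(cafile=os.path.join(ca_dir, name))
            loaded.append(name)
        except (ssl.SSLError, OSError):  # not a PEM certificate, or dangling symlink
            skipped.append(name)
    return ctx, loaded, skipped

def audit(ca_dir):
    """Summarise what the directory contributes to the trust store."""
    ctx, loaded, skipped = build_context(ca_dir)
    return {
        "loaded": loaded,
        "skipped": skipped,
        "ca_count": ctx.cert_store_stats()["x509_ca"],
        "verifying": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }

def probe(host, ctx, port=443, timeout=5):
    """Return None if host verifies against ctx, else the error text (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except OSError as exc:  # ssl.SSLCertVerificationError is an OSError subclass
        return str(exc)

def constructed_dir():
    """Constructed sample: a non-certificate .pem and a dangling bundle symlink."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "broken.pem"), "w") as fh:
        fh.write("not a certificate\n")
    os.symlink(os.path.join(d, "missing.pem"), os.path.join(d, "tls-ca-bundle.pem"))
    return d

if __name__ == "__main__":
    ca_dir = "/etc/rhsm/ca" if os.path.isdir("/etc/rhsm/ca") else constructed_dir()
    print(audit(ca_dir))
    print(probe("sso.redhat.com", build_context(ca_dir)[0]) or "verified")
```

A `ca_count` that rises after the symlink is created, together with `probe` returning None for sso.redhat.com, shows the bundle is being used while certificate and hostname checks stay on.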