Using the rct tool to troubleshoot Red Hat Subscription Management issues

The introduction of Red Hat Subscription Management (RHSM) provided a new way of registering and updating Red Hat Enterprise Linux systems, offering granular control and more precise reporting. At its foundation is a series of X.509 certificates that identify systems and entitle them to specific repositories through a Candlepin-based server.

To help troubleshoot these X.509 certificates and make them easier to inspect, the Candlepin team introduced a new tool, rct, for quickly reviewing content certificates. This tool is provided with every system eligible to register with Red Hat Subscription Manager.

The rct tool offers two primary functions, or sub-commands, which quickly print the contents of, or statistics for, any X.509-based certificate.

[root@example /etc/pki]# rct
Usage: rct MODULE-NAME [MODULE-OPTIONS] [--help]

Primary Modules:

  cat-cert       Print certificate information
  stat-cert      Print certificate statistics and sizes

With RHSM there are 4 primary types of certificates that are involved with subscribing a machine successfully to the Red Hat Network:

  • Product Certificates

    • Specifies which products are present on a system
    • RHSM stores these certificates by default in /etc/pki/product
  • Entitlement Certificates

    • Specifies what repositories a subscribed system has access to
    • RHSM stores these certificates by default in /etc/pki/entitlement
  • Identity Certificates

    • Specifies the unique consumer identity of the registered machine
    • RHSM stores these certificates by default in /etc/pki/consumer
  • The Certificate Authority (CA) directory, by default /etc/rhsm/ca

Reviewing product certificates

Upon installation from Red Hat provided media, a product key for eligible RHSM systems is installed to /etc/pki/product/:

[root@example ~]# rct cat-cert /etc/pki/product/69.pem

+-------------------------------------------+
	Product Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/product/69.pem
	Version: 1.0
	Serial: 12750047592154745686
	Start Date: 2012-01-11 17:27:57+00:00
	End Date: 2032-01-06 17:27:57+00:00

Subject:
	CN: Red Hat Product ID [fa69e078-b713-4986-829a-23d36f276d57]

Product:
	ID: 69
	Name: Red Hat Enterprise Linux Server
	Version: 6.3
	Arch: x86_64
	Tags: rhel-6,rhel-6-server

[root@example ~]# rct stat-cert /etc/pki/product/69.pem
Type: Product Certificate
Version: 1.0
DER size: 1553b

This product key identifies what product repositories a system is eligible for updating against after registration, based on the 'Tags' field.

Reviewing identity certificates

When registering a system with the command subscription-manager register, the tool generates a consumer cert file in /etc/pki/consumer:

[root@example ~]# rct cat-cert /etc/pki/consumer/cert.pem

+-------------------------------------------+
	Identity Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/consumer/cert.pem
	Version: 1.0
	Serial: 5863554315491516259
	Start Date: 2013-07-17 15:15:42+00:00
	End Date: 2014-07-17 15:15:42+00:00
	Alt Name: DirName:/CN=example.redhat.com

Subject:
	CN: 70bdf1bb-ba51-42c0-b770-dcb2b33a79b0

Reviewing subscription certificates

Once a subscription is attached, it will generate an entitlement certificate which is stored in /etc/pki/entitlement:

[root@example ~]# rct cat-cert /etc/pki/entitlement/2098764898246035669.pem

+-------------------------------------------+
	Entitlement Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/entitlement/2098764898246035669.pem
	Version: 3.2
	Serial: 2098764898246035669
	Start Date: 2013-11-04 05:00:00+00:00
	End Date: 2013-12-04 04:59:59+00:00

Subject:
	CN: 8a85f9824223d33f014225f4ed664c5e

Product:
	ID: 180
	Name: Red Hat Beta
	Version:
	Arch: x86_64,ppc64,ia64,ppc,s390,x86,s390x
	Tags:

Product:
	ID: 205
	Name: Red Hat Software Collections Beta (for RHEL Server)
	Version:
	Arch: x86_64
	Tags:

Product:
	ID: 69
	Name: Red Hat Enterprise Linux Server
	Version:
	Arch: x86_64,ia64,x86
	Tags:

Order:
	Name: 30 Day Self-Supported Red Hat Enterprise Linux Server, (2 sockets) (Up to 1 guest) Evaluation
	Number:
	SKU: RH0000000
	Contract: 000000
	Account: 123412341234
	Service Level: SELF-SUPPORT
	Service Type: L1-L3
	Quantity: 1
	Quantity Used: 1
	Socket Limit: 2
	RAM Limit:
	Virt Limit:
	Virt Only: True
	Subscription:
	Stacking ID:
	Warning Period: 0
	Provides Management: False

Content:
	Type: yum
	Name: Red Hat Enterprise Linux 6 Server (RPMs)
	Label: rhel-6-server-rpms
	Vendor: Red Hat
	URL: /content/dist/rhel/server/6/$releasever/$basearch/os
	GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
	Enabled: True
	Expires: 86400
	Required Tags: rhel-6-server
...
  • The content certificate is broken into several important areas:
    • Certificate provides information on the certificate itself, such as absolute path, expiration date, and version number
    • Product lists the products covered by this certificate, where the ID should match the filenames under /etc/pki/product
    • Order provides information about the order that provided this subscription
    • Content provides what repositories are provided by the certificate along with the relevant metadata
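
The Tags and Required Tags fields shown above can be checked against each other from the rct cat-cert output. The following is an added example, not part of the original article or of rct itself; the function names are hypothetical, the sample input is constructed, and it assumes a content set is usable only when every one of its Required Tags appears in the installed product certificate's Tags.

```shell
#!/bin/sh
# Added example: helpers that read `rct cat-cert` text on stdin (names are hypothetical).

# Print the value of the first "Key: value" line whose key is $1.
rct_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ":") == 1 { sub(/^[^:]*:[ \t]*/, "", line); print line; exit }'
}

# Exit 0 when End Date is earlier than $1 ("YYYY-MM-DD HH:MM:SS", UTC).
# Assumes the +00:00 offset shown above, so timestamps sort as strings.
rct_expired() {
    end=$(rct_field "End Date" | cut -c1-19)
    [ -n "$end" ] || return 2
    awk -v a="$end" -v b="$1" 'BEGIN { exit !((a "") < (b "")) }'
}

# Print the Label of each Content block with a Required Tag that is missing
# from $1, the comma-separated Tags of the installed product certificate.
rct_unmatched_content() {
    awk -v have="$1" '
        BEGIN { n = split(have, t, ","); for (i = 1; i <= n; i++) tags[t[i]] = 1 }
        { sub(/^[ \t]+/, "") }
        /^Label:/ { label = $0; sub(/^Label:[ \t]*/, "", label) }
        /^Required Tags:/ {
            req = $0; sub(/^Required Tags:[ \t]*/, "", req); gsub(/[ \t]/, "", req)
            m = split(req, r, ",")
            for (i = 1; i <= m; i++) if (!(r[i] in tags)) { print label; break }
        }'
}

# Constructed sample: abridged from the output above, plus one made-up
# content set (example-workstation-rpms) that the product tags do not cover.
sample_entitlement() {
    cat <<'EOF'
Certificate:
    End Date: 2013-12-04 04:59:59+00:00
Content:
    Label: rhel-6-server-rpms
    Required Tags: rhel-6-server
Content:
    Label: example-workstation-rpms
    Required Tags: example-workstation
EOF
}

# Tags taken from /etc/pki/product/69.pem as printed earlier in the article.
sample_entitlement | rct_unmatched_content "rhel-6,rhel-6-server"
```

On a registered host, pipe the output of rct cat-cert for an entitlement certificate into these functions in place of sample_entitlement. An expired End Date or an unmatched label both mean the host is not receiving updates from that repository.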

To quickly ascertain the number of content sets provided by a cert, the stat-cert command can be used:

[root@example ~]# rct stat-cert /etc/pki/entitlement/2098764898246035669.pem
Type: Entitlement Certificate
Version: 3.2
DER size: 1739b
Subject Key ID size: 20b
Content sets: 100