Bug 1007662
| Summary: | Please modify rhua.py code for extending user-ca-cert.crt's expired date. | ||
|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Yoshinori Takahashi <hkim> |
| Component: | RHUA | Assignee: | dgao |
| Status: | CLOSED ERRATA | QA Contact: | Ina Panova <ipanova> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 2.1.2 | CC: | cbillett, dgao, ipanova, jmatthew, melewis, mfuruta, risantam, tsanders |
| Target Milestone: | --- | ||
| Target Release: | 2.1.3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | This update extends the duration of the RHUI generated certificate /etc/pki/rhua/user-ca-cert.crt that was configured to expire after one year. This meant that a customer would need to regenerate the certificate one year after the date of installation. The life of the certificate has been extended to twenty years so that the customer will not need to regenerate the certificate every year. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-17 20:10:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I changed the source as shown below and then ran "rhui-installer myanswer".
Before:
/usr/lib/python2.6/site-packages/rhui/rpm/rhua.py
# Create certificate
cmd = 'openssl req -new -x509 -subj "/CN=RHUI User PKI" -days 365 -key %s -out %s' % (private_key_filename, cert_filename)
LOG.info('Creating user PKI certificate [%s]' % cmd)
p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()
After:
/usr/lib/python2.6/site-packages/rhui/rpm/rhua.py
# Create certificate
cmd = 'openssl req -new -x509 -subj "/CN=RHUI User PKI" -days 3650 -key %s -out %s' % (private_key_filename, cert_filename)
LOG.info('Creating user PKI certificate [%s]' % cmd)
p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e4:1c:dc:52:26:b4:62:07
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=RHUI User PKI
Validity
Not Before: Sep 13 13:35:40 2013 GMT
Not After : Sep 11 13:35:40 2023 GMT
Subject: CN=RHUI User PKI
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Hello, I understand the issue you have filed a BZ on, we should extend the life of the 'user-ca-cert.crt'. Makes sense and we'll bump it up. commit to cloude repo: 5800bddaedf19dfcd43e73a53ca85053c3773c91
[root@test_ec2 tmp$ openssl x509 -in etc/pki/rhua/user-ca-cert.crt -text | less
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
da:76:80:bb:24:41:4e:fb
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=RHUI User PKI
Validity
Not Before: Sep 30 19:40:50 2013 GMT
Not After : Sep 28 19:40:50 2023 GMT
Looks like cert life was extended to 20 years.
commit cloude repo 789bb966f31ad48bd9e440c113598a6bc452e839
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
eb:e5:f0:f7:9f:1b:4a:ca
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=RHUI User PKI
Validity
Not Before: Nov 6 09:32:59 2013 GMT
Not After : Nov 1 09:32:59 2033 GMT
tested in
pulp-0.0.263-40.el6_5.noarch
rh-rhui-tools-2.1.28-1.el6_5.noarch
rh-rhui-tools-debug-script-2.1.28-1.el6_5.noarch
Move to Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-1854.html
Description of problem:
# openssl x509 -text -in /etc/pki/rhua/user-ca-cert.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b1:c4:bb:39:ec:39:2c:d1
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=RHUI User PKI
Validity
Not Before: Aug 26 11:00:21 2013 GMT
Not After : Aug 26 11:00:21 2014 GMT
Subject: CN=RHUI User PKI
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Update_Infrastructure/2.1/html-single/Administration_Guide/index.html#chap-Administration_Guide-Repositories

The following certificates generated by nss-db-gen have an expiration date:
/etc/pki/rhua/qpid-ca.crt
/etc/pki/rhua/qpid-client.crt
/etc/pki/rhua/user-ca-cert.crt

Actually, the above explanation is not correct: when the user modifies the VALID parameter and then rebuilds the rpm packages, user-ca-cert.crt's expiration date is only 365 days. After these days, the pulp web server's certificate stops working, and the source code below then has to be modified.

/usr/lib/python2.6/site-packages/rhui/rpm/rhua.py
# Create certificate
cmd = 'openssl req -new -x509 -subj "/CN=RHUI User PKI" -days 365 -key %s -out %s' % (private_key_filename, cert_filename)
LOG.info('Creating user PKI certificate [%s]' % cmd)
p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()

Package name is "rh-rhui-tools-2.1.19-1.el6_4.noarch".

Expected results:
Please modify the rhua.py source code for at least 4 or 5 years, or add this to the administrator doc.

Additional info:
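
An added example, not part of the bug report or of rh-rhui-tools: a Python check that parses the Validity block of `openssl x509 -text` output, computes the certificate lifetime in days so it can be compared with the `-days` value passed to `openssl req`, and reports certificates that are expired or close to expiry. The function names, the sample labels, the 90-day warning window and the 7300-day target are assumptions; the dates are copied from the outputs above.

```python
import re
from datetime import datetime, timezone

# Validity dates copied from the openssl outputs in this bug report,
# keyed by a constructed label for the certificate they came from.
SAMPLES = {
    "reported": "Not Before: Aug 26 11:00:21 2013 GMT\nNot After : Aug 26 11:00:21 2014 GMT\n",
    "sep-2013": "Not Before: Sep 30 19:40:50 2013 GMT\nNot After : Sep 28 19:40:50 2023 GMT\n",
    "nov-2013": "Not Before: Nov 6 09:32:59 2013 GMT\nNot After : Nov 1 09:32:59 2033 GMT\n",
}

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)[ \t]*$", re.MULTILINE)
_FORMAT = "%b %d %H:%M:%S %Y GMT"  # date layout used by `openssl x509 -text`


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for kind, value in _FIELD.findall(text):
        found[kind] = datetime.strptime(value, _FORMAT).replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block found")
    return found["Before"], found["After"]


def lifetime_days(text):
    """Whole days between notBefore and notAfter, i.e. the effective -days value."""
    not_before, not_after = parse_validity(text)
    return (not_after - not_before).days


def check(text, expected_days, now, warn_days=90):
    """Return a list of findings; an empty list means the certificate passes."""
    not_before, not_after = parse_validity(text)
    findings = []
    span = (not_after - not_before).days
    if span != expected_days:
        findings.append(f"lifetime is {span} days, expected {expected_days}")
    if not_after <= now:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days < warn_days:
        findings.append(f"expires in {(not_after - now).days} days")
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for label, text in SAMPLES.items():
        # 7300 = twenty 365-day years, an assumed target for this example
        print(label, lifetime_days(text), check(text, 7300, now))
```

To check an installed certificate, pass the output of `openssl x509 -text -in /etc/pki/rhua/user-ca-cert.crt` to `check()` in place of a sample string.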