Bug 1035370

Summary: x509watch should exclude further CA bundles from RHEL 6.5
Product: [Fedora] Fedora EPEL
Reporter: Robert Scheck <redhat-bugzilla>
Component: x509watch
Assignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: el6
CC: kengert, redhat-bugzilla, robert.scheck
Hardware: Unspecified
OS: Unspecified
Fixed In Version: x509watch-0.6.0-1.el6
Doc Type: Bug Fix
Last Closed: 2013-12-09 01:58:40 UTC
Type: Bug

Description Robert Scheck 2013-11-27 16:01:37 UTC
Description of problem:
Since RHEL 6.5 the x509watch cronjob notifies daily about expired root CAs
in a newly added certificate bundle (likely for the newly introduced p11-kit).
It might make sense to exclude these CA bundles - even RHEL should not ship
them, as reported in bug #1035355.

Version-Release number of selected component (if applicable):
ca-certificates-2013.1.94-65.0.el6.noarch
x509watch-0.5.0-1.el6.noarch

How reproducible:
Every time, see above and below.

Actual results:
x509watch complains daily about expired root certificates in CA bundle which
are part of ca-certificates-2013.1.94-65.0.el6.noarch.

Expected results:
x509watch should not complain about it - either because the expired certs are
removed or x509watch ignores them additionally.

Additional info:
--- /usr/bin/x509watch       2011-06-26 18:45:28.000000000 +0200
+++ /usr/bin/x509watch.rsc   2013-11-27 16:56:24.198141306 +0100
@@ -34,7 +34,7 @@
   deflt_f => [],
   openssl => "/usr/bin/openssl",
   x509ext => ["\.(pem|crt)\$"],
-  exclude => ["\/(cert\.pem|ca-bundle\.(crt|trust\.crt|pem)|ca-certificates\.crt)\$", "\.((bak|old)\$|drbdlinks\/)", "\/(demo|expired|private)\/"],
+  exclude => ["\/(cert\.pem|((email|objsign|tls)-)?ca-bundle\.(crt|trust\.crt|pem)|ca-certificates\.crt)\$", "\.((bak|old)\$|drbdlinks\/)", "\/(demo|expired|private)\/"],
   warning => 1,
   help    => 0
 );
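
Review bot: the new `((email|objsign|tls)-)?` group on the `exclude` line enumerates exactly three prefixes, so the next prefixed `ca-bundle` file that ca-certificates ships will bring the daily expiry mail back; if the intent is to skip every prefixed bundle, `([a-z]+-)?` would cover that, and otherwise a short comment saying where these three names come from would help whoever has to extend the list. The leading `\/` and trailing `\$` still confine the match to the file name, so an administrator's own certificate whose name merely contains `ca-bundle` is not silently dropped from monitoring, which is worth keeping in any rewrite. Separately, and on both the old and the new line: the patterns sit in double-quoted strings, and if this is Perl, `\.` reaches the regex engine as a bare `.` that matches any character; single-quoted strings (with `\$` written as `$`) would keep the dots literal.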

Comment 1 Fedora Update System 2013-11-29 08:02:28 UTC
x509watch-0.6.0-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/x509watch-0.6.0-1.fc20

Comment 2 Fedora Update System 2013-11-29 08:03:14 UTC
x509watch-0.6.0-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/x509watch-0.6.0-1.fc19

Comment 3 Fedora Update System 2013-11-29 08:04:05 UTC
x509watch-0.6.0-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/x509watch-0.6.0-1.fc18

Comment 4 Fedora Update System 2013-11-29 08:04:36 UTC
x509watch-0.6.0-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/x509watch-0.6.0-1.el6

Comment 5 Fedora Update System 2013-11-29 08:05:10 UTC
x509watch-0.6.0-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/x509watch-0.6.0-1.el5

Comment 6 Fedora Update System 2013-11-29 16:00:40 UTC
Package x509watch-0.6.0-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing x509watch-0.6.0-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22373/x509watch-0.6.0-1.fc20
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-12-09 01:58:40 UTC
x509watch-0.6.0-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-12-09 02:04:24 UTC
x509watch-0.6.0-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-12-14 03:28:18 UTC
x509watch-0.6.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-12-15 20:24:17 UTC
x509watch-0.6.0-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-12-15 20:24:27 UTC
x509watch-0.6.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.