| Summary: | Failed to auto-regenerate identity cert | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | qianzhan |
| Component: | subscription-manager | Assignee: | candlepin-bugs |
| Status: | CLOSED WORKSFORME | QA Contact: | John Sefler <jsefler> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.8 | CC: | csnyder, qianzhan, redakkan |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-18 09:00:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
qianzhan
2016-04-14 07:44:18 UTC
Attachments 'rhsm.log' and 'rhsmcertd.log'

Created attachment 1147060
rhsm.log

Created attachment 1147061
rhsmcertd.log

The test procedure in comment 0 is wrong. By advancing the date of the client and candlepin server beyond the expiration of the consumer cert, you have passed the window of opportunity for a consumer cert to be automatically regenerated by the candlepin server. Once the identity cert expires, it is too late to communicate with the candlepin server.

Here is the candlepin.conf configuration that governs the window of automatic identity cert generation...

```
# number of days before the expiration date for a consumer cert to be automatically regenerated during an rhsmcertd update (default is 90 days)
candlepin.identityCert.expiry.threshold = 90
```

Therefore, the test procedure in comment 0 should be changed to advance the clock to a few days *before* the identity certificate end date (not after) and re-tested.

Yes, John, I can make it by your suggestion.

Still using RHEL-6.8-20160407.0 and SAM-1.4.1-RHEL-6-20141113.0:

1. Registration and checking valid date of cert.pem.

```
[root@dhcp-129-237 ~]# subscription-manager register
Registering to: samserv.redhat.com:443/sam/api
Username: admin
Password:
The system has been registered with ID: df196400-f874-4ae8-b7d8-ff06a3e50c69
[root@dhcp-129-237 ~]# subscription-manager identity
system identity: df196400-f874-4ae8-b7d8-ff06a3e50c69
name: dhcp-129-237.nay.redhat.com
org name: ACME_Corporation
org ID: ACME_Corporation
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
Start Date: 2016-04-18 08:38:11+00:00
End Date: 2032-04-18 08:38:11+00:00 < =====
```

2. Set the system dates of server and client properly:

```
[root@dhcp-129-237 ~]# date -s 20320401
Thu Apr 1 00:00:00 EDT 2032
[root@samserv ~]# date -s 20320401
Thu Apr 1 00:00:00 EDT 2032
```

3. Restart rhsmcertd service and wait 2 minutes to check cert.pem.

```
[root@dhcp-129-237 ~]# service rhsmcertd restart
Stopping rhsmcertd... [ OK ]
Starting rhsmcertd... [ OK ]
[root@dhcp-129-237 ~]# sleep 120
[root@dhcp-129-237 ~]# subscription-manager identity
system identity: df196400-f874-4ae8-b7d8-ff06a3e50c69
name: dhcp-129-237.nay.redhat.com
org name: ACME_Corporation
org ID: ACME_Corporation
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
Start Date: 2032-04-01 04:02:20+00:00 < =====
End Date: 2048-04-01 04:02:20+00:00
```

So close this bug.
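
The regeneration window discussed in this thread, as an added example (not part of the bug report and not Candlepin or subscription-manager code): it parses the `Start Date`/`End Date` lines that `rct cat-cert` prints and classifies a clock value against the `candlepin.identityCert.expiry.threshold` window. The function names, the state labels, and the inclusive treatment of the exact window boundaries are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the date lines quoted in the thread above.
SAMPLE_RCT_OUTPUT = """\
Start Date: 2016-04-18 08:38:11+00:00
End Date: 2032-04-18 08:38:11+00:00
"""

# Captures "<date> <time+offset>"; anything after it on the line is ignored.
DATE_LINE = re.compile(r"^\s*(Start|End) Date:\s*(\S+ \S+)", re.M)


def parse_validity(rct_output):
    """Return (start, end) as timezone-aware datetimes from rct cat-cert output."""
    found = {}
    for label, stamp in DATE_LINE.findall(rct_output):
        parsed = datetime.fromisoformat(stamp)
        if parsed.tzinfo is None:
            # Assumption: a stamp without an offset is UTC.
            parsed = parsed.replace(tzinfo=timezone.utc)
        found[label] = parsed
    if "Start" not in found or "End" not in found:
        raise ValueError("Start Date / End Date not found in rct output")
    return found["Start"], found["End"]


def regeneration_state(rct_output, now, threshold_days=90):
    """Classify `now` against the identity cert's regeneration window.

    threshold_days mirrors candlepin.identityCert.expiry.threshold
    (default 90 per the comment quoted in the thread).
    """
    _start, end = parse_validity(rct_output)
    window_opens = end - timedelta(days=threshold_days)
    if now >= end:
        # Per the thread: once expired, it is too late to talk to the server.
        return "expired"
    if now >= window_opens:
        # An rhsmcertd update in this range should bring back a new cert.
        return "in-window"
    return "not-due"


if __name__ == "__main__":
    # Clock value used in step 2 of the retest (00:00 EDT = 04:00 UTC).
    retest_clock = datetime(2032, 4, 1, 4, 0, tzinfo=timezone.utc)
    print(regeneration_state(SAMPLE_RCT_OUTPUT, retest_clock))
```

Feeding it the real output of `rct cat-cert /etc/pki/consumer/cert.pem` and the clock value planned for a test shows in advance whether that test lands inside the window or past expiry.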