Bug 1419576

Summary: [RFE] Set certificate start time to one hour before current time instead of current time.
Product: [Community] Candlepin
Reporter: Stephen Benjamin <stbenjam>
Component: candlepin
Assignee: William Poteat <wpoteat>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Docs Contact:
Priority: high
Version: 2.0
CC: bcourt, chrobert, csnyder, jsherril, redakkan, skallesh, stbenjam, vrjain, wpoteat
Target Milestone: ---
Keywords: Triaged
Target Release: 2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: candlepin-2.0.30-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-22 18:12:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1214240

Description Stephen Benjamin 2017-02-06 14:44:23 UTC
For Satellite, we issue all certificates from a Candlepin instance running on the main server; however, we end up verifying the certificates on the capsule through an RHSM proxy.

When using subscription-manager to register a host, and if the Satellite and Capsule do not have *exact* time synchronization, then the subscription-manager register request succeeds, the client gets issued a certificate, and then it tries almost immediately to make a second connection using its new client certificate and fails.

Because of how the capsule is set up, we do the verification on the certificate there - and if the capsule's time is slightly behind the satellite, then the capsule thinks the certificate isn't valid yet, i.e. it's issued for a future time. This happens even with a couple of seconds difference.

Would it be possible to issue these certificates at the start of the day?

Comment 1 Chris Snyder 2017-02-06 15:35:22 UTC
Would issuing the certificates 1 hour before the current time be sufficient to accommodate capsule time skew? Starting on the beginning of the day every day would result in this issue occurring again once a day.

Comment 2 Stephen Benjamin 2017-02-06 15:38:10 UTC
They'd have to run subscription-manager within a few seconds of 00:00 to cause the problem, but I guess that could still be an issue. An hour before would work perfectly. If you'd rather not hard-code something, maybe we could have Katello send the start time for the cert in the API call.
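
The three start-time policies discussed in this thread (current time, start of day, one hour earlier), modeled as an added example that is not Candlepin's code and not part of the original comments. The function names, the 1-second client delay and the timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

BACKDATE = timedelta(hours=1)        # offset proposed in the thread
CLIENT_DELAY = timedelta(seconds=1)  # assumed gap between issuance and first use


def not_before(issued_at, policy):
    """Certificate start time under each policy raised in the thread."""
    if policy == "now":
        return issued_at
    if policy == "start_of_day":
        return issued_at.replace(hour=0, minute=0, second=0, microsecond=0)
    if policy == "minus_1h":
        return issued_at - BACKDATE
    raise ValueError(f"unknown policy: {policy}")


def accepted(issued_at, policy, verifier_skew, delay=CLIENT_DELAY):
    """True if a verifier whose clock is offset by verifier_skew from the
    issuer (negative = verifier is behind) sees the certificate as already
    valid when the client presents it `delay` after issuance."""
    verifier_now = issued_at + delay + verifier_skew
    return verifier_now >= not_before(issued_at, policy)


def max_tolerated_lag(issued_at, policy, delay=CLIENT_DELAY):
    """Largest amount the verifier clock may lag the issuer before the
    freshly issued certificate is rejected as not yet valid."""
    return issued_at + delay - not_before(issued_at, policy)


# Constructed sample issuance times (UTC), not taken from the bug report.
MIDDAY = datetime(2017, 2, 6, 12, 0, 0, tzinfo=timezone.utc)
NEAR_MIDNIGHT = datetime(2017, 2, 6, 0, 0, 2, tzinfo=timezone.utc)
LAG_5S = timedelta(seconds=-5)  # verifier clock 5 seconds behind the issuer


def compare(issued_at, skew=LAG_5S):
    """Map each policy to whether the lagging verifier accepts the cert."""
    return {p: accepted(issued_at, p, skew)
            for p in ("now", "start_of_day", "minus_1h")}


if __name__ == "__main__":
    for label, t in (("midday", MIDDAY), ("near midnight", NEAR_MIDNIGHT)):
        print(label, compare(t))
        for p in ("now", "start_of_day", "minus_1h"):
            print("  ", p, "tolerates lag up to", max_tolerated_lag(t, p))
```
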

Comment 4 Kevin Howell 2017-02-20 15:04:30 UTC
*** Bug 1423768 has been marked as a duplicate of this bug. ***

Comment 6 Barnaby Court 2017-02-23 15:22:25 UTC
For temporary guest subscriptions the entitlement cert would start 1 hour before registration time instead of at the registration time. The end time remains unchanged.

Comment 7 William Poteat 2017-03-10 18:36:22 UTC
Pending change https://github.com/candlepin/candlepin/pull/1493

Comment 8 William Poteat 2017-03-27 19:07:16 UTC
Master commit 9302c8f57f37dd5ec3c4020770ac1675a87d99ba

Comment 9 Nikos Moumoulidis 2021-03-18 11:24:50 UTC
*** Bug 1187662 has been marked as a duplicate of this bug. ***