Bug 1789654 (sat6-y2k20)

Summary: Custom products created after JAN-2020 can't be consumed by hosts
Product: Red Hat Satellite Reporter: matt jia <mjia>
Component: Content ManagementAssignee: Justin Sherrill <jsherril>
Status: CLOSED ERRATA QA Contact: jcallaha
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.6.0CC: ajambhul, akarimi, alexandre.chanu, amasolov, arahaman, baptiste.agasse, blka.sg311.sgw, bshahu, christian.klier, daobrien, dcarmich, dchaudha, dhjoshi, dsynk, gpadholi, gspurgeon, hajek, hyu, jfrancoa, jkrajice, jsherril, kagarwal, kechoi, kkinge, ktordeur, kupadhya, ldelouw, linuxteam, mario.teetzen, mkalyat, mkeir, mmccune, momran, mortsa, mschibli, pcreech, pdwyer, rajukuma, ramesh.daryani, rcavalca, riemer, sadas, saydas, sbognann, smajumda, susalvi, swachira, swadeley, vdeshpan, vmeghana, vvasilev, will_darton, yann.lopez, zhunting
Target Milestone: 6.7.0Keywords: Triaged
Target Release: UnusedFlags: jfrancoa: needinfo? (vdeshpan)
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: tfm-rubygem-katello-3.14.0.4-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1789886 1789887 1789888 (view as bug list) Environment:
Last Closed: 2020-04-14 13:28:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description matt jia 2020-01-10 02:03:00 UTC
Description of problem:

When adding a new custom product into Satellite, it is not available to the content hosts.

Version-Release number of selected component (if applicable):

Easy


How reproducible:

Steps to Reproduce:
1. Create a new custom product
2. Attach its subscription to a content host
2. Login to the host and run:

subscription-refresh
subscription-manager list --consumed

Actual results:

The subscription of the custom product is not consumed by the host


Expected results:

The subscription of the custom product should be consumed by the host


Additional info:

The issue is caused by the expiry date of the subscription. It is set as 2050-01-02 11:40:40 +1000. According to this code

https://github.com/candlepin/candlepin/blob/5b87865f304555c112982af4fbc83a1c463d37b2/server/src/main/java/org/candlepin/model/UeberCertificateGenerator.java#L263

No certificate is issued thus none of the hosts can consume that subscription.

Comment 4 Alexey Masolov 2020-01-10 02:41:00 UTC
According to RFC 5280 for x.509 PKI certificates: 

   CAs conforming to this profile MUST always encode certificate
   validity dates through the year 2049 as UTCTime; certificate validity
   dates in 2050 or later MUST be encoded as GeneralizedTime.
   Conforming applications MUST be able to process validity dates that
   are encoded in either UTCTime or GeneralizedTime.

   The validity period for a certificate is the period of time from
   notBefore through notAfter, inclusive.

Seems like subscription-manager (python-rhsm) might use only UTCTime so it can't consume certificates with expiration dates later than 2050. Since new custom products in Satellite get certificates with +30 years validity, all custom products created in 2020 might be not accessible by clients. 

The workaround would be publishing repository content over HTTP and consuming directly or changing expiration date in the db, running Katello reimport and subscription-manager refresh on the clients.

Comment 10 Bryan Kearney 2020-01-10 15:04:37 UTC
Upstream bug assigned to jsherril

Comment 11 Bryan Kearney 2020-01-10 15:04:39 UTC
Upstream bug assigned to jsherril

Comment 14 Mike McCune 2020-01-10 21:00:13 UTC
We are working on a fix for this BZ that will land in 6.4, 6.5 and 6.6

Comment 16 jcallaha 2020-01-24 21:46:43 UTC
Verified in Satellite 6.7 Snap 9

After creating a custom product/repo, the host was able to successfully consume the subscription and all repository details are in place.

[root@prehost ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# *** This file is auto-generated.  Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
#
# If this file is empty and this system is subscribed consider 
# a "yum repolist" to refresh available repos
#

[Default_Organization_custom_test]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/4734746291144165060.pem
baseurl = https://my.sat.host/pulp/repos/Default_Organization/Library/custom/custom/test
sslverify = 1
name = test
sslclientkey = /etc/pki/entitlement/4734746291144165060-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

Comment 23 Vedashree Deshpande 2020-03-03 17:18:37 UTC
Hello, 

I have a customer, he is on Satellite 6.6.2 and seems that he has applied the patch 6.6: https://bugzilla.redhat.com/show_bug.cgi?id=1789888
but yet he is facing the same issue. 

Is there anyone else facing it even after applying the patch? Also, when he created a custom product with end date 2049/12/01 00:00:00, so the script does not help in this case. 

Can someone look into this?

Comment 30 errata-xmlrpc 2020-04-14 13:28:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454