Bug 1789654 (sat6-y2k20)
Summary: | Custom products created after JAN-2020 can't be consumed by hosts | |||
---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | matt jia <mjia> | |
Component: | Content Management | Assignee: | Justin Sherrill <jsherril> | |
Status: | CLOSED ERRATA | QA Contact: | jcallaha | |
Severity: | urgent | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 6.6.0 | CC: | ajambhul, akarimi, alexandre.chanu, amasolov, arahaman, baptiste.agasse, blka.sg311.sgw, bshahu, christian.klier, daobrien, dcarmich, dchaudha, dhjoshi, dsynk, gpadholi, gspurgeon, hajek, hyu, jfrancoa, jkrajice, jsherril, kagarwal, kechoi, kkinge, ktordeur, kupadhya, ldelouw, linuxteam, mario.teetzen, mkalyat, mkeir, mmccune, momran, mortsa, mschibli, pcreech, pdwyer, rajukuma, ramesh.daryani, rcavalca, riemer, sadas, saydas, sbognann, smajumda, susalvi, swachira, swadeley, vdeshpan, vmeghana, vvasilev, will_darton, yann.lopez, zhunting | |
Target Milestone: | 6.7.0 | Keywords: | Triaged | |
Target Release: | Unused | Flags: | jfrancoa: needinfo? (vdeshpan) | |
Hardware: | All | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | tfm-rubygem-katello-3.14.0.4-1 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1789886 1789887 1789888 | Environment: | ||
Last Closed: | 2020-04-14 13:28:29 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
matt jia
2020-01-10 02:03:00 UTC
According to RFC 5280 for X.509 PKI certificates:

CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime. Conforming applications MUST be able to process validity dates that are encoded in either UTCTime or GeneralizedTime. The validity period for a certificate is the period of time from notBefore through notAfter, inclusive.

Seems like subscription-manager (python-rhsm) might use only UTCTime so it can't consume certificates with expiration dates later than 2050. Since new custom products in Satellite get certificates with +30 years validity, all custom products created in 2020 might not be accessible by clients.

The workaround would be publishing repository content over HTTP and consuming directly or changing expiration date in the db, running Katello reimport and subscription-manager refresh on the clients.

Upstream bug assigned to jsherril

We are working on a fix for this BZ that will land in 6.4, 6.5 and 6.6

Verified in Satellite 6.7 Snap 9

After creating a custom product/repo, the host was able to successfully consume the subscription and all repository details are in place.

```
[root@prehost ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# *** This file is auto-generated. Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#
[Default_Organization_custom_test]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/4734746291144165060.pem
baseurl = https://my.sat.host/pulp/repos/Default_Organization/Library/custom/custom/test
sslverify = 1
name = test
sslclientkey = /etc/pki/entitlement/4734746291144165060-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1
```

Hello, I have a customer, he is on Satellite 6.6.2 and it seems that he has applied the 6.6 patch: https://bugzilla.redhat.com/show_bug.cgi?id=1789888 but yet he is facing the same issue. Is there anyone else facing it even after applying the patch? Also, he created a custom product with end date 2049/12/01 00:00:00, so the script does not help in this case. Can someone look into this?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454
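The RFC 5280 encoding rule quoted in the description, as an added Python example that is not code from Satellite, Katello or subscription-manager: it DER-encodes a `notAfter` date, parses it back, and shows why a product created in 2020 with +30 years validity crosses into GeneralizedTime. The `accept_generalized=False` switch is a hypothetical stand-in for a UTCTime-only consumer, the behaviour the report suspects, and the creation dates are constructed samples.

```python
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18  # ASN.1 universal tag numbers

def encode_time(dt):
    """DER-encode a validity date as RFC 5280 requires (dt must be tz-aware)."""
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        tag, text = UTC_TIME, dt.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body  # short-form length, body is < 128 bytes

def decode_time(der, accept_generalized=True):
    """Parse a DER Time value; returns (encoding name, tz-aware datetime)."""
    if len(der) < 2 or der[1] != len(der) - 2:
        raise ValueError("truncated value or unsupported length form")
    tag, text = der[0], der[2:].decode("ascii")
    if tag == UTC_TIME and len(text) == 13 and text.endswith("Z"):
        yy = int(text[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy  # two-digit year pivot
        name, rest = "UTCTime", text[2:-1]
    elif tag == GENERALIZED_TIME and accept_generalized \
            and len(text) == 15 and text.endswith("Z"):
        year, name, rest = int(text[:4]), "GeneralizedTime", text[4:-1]
    else:
        raise ValueError("unsupported validity time (tag 0x%02x)" % tag)
    stamp = datetime.strptime("%04d%s" % (year, rest), "%Y%m%d%H%M%S")
    return name, stamp.replace(tzinfo=timezone.utc)

def check_creation_dates(created_dates, years=30):
    """Per creation date: (notAfter year, encoding, UTCTime-only parser ok)."""
    report = []
    for created in created_dates:
        der = encode_time(created.replace(year=created.year + years))
        name, not_after = decode_time(der)
        try:
            decode_time(der, accept_generalized=False)  # hypothetical legacy consumer
            legacy_ok = True
        except ValueError:
            legacy_ok = False
        report.append((not_after.year, name, legacy_ok))
    return report

if __name__ == "__main__":
    samples = [datetime(2019, 12, 31, tzinfo=timezone.utc),       # constructed
               datetime(2020, 1, 10, 2, 3, tzinfo=timezone.utc)]  # constructed
    for row in check_creation_dates(samples):
        print(row)
```

A date such as 2049/12/01 still falls on the UTCTime side of the boundary, so the encoding alone does not distinguish it from certificates issued before 2020.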