Bug 2043600
| Summary: | consumer certificate is generated with validity after 19th Jan 2038 which is causing 2038 bug on 32bit systems | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Jan Jansky <jjansky> |
| Component: | Candlepin | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Vladimír Sedmík <vsedmik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.10.2 | CC: | juwatts, pcreech, redakkan |
| Target Milestone: | 6.13.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | i686 | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | candlepin-4.2.0-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2045066 (view as bug list) | Environment: | |
| Last Closed: | 2023-05-03 13:21:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2045066 | | |
| Bug Blocks: | | | |

Description
Jan Jansky
2022-01-21 15:39:17 UTC
Hi,

The simplest workaround would be to change the candlepin configuration to only create certificates with a 5 year lifespan. That would extend this to 2033 before customers run into the issue. At that point all systems affected by this should be well out of service.

This can be done by setting the candlepin config variable `candlepin.identityCert.yr.addendum=5` in `/etc/candlepin/candlepin.conf`.

Workaround tested on Satellite 6.10.1 without issues on 64bit system, but validity correct as below.

```
# date
Pá led 21 16:12:35 UTC 2022
# subscription-manager register
# openssl x509 -in /etc/pki/consumer/cert.pem -noout -text | grep "Not After"
Not After : Jan 21 16:12:47 2027 GMT
```

Verified in 6.13.0 snap 12 (candlepin-4.2.13-1.el8sat.noarch)

Newly registered or re-registered hosts are provided with a 5-year lifespan certificate:

```
[root@host ~]# openssl x509 -in /etc/pki/consumer/cert.pem -noout -text | grep "Not"
Not Before: Feb 28 08:35:39 2023 GMT
Not After : Feb 28 09:35:39 2028 GMT
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097
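A way to audit collected `openssl x509 -noout -text` output for consumer certificates whose `Not After` date cannot be held in a signed 32-bit `time_t`, and to compute how long a given certificate lifespan keeps new registrations under that limit. This is an added example, not part of the bug report or of Candlepin; the function names and host labels are hypothetical, and the third sample line is constructed (the first two are the outputs quoted above).

```python
import re
from datetime import datetime, timezone

# Largest value a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
TIME_T_MAX = 2**31 - 1
LIMIT = datetime.fromtimestamp(TIME_T_MAX, tz=timezone.utc)

# Matches the "Not After" line printed by `openssl x509 -noout -text`.
NOT_AFTER_RE = re.compile(
    r"Not After\s*:\s*([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT")

def parse_not_after(openssl_text):
    """Return the certificate's notAfter as an aware UTC datetime."""
    m = NOT_AFTER_RE.search(openssl_text)
    if m is None:
        raise ValueError("no 'Not After' line found")
    # openssl pads single-digit days with an extra space; collapse whitespace.
    stamp = " ".join(m.group(1).split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def overflows_32bit(not_after):
    """True when notAfter cannot be represented in a signed 32-bit time_t."""
    return not_after > LIMIT

def last_safe_issue_time(lifespan_years):
    """Latest issue time for which a cert of this lifespan still fits."""
    return LIMIT.replace(year=LIMIT.year - lifespan_years)

def audit(outputs):
    """Map label -> notAfter for every certificate that overflows."""
    flagged = {}
    for label, text in outputs.items():
        expiry = parse_not_after(text)
        if overflows_32bit(expiry):
            flagged[label] = expiry
    return flagged

SAMPLES = {
    "workaround-6.10.1": "Not After : Jan 21 16:12:47 2027 GMT",
    "verified-6.13.0": "Not Before: Feb 28 08:35:39 2023 GMT\n"
                       "Not After : Feb 28 09:35:39 2028 GMT",
    # Constructed sample: a long-lived certificate expiring after the limit.
    "constructed-long-lived": "Not After : Jan  1 00:00:00 2049 GMT",
}

if __name__ == "__main__":
    for label, expiry in audit(SAMPLES).items():
        print(f"{label}: notAfter {expiry:%Y-%m-%d %H:%M:%S} UTC exceeds 32-bit time_t")
    print("5-year certificates fit if issued by", last_safe_issue_time(5))
```

With a 5-year lifespan the last safe issue time falls in January 2033, which matches the "extend this to 2033" estimate in the description.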