Bug 2043600

Summary: consumer certificate is generated with validity after 19th Jan 2038 which is causing 2038 bug on 32bit systems
Product: Red Hat Satellite Reporter: Jan Jansky <jjansky>
Component: CandlepinAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Vladimír Sedmík <vsedmik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.10.2CC: juwatts, pcreech, redakkan
Target Milestone: 6.13.0Keywords: Triaged
Target Release: Unused   
Hardware: i686   
OS: All   
Whiteboard:
Fixed In Version: candlepin-4.2.0-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2045066 (view as bug list) Environment:
Last Closed: 2023-05-03 13:21:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2045066    
Bug Blocks:    

Description Jan Jansky 2022-01-21 15:39:17 UTC 
Description of problem:
When registering 32 bit system to Satellite consumer certificate will get created with validity after 19th Jan 2038 which is causing 2038 bug (https://access.redhat.com/articles/2596)


Version-Release number of selected component (if applicable):
Found on cu Satellite 6.8, but same tested on Satellite 6.10.1


How reproducible:
Always


Steps to Reproduce:
on 32 bit system
1. rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
2. subscription-manager register

Actual results:
2022-01-20 07:54:07,260 [ERROR] subscription-manager:6126:MainThread @managercli.py:181 - Error during registration: tim
estamp out of range for platform time_t
2022-01-20 07:54:07,261 [ERROR] subscription-manager:6126:MainThread @managercli.py:182 - timestamp out of range for pla
tform time_t
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/subscription_manager/managercli.py", line 1113, in _do_command
    type=self.options.consumertype
  File "/usr/lib/python2.6/site-packages/rhsmlib/services/register.py", line 84, in register
    managerlib.persist_consumer_cert(consumer)
  File "/usr/lib/python2.6/site-packages/subscription_manager/managerlib.py", line 69, in persist_consumer_cert
    consumer = identity.ConsumerIdentity(consumerinfo['idCert']['key'], consumerinfo['idCert']['cert'])
  File "/usr/lib/python2.6/site-packages/subscription_manager/identity.py", line 80, in __init__
    self.x509 = create_from_pem(certstring)
  File "/usr/lib/python2.6/site-packages/rhsm/certificate.py", line 61, in create_from_pem
    return _CertFactory().create_from_pem(pem)
  File "/usr/lib/python2.6/site-packages/rhsm/certificate2.py", line 82, in create_from_pem
    return self._read_x509(_certificate.load(pem=pem), path, pem)
  File "/usr/lib/python2.6/site-packages/rhsm/certificate2.py", line 113, in _read_x509
    raise CertificateException(str(e))
CertificateException: timestamp out of range for platform time_t

Expected results:
Successful registration

Additional info:
Comment 2 Barnaby Court 2022-01-21 15:49:00 UTC 
Hi, The simplest workaround would be to change the candlepin configuration to only create certificates with a 5 year lifespan. That would extend this to 2033 before customer run into the issue. At that point all systems affected by this should be well out of service. This can be done by setting the candlepin config variable of candlepin.identityCert.yr.addendum=5 in the /etc/candlepin/candlepin.conf
Comment 3 Jan Jansky 2022-01-21 16:14:05 UTC 
Workaround tested on Satellite 6.10.1 without issues on 64bit system, but validity correct as below.


# date
Pá led 21 16:12:35 UTC 2022
# subscription-manager register
# openssl x509 -in /etc/pki/consumer/cert.pem -noout -text | grep "Not After"
            Not After : Jan 21 16:12:47 2027 GMT
Comment 8 Vladimír Sedmík 2023-02-28 10:16:20 UTC 
Verified in 6.13.0 snap 12 (candlepin-4.2.13-1.el8sat.noarch)

Newly registered or re-registered hosts are provided with a 5-year lifespan certificate:
[root@host ~]# openssl x509 -in /etc/pki/consumer/cert.pem -noout -text | grep "Not"
            Not Before: Feb 28 08:35:39 2023 GMT
            Not After : Feb 28 09:35:39 2028 GMT
Comment 11 errata-xmlrpc 2023-05-03 13:21:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097