Bug 79041

Summary: up2date SSL certificate fails when date is incorrect
Product: [Retired] Red Hat Linux Reporter: Adam Wiggins <adam>
Component: up2dateAssignee: Adrian Likins <alikins>
Status: CLOSED RAWHIDE QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: gafton, gstone, mihai.ibanescu
Target Milestone: ---   
Target Release: ---   
Hardware: athlon   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-02-14 13:09:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Wiggins 2002-12-04 23:09:38 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021127

Description of problem:
If the date on your machine is set incorrectly (mine was set about 11 months
early - January 1, 2002 when the actual date was Dec 4, 2002) then up2date will
fail with the cryptic error message:

There was an SSL error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
'certificate verify failed')]

Aparently the SSL certificate needs to be in a certain time window or it won't
work.  This should at the very least give the user a better idea of what the
problem is and suggest a correction (brining the system clock up to date) and
perhaps the exact time window that the certificate will allow.

I also reproduced this on 7.3, though the error message was simply "SSL_error".

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Execute command: date -s "jan 1 2002"
2. Run up2date


Actual Results:  There was an SSL error: [('SSL routines',
'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

Expected Results:  A descriptive error message or perhaps even an offer to sync
the clock to a remote system.

Additional info:
Comment 1 Adrian Likins 2002-12-11 20:48:58 UTC 
Added an error message that a common cause is time being out of
sync. Unfortunately, the error message returned from the ssl library
is very vague, so I can't really pin it down to always being a time
issue. 

Hopefully, for the next release, we can get better error codes from
the ssl layer, so we can present more granual error messages. 

In the meantime, the new message should help.
Comment 2 Adrian Likins 2002-12-11 20:49:41 UTC 
should be fixed in 3.0.32 or higher
Comment 3 Jay Turner 2003-02-14 13:09:17 UTC 
Fix confirmed with up2date-3.1.15-7.