Bug 800533
| Summary: | Need 10-year certs on AMIs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jay Greguske <jgreguske> |
| Component: | releng | Assignee: | Jay Greguske <jgreguske> |
| Status: | CLOSED NOTABUG | QA Contact: | mkovacik |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4 | CC: | atodorov, cpelland, dgregor, dmach, jslagle, syeghiay, whayutin |
| Target Milestone: | rc | Keywords: | EC2 |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 800532 | Environment: | |
| Last Closed: | 2013-01-30 16:25:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 800532 | ||
| Bug Blocks: | |||
|
Description
Jay Greguske
2012-03-06 16:40:10 UTC
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. Checking ami-48bc1b21 (us-east-1), following cert dates can be obtained. The result however is neither beta (6.3) nor release (6.2??) rhui configuration rpms contain certificates valid for 10 years. See the screenlog below.
##
[root@domU-12-31-39-0F-C8-89 ~]# ls /etc/yum.repos.d/
redhat-rhui-beta.repo redhat-rhui-client-config-beta.repo redhat-rhui-client-config.repo redhat-rhui.repo rhel-source.repo rhui-load-balancers.conf
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qf /etc/yum.repos.d/redhat-rhui-client-config-beta.repo
rh-amazon-rhui-client-beta-2.2.49-1.el6_2.noarch
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt'
/etc/pki/entitlement/product/content-rhel6-beta.crt
/etc/pki/entitlement/product/rhui-client-config-server-6-beta.crt
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Mar 29 18:34:17 2012 GMT
notAfter=Nov 30 18:34:17 2020 GMT
notBefore=Mar 29 18:38:42 2012 GMT
notAfter=Nov 30 18:38:42 2020 GMT
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qf /etc/yum.repos.d/redhat-rhui-client-config.repo
rh-amazon-rhui-client-2.2.49-1.el6_2.noarch
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client | grep '\.crt'
/etc/pki/entitlement/ca.crt
/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/pki/entitlement/product/content-rhel6.crt
/etc/pki/entitlement/product/rhui-client-config-server-6.crt
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Aug 23 19:46:02 2011 GMT
notAfter=Nov 30 19:46:02 2017 GMT
notBefore=Mar 18 11:24:54 2010 GMT
notAfter=Mar 13 11:24:54 2030 GMT
notBefore=Mar 29 18:31:28 2012 GMT
notAfter=Nov 30 18:31:28 2020 GMT
notBefore=Mar 29 18:38:07 2012 GMT
notAfter=Nov 30 18:38:07 2020 GMT
[root@domU-12-31-39-0F-C8-89 ~]#
Adding some configuration rpm info... ## [root@domU-12-31-39-0F-C8-89 ~]# rpm -qi rh-amazon-rhui-client-beta Name : rh-amazon-rhui-client-beta Relocations: (not relocatable) Version : 2.2.49 Vendor: Red Hat, Inc. Release : 1.el6_2 Build Date: Mon 23 Apr 2012 02:04:49 PM EDT Install Date: Thu 03 May 2012 01:40:04 PM EDT Build Host: s390-001.build.bos.redhat.com Group : System Environment/Base Source RPM: rh-amazon-rhui-client-2.2.49-1.el6_2.src.rpm Size : 10984 License: BSD Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://redhat.com Summary : Yum repository and entitlement certificiate configuration for beta content Description : Configures yum to use the RHUI repositories for beta content. You have mail in /var/spool/mail/root [root@domU-12-31-39-0F-C8-89 ~]# rpm -qi rh-amazon-rhui-client Name : rh-amazon-rhui-client Relocations: (not relocatable) Version : 2.2.49 Vendor: Red Hat, Inc. Release : 1.el6_2 Build Date: Mon 23 Apr 2012 02:04:49 PM EDT Install Date: Mon 30 Apr 2012 03:57:26 PM EDT Build Host: s390-001.build.bos.redhat.com Group : System Environment/Base Source RPM: rh-amazon-rhui-client-2.2.49-1.el6_2.src.rpm Size : 41189 License: BSD Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://redhat.com Summary : Yum repository and entitlement certificate configuration Description : Configures yum to use the RHUI repositories. We were targeting 6.3 to get 10-year certificates available for yum updates to continue working for all of RHEL 6's newly expanded life. Unfortunately, it appears the ca.crt is still set for 2017, and changing out the CA is not a trivial effort; we would need to regenerate all certificates to make them work. This is getting punted to 6.4. Can you remove it from advisory then? Done This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4. Jay, where are we with this? Hey James, any progress here? For 6.3 it involved replacing the CA I think which forced us to defer to 6.4. I don't want that to happen again... Latest rh-amazon-rhui-client has this, we just need to make sure it lands in the final AMIs. rh-amazon-rhui-client-2.2.77-1.el6_3 Snap #3 contains:
rh-amazon-rhui-client-beta-2.2.77-1.el6_3.noarch
rh-amazon-rhui-client-2.2.77-1.el6_3.noarch
# rpm -ql rh-amazon-rhui-client | grep '\.crt'
/etc/pki/entitlement/ca.crt
/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/pki/entitlement/product/content-rhel6.crt
/etc/pki/entitlement/product/rhui-client-config-server-6.crt
# rpm -ql rh-amazon-rhui-client | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Aug 23 19:46:02 2011 GMT
notAfter=Nov 30 19:46:02 2017 GMT
notBefore=Mar 18 11:24:54 2010 GMT
notAfter=Mar 13 11:24:54 2030 GMT
notBefore=Mar 29 18:31:28 2012 GMT
notAfter=Nov 30 18:31:28 2020 GMT
notBefore=Mar 29 18:38:07 2012 GMT
notAfter=Nov 30 18:38:07 2020 GMT
# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt'
/etc/pki/entitlement/product/content-rhel6-beta.crt
/etc/pki/entitlement/product/rhui-client-config-server-6-beta.crt
# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Mar 29 18:34:17 2012 GMT
notAfter=Nov 30 18:34:17 2020 GMT
notBefore=Mar 29 18:38:42 2012 GMT
notAfter=Nov 30 18:38:42 2020 GMT
I don't see any difference from comment #4. Moving back to ASSIGNED.
I'm confused. Adding James. Another bug was opened to update the CA: bugzilla 888456 The client entitlement certificates have the correct expiration date afaict. make that bug 888456 The dates on the client certs are correct. closing as NOTABUG see comment 18 |