Bug 800533

Summary: Need 10-year certs on AMIs
Product: Red Hat Enterprise Linux 6 Reporter: Jay Greguske <jgregusk>
Component: relengAssignee: Jay Greguske <jgregusk>
Status: CLOSED NOTABUG QA Contact: mkovacik
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: atodorov, cpelland, dgregor, dmach, jslagle, syeghiay, whayutin
Target Milestone: rcKeywords: EC2
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 800532 Environment:
Last Closed: 2013-01-30 11:25:16 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 800532    
Bug Blocks:    

Description Jay Greguske 2012-03-06 11:40:10 EST
+++ This bug was initially created as a clone of Bug #800532 +++

The current certificates on RHEL AMIs expire early since they were generated when the life of RHEL was 7 years. Newer AMIs should have certs that expire after 10 years from the major release.
Comment 2 Suzanne Yeghiayan 2012-05-18 16:52:32 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 mkovacik 2012-05-22 06:05:30 EDT
Checking ami-48bc1b21 (us-east-1), following cert dates can be obtained. The result however is neither beta (6.3) nor release (6.2??) rhui configuration rpms contain certificates valid for 10 years. See the screenlog below.

## 
[root@domU-12-31-39-0F-C8-89 ~]# ls /etc/yum.repos.d/
redhat-rhui-beta.repo  redhat-rhui-client-config-beta.repo  redhat-rhui-client-config.repo  redhat-rhui.repo  rhel-source.repo  rhui-load-balancers.conf
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qf /etc/yum.repos.d/redhat-rhui-client-config-beta.repo
rh-amazon-rhui-client-beta-2.2.49-1.el6_2.noarch
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' 
/etc/pki/entitlement/product/content-rhel6-beta.crt
/etc/pki/entitlement/product/rhui-client-config-server-6-beta.crt
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}                                                                                                                                         
notBefore=Mar 29 18:34:17 2012 GMT
notAfter=Nov 30 18:34:17 2020 GMT
notBefore=Mar 29 18:38:42 2012 GMT
notAfter=Nov 30 18:38:42 2020 GMT

[root@domU-12-31-39-0F-C8-89 ~]# rpm -qf /etc/yum.repos.d/redhat-rhui-client-config.repo 
rh-amazon-rhui-client-2.2.49-1.el6_2.noarch
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client | grep '\.crt' 
/etc/pki/entitlement/ca.crt
/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/pki/entitlement/product/content-rhel6.crt
/etc/pki/entitlement/product/rhui-client-config-server-6.crt
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Aug 23 19:46:02 2011 GMT
notAfter=Nov 30 19:46:02 2017 GMT
notBefore=Mar 18 11:24:54 2010 GMT
notAfter=Mar 13 11:24:54 2030 GMT
notBefore=Mar 29 18:31:28 2012 GMT
notAfter=Nov 30 18:31:28 2020 GMT
notBefore=Mar 29 18:38:07 2012 GMT
notAfter=Nov 30 18:38:07 2020 GMT
[root@domU-12-31-39-0F-C8-89 ~]#
Comment 5 mkovacik 2012-05-22 06:15:02 EDT
Adding some configuration rpm info...

##
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qi rh-amazon-rhui-client-beta
Name        : rh-amazon-rhui-client-beta   Relocations: (not relocatable)
Version     : 2.2.49                            Vendor: Red Hat, Inc.
Release     : 1.el6_2                       Build Date: Mon 23 Apr 2012 02:04:49 PM EDT
Install Date: Thu 03 May 2012 01:40:04 PM EDT      Build Host: s390-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: rh-amazon-rhui-client-2.2.49-1.el6_2.src.rpm
Size        : 10984                            License: BSD
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://redhat.com
Summary     : Yum repository and entitlement certificiate configuration for beta content
Description :
Configures yum to use the RHUI repositories for beta content.
You have mail in /var/spool/mail/root
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qi rh-amazon-rhui-client
Name        : rh-amazon-rhui-client        Relocations: (not relocatable)
Version     : 2.2.49                            Vendor: Red Hat, Inc.
Release     : 1.el6_2                       Build Date: Mon 23 Apr 2012 02:04:49 PM EDT
Install Date: Mon 30 Apr 2012 03:57:26 PM EDT      Build Host: s390-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: rh-amazon-rhui-client-2.2.49-1.el6_2.src.rpm
Size        : 41189                            License: BSD
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://redhat.com
Summary     : Yum repository and entitlement certificate configuration
Description :
Configures yum to use the RHUI repositories.
Comment 6 Jay Greguske 2012-05-22 14:20:46 EDT
We were targeting 6.3 to get 10-year certificates available for yum
updates to continue working for all of RHEL 6's newly expanded life.
Unfortunately, it appears the ca.crt is still set for 2017, and changing
out the CA is not a trivial effort; we would need to regenerate all
certificates to make them work.

This is getting punted to 6.4.
Comment 7 Alexander Todorov 2012-05-23 08:21:04 EDT
Can you remove it from advisory then?
Comment 8 Jay Greguske 2012-05-23 08:38:50 EDT
Done
Comment 10 RHEL Product and Program Management 2012-07-10 04:51:59 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 11 RHEL Product and Program Management 2012-07-10 21:47:45 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 12 Dennis Gregorovic 2012-10-26 14:05:05 EDT
Jay, where are we with this?
Comment 13 Jay Greguske 2012-10-26 14:43:48 EDT
Hey James, any progress here? For 6.3 it involved replacing the CA I think which forced us to defer to 6.4. I don't want that to happen again...
Comment 14 Jay Greguske 2012-12-07 14:41:12 EST
Latest rh-amazon-rhui-client has this, we just need to make sure it lands in the final AMIs.

rh-amazon-rhui-client-2.2.77-1.el6_3
Comment 16 Alexander Todorov 2013-01-15 04:53:02 EST
Snap #3 contains:

rh-amazon-rhui-client-beta-2.2.77-1.el6_3.noarch
rh-amazon-rhui-client-2.2.77-1.el6_3.noarch


# rpm -ql rh-amazon-rhui-client | grep '\.crt'
/etc/pki/entitlement/ca.crt
/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/pki/entitlement/product/content-rhel6.crt
/etc/pki/entitlement/product/rhui-client-config-server-6.crt

# rpm -ql rh-amazon-rhui-client | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Aug 23 19:46:02 2011 GMT
notAfter=Nov 30 19:46:02 2017 GMT
notBefore=Mar 18 11:24:54 2010 GMT
notAfter=Mar 13 11:24:54 2030 GMT
notBefore=Mar 29 18:31:28 2012 GMT
notAfter=Nov 30 18:31:28 2020 GMT
notBefore=Mar 29 18:38:07 2012 GMT
notAfter=Nov 30 18:38:07 2020 GMT


# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt'
/etc/pki/entitlement/product/content-rhel6-beta.crt
/etc/pki/entitlement/product/rhui-client-config-server-6-beta.crt

# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Mar 29 18:34:17 2012 GMT
notAfter=Nov 30 18:34:17 2020 GMT
notBefore=Mar 29 18:38:42 2012 GMT
notAfter=Nov 30 18:38:42 2020 GMT


I don't see any difference from comment #4. Moving back to ASSIGNED.
Comment 17 Jay Greguske 2013-01-30 08:42:25 EST
I'm confused. Adding James.
Comment 18 James Slagle 2013-01-30 08:54:29 EST
Another bug was opened to update the CA: bugzilla 888456

The client entitlement certificates have the correct expiration date afaict.
Comment 19 James Slagle 2013-01-30 08:56:16 EST
make that bug 888456
Comment 20 Dennis Gregorovic 2013-01-30 11:25:16 EST
The dates on the client certs are correct.  closing as NOTABUG
Comment 23 James Slagle 2013-02-05 09:01:56 EST
see comment 18