Bug 827035
| Summary: | Teach rhsmcertd to refresh the identity certificate | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | James Bowes <jbowes> | |
| Component: | subscription-manager | Assignee: | Bryan Kearney <bkearney> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Entitlement Bugs <entitlement-bugs> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.3 | CC: | bkearney, cduryee, jesusr, jmolet, jsefler, khong, liliu, mstead, yuzheng | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 827034 | |||
| : | 834309 (view as bug list) | Environment: | ||
| Last Closed: | 2012-12-10 21:41:53 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 827034 | |||
| Bug Blocks: | 771481, 834309, 834558 | |||
| 
        
Description (James Bowes, 2012-05-31 13:36:24 UTC)
        
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Hi James, Could you provide QA steps for this new feature? Thanks, Keqin

Requires candlepin 0.7.3 or greater to do anything.
Testing
--------
Forcing identity certificate to get updated.
1) register client to candlepin
2) configure the server side candlepin to have an expiry threshold of 7304 (roughly 20 years); this will force candlepin to regenerate the identity certificate on EVERY call to getConsumer. The configuration entry is:
    candlepin.identityCert.expiry.threshold = 7304
The default value for expiry.threshold is 90 days. Identity Certificates are now generated so that they don't expire for 16 years (also configurable).
3) make note of the existing identity certificate date:
   ls -lart /etc/pki/consumer/
4) restart rhsmcertd: /sbin/service rhsmcertd restart
5) make note of updated identity certificate date:
   ls -lart /etc/pki/consumer/
Fixed in master by Jesus M. Rodriguez commit: bfff510f60ccc647f60ffdcb56b0101e1cccfe57

Setup: The candlepin server (running version >= 0.7.3) that we will use to verify this bug is using these default configurations...
# threshold in days before the expiration date for a consumer cert to be automatically regenerated during an rhsmcertd update (default is 90)
#candlepin.identityCert.expiry.threshold = 90
# validity duration for a consumer cert (default is 16 years - was originally 1 year)
#candlepin.identityCert.yr.addendum = 16
[root@jsefler-6 ~]# subscription-manager config --server.hostname=jsefler-f14-candlepin.usersys.redhat.com --server.port=8443 --server.prefix=/candlepin --server.insecure=1
Verifying Version...
[root@jsefler-6 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.7.19-1
subscription-manager: 1.1.10-1.el6
python-rhsm: 1.1.6-1.el6
[root@jsefler-6 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 2166d56d-90f9-4a2d-8bba-94c739081248 
[root@jsefler-6 ~]# subscription-manager identity
Current identity is: 2166d56d-90f9-4a2d-8bba-94c739081248
name: jsefler-6.usersys.redhat.com
org name: Admin Owner
org id: admin
[root@jsefler-6 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Nov 27 22:41:14 2012 GMT
            Not After : Nov 27 22:41:14 2028 GMT
                                        ^^^^
VERIFIED: A newly created consumer cert is now valid for 16 years by default!
Now, let's fast-forward time to the future on both the candlepin server and the subscription-manager system to within 90 days before Nov 27 22:07:20 2028...
[root@jsefler-f14-candlepin ~]# date
Tue Nov 27 17:43:14 EST 2012
[root@jsefler-f14-candlepin ~]# date -s "10/01/2028"
Sun Oct  1 00:00:00 EDT 2028
[root@jsefler-6 ~]# date
Tue Nov 27 17:44:16 EST 2012
[root@jsefler-6 ~]# date -s "10/01/2028"
Sun Oct  1 00:00:00 EDT 2028
Now let's restart rhsmcertd and wait for a hard 2 minutes for the cert daemon to refresh certificate updates with the server...
[root@jsefler-6 ~]# service rhsmcertd restart
Stopping rhsmcertd...                                      [  OK  ]
Starting rhsmcertd...                                      [  OK  ]
[root@jsefler-6 ~]# sleep 120
[root@jsefler-6 ~]# 
[root@jsefler-6 ~]# subscription-manager identity
Current identity is: 2166d56d-90f9-4a2d-8bba-94c739081248
name: jsefler-6.usersys.redhat.com
org name: Admin Owner
org id: admin
[root@jsefler-6 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Oct  1 04:03:47 2028 GMT
            Not After : Oct  1 04:03:47 2044 GMT
                                        ^^^^
VERIFIED: The rhsmcertd daemon has automatically updated the validity period for the same consumer UUID.  It is now valid for another 16 years!
Here is some more verification from the tail end of the rhsm.log that the consumer cert was automatically updated...
[root@jsefler-6 ~]# tail -f /var/log/rhsm/rhsm.log
2028-10-01 00:02:55,776 [DEBUG]  @connection.py:355 - Making request: GET /candlepin/consumers/2166d56d-90f9-4a2d-8bba-94c739081248
2028-10-01 00:02:55,940 [DEBUG]  @connection.py:368 - Response status: 200
2028-10-01 00:02:55,943 [DEBUG]  @certlib.py:180 - identity certificate changed, writing new one
2028-10-01 00:02:55,946 [INFO]  @managerlib.py:75 - Consumer created: {'consumer_name': 'jsefler-6.usersys.redhat.com', 'uuid': '2166d56d-90f9-4a2d-8bba-94c739081248'}
Moving to VERIFIED
Bug Clean Up, these are in the current release. |
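
The regeneration window exercised in the verification above, as an added example (not candlepin or subscription-manager code): it parses the two Validity blocks from the transcript and applies the threshold rule, showing why a threshold of 7304 days forces a refresh on every check while the default of 90 only does so near expiry. The function names are hypothetical, and the exact comparison (regenerate once the current time is within the threshold of Not After) is an assumption based on the configuration comment quoted in the bug.

```python
# Added example (not subscription-manager or candlepin code): models the
# "regenerate when within N days of expiry" rule described in this bug.
import re
from datetime import datetime, timedelta, timezone

# Matches the lines printed by `openssl x509 -text`, e.g.
#   "Not After : Nov 27 22:41:14 2028 GMT"
_VALIDITY = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4}) GMT")


def parse_validity(openssl_text):
    """Return (not_before, not_after) as UTC datetimes."""
    found = {}
    for kind, mon, day, clock, year in _VALIDITY.findall(openssl_text):
        stamp = f"{mon} {day} {clock} {year}"
        found[kind] = datetime.strptime(
            stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def needs_regeneration(not_after, now, threshold_days=90):
    """Assumed rule: regenerate once `now` is inside the threshold window."""
    return now >= not_after - timedelta(days=threshold_days)


def was_refreshed(old_text, new_text):
    """True when the new certificate expires later than the old one."""
    return parse_validity(new_text)[1] > parse_validity(old_text)[1]


# Validity blocks copied from the verification transcript on this page.
CERT_2012 = """        Validity
            Not Before: Nov 27 22:41:14 2012 GMT
            Not After : Nov 27 22:41:14 2028 GMT"""
CERT_2028 = """        Validity
            Not Before: Oct  1 04:03:47 2028 GMT
            Not After : Oct  1 04:03:47 2044 GMT"""

if __name__ == "__main__":
    issued, expires = parse_validity(CERT_2012)
    future = datetime(2028, 10, 1, 4, 0, tzinfo=timezone.utc)  # after `date -s`
    print("validity days:", (expires - issued).days)
    print("90-day threshold, 2028-10-01:", needs_regeneration(expires, future))
    print("7304-day threshold, at issue:", needs_regeneration(expires, issued, 7304))
    print("refreshed:", was_refreshed(CERT_2012, CERT_2028))
```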