Bug 838091
Summary: Teach rhsmcertd to refresh the identity certificate

Field | Value | Field | Value
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | RHEL Program Management <pm-rhel>
Component: | subscription-manager | Assignee: | Jesus M. Rodriguez <jesusr>
Status: | CLOSED ERRATA | QA Contact: | Entitlement Bugs <entitlement-bugs>
Severity: | unspecified | Docs Contact: |
Priority: | high | |
Version: | 5.9 | CC: | awood, bkearney, cduryee, fsharath, jesusr, jmolet, jsefler, kreilly, mstead, pm-eus, wpoteat
Target Milestone: | rc | Keywords: | ZStream
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-07-13 04:35:11 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 827034 | |
Bug Blocks: | | |
Description (RHEL Program Management, 2012-07-06 13:28:41 UTC)
Before verifying this bug fix, let's demonstrate the problem... The following subscription-manager/candlepin versions will be used to demonstrate the problems:

```
[root@rhsm-compat-rhel58 ~]# rpm -q subscription-manager
subscription-manager-0.98.16-1.el5_8
[root@rhsm-compat-rhel58 ~]# curl -k -u admin:**** -stderr /dev/null https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
  "release": "1",
  "result": true,
  "standalone": true,
  "timeUTC": "2012-07-09T16:48:35.511+0000",
  "version": "0.5.26"
}
```

Step 1: Configure client to a candlepin server (whose version is older than 0.7.3)

```
[root@rhsm-compat-rhel58 ~]# subscription-manager config --server.hostname jsefler-f14-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1
```

Step 2: Register client to candlepin server

```
[root@rhsm-compat-rhel58 ~]# subscription-manager register --username testuser1 --password **** --org admin
The system has been registered with id: 0ff42f32-2b6d-4687-8158-77896c07f867
```

Step 3: Check the Validity period on the client's consumer certificate

```
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  9 16:50:45 2012 GMT
            Not After : Jul  9 16:50:45 2013 GMT
```

^^^ PROBLEM 1: THIS CONSUMER CERT IS VALID FOR ONE YEAR ONLY

Step 4: Simulate the future by advancing both the system and candlepin server's date to within 90 days of the consumer cert expiration. Then simulate a certificate frequency update by restarting the rhsmcertd service.

```
[root@rhsm-compat-rhel58 ~]# date 070100002013
Mon Jul  1 00:00:00 EDT 2013
[root@jsefler-f14-candlepin ~]# date 070100002013
Mon Jul  1 00:00:00 EDT 2013
[root@rhsm-compat-rhel58 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [  OK  ]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@rhsm-compat-rhel58 ~]# subscription-manager identity
Current identity is: 0ff42f32-2b6d-4687-8158-77896c07f867
name: rhsm-compat-rhel58.usersys.redhat.com
org name: Admin Owner
org id: 8a90f875386c97cd01386c97f3f20007
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  9 16:50:45 2012 GMT
            Not After : Jul  9 16:50:45 2013 GMT
```

^^^ PROBLEM 2: ALTHOUGH COMMUNICATION FROM THE SYSTEM TO THE CANDLEPIN SERVER IS STILL SUCCESSFUL, THIS SYSTEM IS NOW WITHIN 90 DAYS OF AN EXPIRED CONSUMER CERT AND THE CONSUMER CERT WAS NOT REGENERATED AUTOMATICALLY.

Step 5: Simulate the future by advancing both the system and candlepin server's date beyond consumer cert expiration. Then attempt to communicate from the subscription-manager system to the candlepin server.

```
[root@rhsm-compat-rhel58 ~]# date 080100002013
Thu Aug  1 00:00:00 EDT 2013
[root@jsefler-f14-candlepin ~]# date 080100002013
Thu Aug  1 00:00:00 EDT 2013
[root@rhsm-compat-rhel58 ~]# subscription-manager identity
sslv3 alert certificate unknown
```

^^^ PROBLEM 3: THIS SYSTEM IS NOW BEYOND THE EXPIRATION DATE OF THE CONSUMER CERT AND COMMUNICATION TO THE CANDLEPIN SERVER FAILS WITH A "sslv3 alert certificate unknown". THE USER DOES NOT KNOW WHAT TO DO.

Manual Solution: Without this bug fix in place, the easiest way to fix this situation is to manually regenerate the consumer certificate using the consumer's authentication credentials...

```
[root@rhsm-compat-rhel58 ~]# subscription-manager identity --regenerate --username=testuser1 --password=**** --force
Identity certificate has been regenerated.
[root@rhsm-compat-rhel58 ~]# subscription-manager identity
Current identity is: 0ff42f32-2b6d-4687-8158-77896c07f867
name: rhsm-compat-rhel58.usersys.redhat.com
org name: Admin Owner
org id: 8a90f875386c97cd01386c97f3f20007
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Aug  1 04:06:03 2013 GMT
            Not After : Aug  1 04:06:03 2014 GMT
```

^^^ THIS MANUAL SOLUTION SUCCESSFULLY RE-ESTABLISHED COMMUNICATION TO THE CANDLEPIN SERVER BY INSTALLING A NEW CONSUMER CERT VALID FOR A NEW YEAR STARTING FROM NOW.

To verify this bug, we need the bug fix applied to the subscription-manager system (AND candlepin >= 0.7.3). Using the following updated subscription-manager/candlepin versions to verify this bug fix:

```
[root@rhsm-compat-rhel58 ~]# rpm -q subscription-manager
subscription-manager-0.98.16.3-1.el5_8
[root@rhsm-compat-rhel58 ~]# curl -k -u admin:**** -stderr /dev/null https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
  "release": "1",
  "result": true,
  "standalone": true,
  "timeUTC": "2012-07-11T21:25:13.841+0000",
  "version": "0.7.3"
}
```

Step 1: Configure client to a candlepin server (whose version is 0.7.3 or newer)

```
[root@rhsm-compat-rhel58 ~]# subscription-manager config --server.hostname jsefler-f14-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1
```

Step 2: Register client to candlepin server

```
[root@rhsm-compat-rhel58 ~]# subscription-manager register --username testuser1 --password **** --org admin
The system has been registered with id: a1e34202-10de-41d9-b81c-17f36eea98c0
```

Step 3: Check the Validity period on the client's consumer certificate

```
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul 11 21:29:43 2012 GMT
            Not After : Jul 11 21:29:43 2028 GMT
```

^^^ VERIFIED PROBLEM 1 IS SOLVED: A NEWLY GENERATED CONSUMER CERT IS NOW VALID FOR 16 YEARS

Step 4: Simulate the future by advancing both the system and candlepin server's date to within 90 days of the consumer cert expiration. Then simulate a certificate frequency update by restarting the rhsmcertd service.

```
[root@rhsm-compat-rhel58 ~]# date 070100002028
Sat Jul  1 00:00:00 EDT 2028
[root@jsefler-f14-candlepin ~]# date 070100002028
Sat Jul  1 00:00:00 EDT 2028
[root@rhsm-compat-rhel58 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [  OK  ]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  1 04:01:12 2028 GMT
            Not After : Jul  1 04:01:12 2044 GMT
```

^^^ VERIFIED PROBLEM 2: When the rhsmcertd service checked in with the server within 90 days of the consumer cert's expiration, an updated consumer cert was generated by the candlepin server, installed on the client, and is now valid for the next 16 years.

Here is some additional logging from the rhsm.log showing the automatically updated/written consumer...

```
2028-07-01 00:01:19,466 [DEBUG] @certlib.py:172 - identity certificate changed, writing new one
2028-07-01 00:01:19,468 [INFO] @managerlib.py:72 - Consumer created: {'consumer_name': 'rhsm-compat-rhel58.usersys.redhat.com', 'uuid': 'a1e34202-10de-41d9-b81c-17f36eea98c0'}
```

Note that PROBLEM 3 will no longer happen in real-time because the rhsmcertd certFrequency is checking in with the server every 240 min (default), which will occur within 90 days of the consumer cert's expiration. The only trouble will be if the client is shut down for the 90 day period before the consumer cert expires. In this case, see comment 5 for the Manual Solution to regenerate the identity cert.

Moving to VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1074.html
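The three states the verification steps above walk through (fresh cert, within 90 days of expiry, past expiry) as an added Python example that is not part of this bug report or of subscription-manager: it parses the `openssl x509 -text ... | grep -A2 Validity` output quoted above and applies the 90-day window the report states. The function names and the 'YYYY-MM-DD HH:MM' form for the current time are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# 90-day window quoted in the bug; certFrequency (240 min default) checks in well inside it.
RENEWAL_WINDOW = timedelta(days=90)
_LINE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$")


def parse_validity(text):
    """Parse the 'Not Before'/'Not After' lines of `openssl x509 -text` output."""
    found = {}
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:  # openssl pads single-digit days ("Jul  9"); strptime tolerates that
            found[m.group(1)] = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y GMT")
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block lacks Not Before / Not After")
    return found["Before"], found["After"]


def identity_cert_state(validity_text, now):
    """Return 'ok', 'refresh' (inside the window: rhsmcertd re-issues) or 'expired'.

    `now` is a datetime or 'YYYY-MM-DD HH:MM', in UTC like the cert's GMT stamps."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M")
    not_before, not_after = parse_validity(validity_text)
    if now >= not_after:
        return "expired"   # server replies 'sslv3 alert certificate unknown'; --regenerate by hand
    if now < not_before:
        raise ValueError("certificate not yet valid; check the system clock")
    if not_after - now <= RENEWAL_WINDOW:
        return "refresh"   # the behaviour this bug fix adds to rhsmcertd
    return "ok"


# Constructed from the Validity output quoted in the bug report.
OLD_CERT = """        Validity
            Not Before: Jul  9 16:50:45 2012 GMT
            Not After : Jul  9 16:50:45 2013 GMT
"""
NEW_CERT = """        Validity
            Not Before: Jul 11 21:29:43 2012 GMT
            Not After : Jul 11 21:29:43 2028 GMT
"""

if __name__ == "__main__":
    for cert, when in [(OLD_CERT, "2013-07-01 04:00"), (OLD_CERT, "2013-08-01 04:00"),
                       (NEW_CERT, "2028-07-01 04:01"), (NEW_CERT, "2012-08-01 00:00")]:
        print(when, "->", identity_cert_state(cert, when))
```

The four sample times mirror the report's `date` commands (EDT converted to UTC): the old cert is "refresh" on Jul 1 2013 and "expired" on Aug 1 2013, the 16-year cert is "refresh" on Jul 1 2028 and "ok" shortly after registration.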