Bug 855904

Summary: Document how to update nss-db-gen generated certificates
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: James Slagle <jslagle>
Component: Documentation
Assignee: Julie <juwu>
Status: CLOSED CURRENTRELEASE
QA Contact: Dan Macpherson <dmacpher>
Severity: unspecified
Priority: high
Version: 2.1
CC: dmacpher, juwu, tsanders, whayutin
Target Milestone: ---
Target Release: 2.1.1
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-03-04 05:09:12 UTC
Type: Bug

Description James Slagle 2012-09-10 15:02:23 UTC
The certs generated when nss-db-gen is run, both the qpid CA and qpid client cert, are hardcoded to expire after one year. You can no longer sync CDSs after the certs expire, as the CDSs will fail connecting to qpid running on the RHUA.

Comment 1 wes hayutin 2012-09-10 15:39:55 UTC
nss-db-gen uses the certutil command, which has the option "-v" to specify the number of months the cert will be valid.
The nss-db-gen script has a variable "VALID" which currently defaults to "12", 12 months. So it seems we can easily fix this, or maybe even doc the issue.

The option defaults to three months, so certs will expire 12 + 3 months after they are created.

******************

-v valid-months

Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months. When this argument is used, the default three-month period is automatically added to any value given in the valid-month argument. For example, using this option to set a value of 3 would cause 3 to be added to the three-month default, creating a validity period of six months. You can use negative values to reduce the default period. For example, setting a value of -2 would subtract 2 from the default and create a validity period of one month.
******************
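
A defender-side check that follows from the `-v` rule quoted above, added here as an example (it is not part of the bug report or of the RHUI tooling): it parses the `Not After` line from `certutil -L` pretty-print output to report how long the qpid cert has left, and encodes the three-month default that certutil adds to the `-v` value. The certutil output sample, the 30-day warning threshold and the treatment of the printed time as UTC are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `certutil -L -d <nssdb> -n <nickname>` output,
# trimmed to the validity block (not taken from the bug report).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity:
            Not Before: Mon Sep 10 15:02:23 2012
            Not After : Tue Sep 10 15:02:23 2013
"""

# Date layout certutil uses in its pretty-print output.
NSS_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def effective_validity_months(valid):
    """certutil adds its three-month default to the -v value; negative values
    shorten the default period (e.g. VALID=12 -> 15 months, -2 -> 1 month)."""
    return valid + 3


def parse_not_after(certutil_output):
    """Extract the 'Not After' timestamp; assumed UTC for this example."""
    m = re.search(r"Not After\s*:\s*(.+)", certutil_output)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1).strip(), NSS_DATE_FMT).replace(tzinfo=timezone.utc)


def days_until_expiry(certutil_output, now):
    """Whole days left before the cert stops being accepted (negative if expired)."""
    return (parse_not_after(certutil_output) - now).days


def expiry_status(certutil_output, now, warn_days=30):
    """'ok', 'expiring' (within warn_days) or 'expired'; a CDS that cannot
    reach qpid on the RHUA after expiry is the failure this bug describes."""
    days = days_until_expiry(certutil_output, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"
```

Run it against the real output of `certutil -L` on the RHUA's NSS database before the VALID + 3 month window closes, and schedule the nss-db-gen / rhui-installer renewal accordingly.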

Comment 2 James Slagle 2012-11-09 19:54:57 UTC
What we need to do for this bug is provide the kbase article as input to our docs team to include in the documentation.

Comment 3 James Slagle 2012-11-09 19:55:42 UTC
Technical material will be forthcoming.

Comment 5 James Slagle 2013-02-13 13:11:21 UTC
Both those kbase articles show pretty much the same thing, but let's use this one:
https://access.redhat.com/knowledge/solutions/219703

I would think this would need to be in a new section in the Admin guide.

Comment 7 James Slagle 2013-02-20 12:52:25 UTC
Just running nss-db-gen does not install the generated certificates on the RHUA and CDS systems, so in procedure 7.2 we also need to add the steps to run rhui-installer and then install the generated RPMs.

In the KBase article it's the steps that say:
* Use rhui-installer and config RPMs to update and distribute the new qpid certificates across the RHUI environment.

* Execute rhui-installer using the updated answers file. Again, the only thing we updated in the answers file was the version. This will re-copy the updated qpid certificates to the RHUA and CDSs in the environment.

* Distribute the updated config RPMs to the CDSs and install on the RHUA and CDS servers.

Comment 8 Dan Macpherson 2013-02-21 15:57:59 UTC
Added additional instructions and re-spinning the book.

Comment 10 Dan Macpherson 2013-03-04 05:09:12 UTC
Verified and closing bug as this has been released.