Bug 923159

Summary: rhsmcertd update is not automatically regenerating consumer cert
Product: Red Hat Enterprise Linux 7
Reporter: Shwetha Kallesh <skallesh>
Component: subscription-manager
Assignee: candlepin-bugs
Status: CLOSED CURRENTRELEASE
QA Contact: John Sefler <jsefler>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: dgoodwin, fsharath, jmolet, jsefler, redakkan, skallesh, spandey
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of:
: 1231074 1425722
Last Closed: 2014-06-13 13:22:49 UTC
Type: Bug
Bug Blocks: 863175, 1231074, 1425722

Description Shwetha Kallesh 2013-03-19 10:24:12 UTC
Description of problem:
rhsmcertd update is not re-generating consumer cert automatically

Version-Release number of selected component (if applicable):
[root@rhel7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.8.0-1
subscription-manager: 1.8.4-1.el7
python-rhsm: 1.8.7-1.el7


How reproducible:


Steps to Reproduce:
[root@rhel7 ~]# cat /etc/rhsm/rhsm.conf | grep insecure
insecure=1


1.[root@rhel7 ~]# subscription-manager register --org=admin --force
Username: admin
Password: 
The system has been registered with id: c9bc5b4e-3938-44fc-8b04-76c48aa4a0eb 

[root@rhel7 ~]# date -s '15 year 9 month'
Tue Dec 19 10:09:14 UTC 2028

Executing 

[root@rhel7 ~]# date
Tue Dec 19 10:12:26 UTC 2028

[root@rhel7 ~]# rct cat-cert /etc/pki/consumer/cert.pem 

+-------------------------------------------+
	Identity Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/consumer/cert.pem
	Version: 1.0
	Serial: 5437778791775227667
	Start Date: 2013-03-19 09:39:02+00:00
	End Date: 2029-03-19 09:39:02+00:00
	Alt Name: DirName:/CN=rhel7

Subject:
	CN: c9bc5b4e-3938-44fc-8b04-76c48aa4a0eb

  
Actual results:


Expected results:


Additional info:

Comment 1 John Sefler 2014-01-17 21:05:36 UTC
Suspect an error in the test scenario.
Both the server and the client clocks need to be in sync before a consumer cert will be regenerated within the default 90 day expiry threshold.
As written in comment 0, I suspect there was a "clock skew detection" warning in rhsm.log.

Please re-test.



Additional Info: these are the candlepin configurations that govern automatic consumer cert regeneration...
# threshold in days before the expiration date for a consumer cert to be automatically regenerated during an rhsmcertd update (default is 90)
candlepin.identityCert.expiry.threshold = 90
# validity duration for a consumer cert (default is 16 years - was originally 1 year)
candlepin.identityCert.yr.addendum = 16

Comment 2 Devan Goodwin 2014-01-22 13:53:39 UTC
Moving to ON_QA given comment #1.

Comment 3 John Sefler 2014-01-31 18:54:15 UTC
Retesting with version...
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.2-1
subscription-manager: 1.10.11-2.el7
python-rhsm: 1.10.11-2.el7

[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 78ced260-c48a-4175-b61f-1a41cb97eb37 
[root@jsefler-7 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
	Start Date: 2014-01-31 18:24:30+00:00
	End Date: 2030-01-31 18:24:30+00:00
                  ^^^^
Take note of the original validity dates above.
By default, a newly created consumer cert is valid for 16 years!

Now, let's fast-forward time into the future on both the candlepin server and the subscription-manager system to within 90 days before 2030-01-31 18:24:30+00:00...



[root@jsefler-7 ~]# service ntpd stop
Redirecting to /bin/systemctl stop  ntpd.service
[root@jsefler-7 ~]# date
Fri Jan 31 13:26:50 EST 2014
[root@jsefler-7 ~]# date -s '+15 year +9 month +2 day'
Thu Nov  2 14:26:58 EDT 2029

[root@jsefler-f14-candlepin ~]# service ntpd stop
Shutting down ntpd:                                        [  OK  ]
[root@jsefler-f14-candlepin ~]# date
Fri Jan 31 13:27:31 EST 2014
[root@jsefler-f14-candlepin ~]# date -s '+15 year +9 month +2 day'
Thu Nov  2 14:27:40 EDT 2029


Now let's restart rhsmcertd and wait for a hard 2 minutes for the cert daemon to check for certificate updates with the server...

[root@jsefler-7 ~]# service rhsmcertd restart
Redirecting to /bin/systemctl restart  rhsmcertd.service
[root@jsefler-7 ~]# sleep 120
[root@jsefler-7 ~]# 


[root@jsefler-7 ~]# tail -f /var/log/rhsm/rhsmcertd.log
Fri Nov  2 14:43:21 2029 [INFO] rhsmcertd is shutting down...
Fri Nov  2 14:43:21 2029 [INFO] Starting rhsmcertd...
Fri Nov  2 14:43:21 2029 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Fri Nov  2 14:43:21 2029 [INFO] Cert check interval: 240.0 minute(s) [14400 second(s)]
Fri Nov  2 14:43:21 2029 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Fri Nov  2 14:45:23 2029 [INFO] (Auto-attach) Certificates updated.
Fri Nov  2 14:45:25 2029 [INFO] (Cert Check) Certificates updated.


[root@jsefler-7 ~]# subscription-manager identity 
system identity: 78ced260-c48a-4175-b61f-1a41cb97eb37
name: jsefler-7.usersys.redhat.com
org name: Admin Owner
org ID: admin
[root@jsefler-7 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
	Start Date: 2029-11-02 18:45:22+00:00
	End Date: 2045-11-02 18:45:22+00:00
                  ^^^^

VERIFIED: The rhsmcertd daemon has automatically updated the validity period for the same consumer UUID.  It is now valid for another 16 years!
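
Added example (not part of the bug report and not subscription-manager or candlepin code): a small Python check that reads the `End Date` from `rct cat-cert` output and evaluates the 90-day regeneration window on both the client and the server clock, using the values from comment 0. It assumes the window is judged on the candlepin server's clock, uses the bug's filing time as a constructed stand-in for the unchanged server clock, and `max_skew` is a hypothetical tolerance.

```python
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 90  # candlepin.identityCert.expiry.threshold default (comment 1)

# `rct cat-cert` lines copied from comment 0.
RCT_COMMENT0 = """\
Certificate:
\tPath: /etc/pki/consumer/cert.pem
\tStart Date: 2013-03-19 09:39:02+00:00
\tEnd Date: 2029-03-19 09:39:02+00:00
"""
# Client clock after `date -s` in comment 0.
CLIENT_NOW = datetime(2028, 12, 19, 10, 12, 26, tzinfo=timezone.utc)
# Constructed: server clock assumed untouched, so the filing time stands in.
SERVER_NOW = datetime(2013, 3, 19, 10, 24, 12, tzinfo=timezone.utc)


def end_date(rct_text):
    """Return the End Date from `rct cat-cert` text as an aware datetime."""
    for line in rct_text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key == "End Date":
            return datetime.fromisoformat(value.strip())
    raise ValueError("no End Date line in rct output")


def regeneration_due(not_after, now, threshold_days=THRESHOLD_DAYS):
    """True once `now` is within threshold_days of expiry, or past it."""
    return not_after - now <= timedelta(days=threshold_days)


def diagnose(rct_text, client_now, server_now, max_skew=timedelta(hours=1)):
    """Evaluate the window on both clocks; max_skew is a hypothetical tolerance."""
    not_after = end_date(rct_text)
    return {
        "client_due": regeneration_due(not_after, client_now),
        "server_due": regeneration_due(not_after, server_now),  # assumed to decide
        "clock_skew": abs(client_now - server_now) > max_skew,
        "days_left_on_server": (not_after - server_now).days,
    }


if __name__ == "__main__":
    print(diagnose(RCT_COMMENT0, CLIENT_NOW, SERVER_NOW))
```

With the comment 0 clocks, the client is inside the window while the server still sees roughly 16 years of validity, which matches the "clock skew" explanation in comment 1; with both clocks moved as in comment 3, both sides agree the cert is due.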

Comment 5 Ludek Smid 2014-06-13 13:22:49 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.