Description of problem:

# openssl x509 -text -in /etc/pki/rhua/user-ca-cert.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b1:c4:bb:39:ec:39:2c:d1
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=RHUI User PKI
        Validity
            Not Before: Aug 26 11:00:21 2013 GMT
            Not After : Aug 26 11:00:21 2014 GMT
        Subject: CN=RHUI User PKI
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Update_Infrastructure/2.1/html-single/Administration_Guide/index.html#chap-Administration_Guide-Repositories

The following certificates generated by nss-db-gen have an expiration date:
/etc/pki/rhua/qpid-ca.crt
/etc/pki/rhua/qpid-client.crt
/etc/pki/rhua/user-ca-cert.crt

Actually the above explanation is not correct: when the user modifies the VALID parameter and then rebuilds the rpm packages, user-ca-cert.crt's expiration date is only 365 days. After these days, the pulp web server's certificate does not work, and then the user has to modify the source code below.

/usr/lib/python2.6/site-packages/rhui/rpm/rhua.py

# Create certificate
cmd = 'openssl req -new -x509 -subj "/CN=RHUI User PKI" -days 365 -key %s -out %s' % (private_key_filename, cert_filename)
LOG.info('Creating user PKI certificate [%s]' % cmd)
p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()

Package name is "rh-rhui-tools-2.1.19-1.el6_4.noarch".

Expected results:
Please modify the rhua.py source code for at least 4 or 5 years, or add this to the administrator doc.

Additional info:
I changed the source as shown below and then ran "rhui-installer myanswer".

Before:

/usr/lib/python2.6/site-packages/rhui/rpm/rhua.py

# Create certificate
cmd = 'openssl req -new -x509 -subj "/CN=RHUI User PKI" -days 365 -key %s -out %s' % (private_key_filename, cert_filename)
LOG.info('Creating user PKI certificate [%s]' % cmd)
p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()

After:

/usr/lib/python2.6/site-packages/rhui/rpm/rhua.py

# Create certificate
cmd = 'openssl req -new -x509 -subj "/CN=RHUI User PKI" -days 3650 -key %s -out %s' % (private_key_filename, cert_filename)
LOG.info('Creating user PKI certificate [%s]' % cmd)
p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: e4:1c:dc:52:26:b4:62:07
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=RHUI User PKI
        Validity
            Not Before: Sep 13 13:35:40 2013 GMT
            Not After : Sep 11 13:35:40 2023 GMT
        Subject: CN=RHUI User PKI
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
Hello, I understand the issue you have filed a BZ on; we should extend the life of the 'user-ca-cert.crt'. Makes sense and we'll bump it up.
commit to cloude repo: 5800bddaedf19dfcd43e73a53ca85053c3773c91

[root@test_ec2 tmp$ openssl x509 -in etc/pki/rhua/user-ca-cert.crt -text | less
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: da:76:80:bb:24:41:4e:fb
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=RHUI User PKI
        Validity
            Not Before: Sep 30 19:40:50 2013 GMT
            Not After : Sep 28 19:40:50 2023 GMT
Looks like cert life was extended to 20 years.

commit cloude repo 789bb966f31ad48bd9e440c113598a6bc452e839

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: eb:e5:f0:f7:9f:1b:4a:ca
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=RHUI User PKI
        Validity
            Not Before: Nov 6 09:32:59 2013 GMT
            Not After : Nov 1 09:32:59 2033 GMT

tested in
pulp-0.0.263-40.el6_5.noarch
rh-rhui-tools-2.1.28-1.el6_5.noarch
rh-rhui-tools-debug-script-2.1.28-1.el6_5.noarch

Move to Verified.
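Added example, not part of the bug report or of rh-rhui-tools: the validity check done by eye in the comments above, as a Python helper that reads the Validity block of "openssl x509 -text" output and reports the certificate's total lifetime and the days left. The function names, the 30-day warning threshold and the reference date are assumptions; the two sample blocks are the Validity lines quoted in this report.

```python
import re
from datetime import datetime, timedelta, timezone

# Validity lines as printed by "openssl x509 -text" (GMT timestamps).
_VALIDITY = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4}) GMT")

# Validity blocks quoted in this report (original and verified builds).
ORIGINAL_365 = """Validity
    Not Before: Aug 26 11:00:21 2013 GMT
    Not After : Aug 26 11:00:21 2014 GMT"""
FIXED_20Y = """Validity
    Not Before: Nov 6 09:32:59 2013 GMT
    Not After : Nov 1 09:32:59 2033 GMT"""


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes."""
    found = {}
    for kind, stamp in _VALIDITY.findall(text):
        stamp = " ".join(stamp.split())  # openssl pads single-digit days
        found[kind] = datetime.strptime(
            stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def audit(text, now, warn_days=30):
    """Report lifetime, days left and a status for one certificate dump."""
    not_before, not_after = parse_validity(text)
    left = not_after - now
    if left <= timedelta(0):
        status = "EXPIRED"
    elif left <= timedelta(days=warn_days):
        status = "EXPIRING"
    else:
        status = "OK"
    return {"lifetime_days": (not_after - not_before).days,
            "days_left": left.days, "status": status}


if __name__ == "__main__":
    now = datetime(2014, 8, 1, tzinfo=timezone.utc)  # assumed reference date
    for name, dump in (("original", ORIGINAL_365), ("fixed", FIXED_20Y)):
        print(name, audit(dump, now))
```

Piping the output of "openssl x509 -text -in /etc/pki/rhua/user-ca-cert.crt" into audit() from a scheduled job gives a warning before the RHUI User PKI certificate lapses.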
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1854.html