Bug 1013802 - cert generation should use config variable to control cert expiration
Status: CLOSED ERRATA
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: RHUA
Version: 2.1.2
Hardware: Unspecified, OS: Unspecified
Priority: unspecified, Severity: unspecified
Target Release: 3.0.0
Assigned To: Patrick Creech
QA Contact: Irina Gulina
Reported: 2013-09-30 15:48 EDT by dgao
Modified: 2017-03-01 17:07 EST
Doc Type: Bug Fix
: 1415097 (view as bug list)
Last Closed: 2017-03-01 17:07:59 EST
Type: Bug
Description dgao 2013-09-30 15:48:20 EDT
Long term fix for: 

https://bugzilla.redhat.com/show_bug.cgi?id=1007662

When RHUA generates certs, it should use a configurable item to control when a cert would expire.
Comment 6 Patrick Creech 2016-03-30 10:46:03 EDT
Fixing version assignment
Comment 7 Patrick Creech 2016-06-16 14:34:30 EDT
RHUI-3 uses a different installer that allows you to specify certificate expiration in days
Comment 9 Irina Gulina 2016-11-17 08:41:00 EST
On 20161115 iso, 

1) if the cert expires, the user will see: 

RHUI Username: admin
RHUI Password: 
Server certificate is not signed by a trusted authority.

Is it too generic maybe? What about adding smth like: "or has expired"

2) --certs-ca-expiration is checked to be an integer. However it shouldn't be a negative or zero integer.

rhui-installer --certs-ca-expiration=string
Parameter certs-ca-expiration invalid
Error during configuration, exiting
Please check the settings in /etc/rhui-installer/answers.yaml
[root@ns01 ~]# rhui-installer --certs-ca-expiration=1.05
Parameter certs-ca-expiration invalid
Error during configuration, exiting
Please check the settings in /etc/rhui-installer/answers.yaml
[root@ns01 ~]# rhui-installer --certs-ca-expiration=''
Parameter certs-ca-expiration invalid
Error during configuration, exiting
Please check the settings in /etc/rhui-installer/answers.yaml
[root@ns01 ~]# rhui-installer --certs-ca-expiration=0
Preparing installation Debug: Automatically imported concat from concat i^C/usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `each': Interrupt
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `block in run_installation'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `spawn'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `run_installation'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:149:in `execute'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:156:in `run'
	from /sbin/rhui-installer:5:in `<main>'

[root@ns01 ~]# rhui-installer --certs-ca-expiration=-100
Preparing installation Done                                              
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/kafo/configuration.log
Please check the settings in /etc/rhui-installer/answers.yaml
[root@ns01 ~]# rhui-installer --certs-ca-expiration=100
Preparing installation Debug: importing '/usr/share/rhui-installer/module^C/usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `each': Interrupt
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `block in run_installation'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `spawn'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `run_installation'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:149:in `execute'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
	from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:156:in `run'
	from /sbin/rhui-installer:5:in `<main>'
Comment 10 Radek Bíba 2016-12-20 10:44:15 EST
With certs-ca-expiration <= 0, I get:

# rhui-installer --certs-ca-expiration=-100
 validate_integer(): Expected -100 to be greater or equal to 1, got -100. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com
 validate_integer(): Expected -100 to be greater or equal to 1, got -100. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com
Preparing installation Done                                              
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/kafo/configuration.log
Please check the settings in /etc/rhui-installer/answers.yaml

That's better, although one could argue that it's a very technical error message.

As for expired cert, I didn't try using one, but I still see:

/usr/lib/python2.7/site-packages/rhui/tools/launcher.py:142:        prompt.write(prompt.color(_('Server certificate is not signed by a trusted authority.'),

(So, no "or has expired".)

Leaving in ON_QA.
Comment 11 Patrick Creech 2017-01-19 10:24:56 EST
Given the proximity to releasing GA at this point, the plan is to move the "or has expired" portion to its own bug, and QA the rest against the GA build.
Comment 12 Radek Bíba 2017-01-20 04:06:26 EST
(In reply to Irina Gulina from comment #9)
> On 20161115 iso, 
> 
> 1) if the cert expires, the user will see: 
> 
> RHUI Username: admin
> RHUI Password: 
> Server certificate is not signed by a trusted authority.
> 
> Is it too generic maybe? What about adding smth like: "or has expired"

Filed bug 1415097 to track this post GA.

> 2) --certs-ca-expiration is checked to be an integer. However it shouldn't
> be a negative or zero integer.

This is (still) handled correctly in build 20170118:

With 0:
 validate_integer(): Expected 0 to be greater or equal to 1, got 0. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com

With a negative integer:
 validate_integer(): Expected -100 to be greater or equal to 1, got -100. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com

With a non-integer parameter:
Parameter certs-ca-expiration invalid
Comment 14 errata-xmlrpc 2017-03-01 17:07:59 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367
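
The two points raised in comments 9 to 12, as an added example that is not part of the bug thread and not rhui-installer code: a lifetime of 0 or -100 days yields a CA that is already expired at issue, and OpenSSL reports expiry with a different verify code than an untrusted issuer, so the two cases can be told apart in an error message. The helper names, subject names and issue date are constructed for illustration.

```ruby
require "openssl"

# Hypothetical validator: accept only a whole number of days, 1 or more.
def parse_expiration_days(raw)
  s = raw.to_s
  unless s.match?(/\A-?\d+\z/)
    raise ArgumentError, "expiration must be a whole number of days, got #{raw.inspect}"
  end
  days = s.to_i
  raise ArgumentError, "expiration must be at least 1 day, got #{days}" if days < 1
  days
end

# Build a self-signed CA valid for `days` from `issued_at`. Deliberately
# unvalidated so the effect of 0 or a negative lifetime can be observed.
def build_ca(key, cn, days, issued_at)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = issued_at
  cert.not_after = issued_at + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `cert` at time `at` against a store that trusts only `anchor`;
# return OpenSSL's numeric verify code (0 means OK).
def verify_code(cert, anchor, at)
  store = OpenSSL::X509::Store.new
  store.add_cert(anchor)
  store.time = at
  store.verify(cert)
  store.error
end

ISSUED   = Time.utc(2017, 1, 18) # constructed issue time
CHECK_AT = ISSUED + 60           # verification one minute after issue
KEY      = OpenSSL::PKey::RSA.new(2048)

# The values tried in the thread: only "100" passes validation.
["string", "1.05", "", "0", "-100", "100"].each do |raw|
  days = parse_expiration_days(raw)
  ca = build_ca(KEY, "Constructed Example CA", days, ISSUED)
  puts "#{raw.inspect}: accepted, verify code #{verify_code(ca, ca, CHECK_AT)}"
rescue ArgumentError => e
  puts "#{raw.inspect}: rejected (#{e.message})"
end
```

Calling `build_ca` directly with 0 or -100 days and passing the result to `verify_code` returns `OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED`, while a valid CA that is not in the store returns `OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT`.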
