The existing code in the satellite validates that the cert is still valid when a satellite logs in. That works for 340 satellites, but it will fail for previous satellites, because their certs aren't using the format that the Python code understands. We need to only do the check for 340 satellites or later. This will require a new column in rhnSatelliteInfo, Version, and a script to populate version from the certs in the existing database. Once that column is added, the code should be changed to respect the version column.
on dev now
re-opening to track the code changes
Part of the fix for this bug has to ensure that satellite sync will fail when the satellite cert has expired.
This is fixed now, we only validate certs for version 3.4 or higher. Test plan: 1) Activate a satellite using an expired cert for satellite 3.2, make sure you can still sat sync. 2) Activate a satellite using an expired cert for satellite 3.4, make sure you can't sat sync. 3) Activate a satellite using a non-expired cert for satellite 3.4, make sure you can sat sync.
Couple of things: sat-sync will not work if the cert is removed, good thing because of our error checking capabilities in the UI now, I'm not allowed to put in a cert that is expired. The only way to test this is to insert a cert that will expire tomorrow and check it then. Even after the cert has been removed and the sat can no longer sat-sync, I'm still able to log into the sat and use it. I think this is correct behavior. And lastly: since someone can use the satellite after it expires, what's to stop them from doing a disconnected sat-sync?
If the satellite doesn't have a cert or if the cert is expired, you shouldn't be able to login to the satellite anymore, either through up2date or through the web ui. If you can, that is a bug.
Fanny, the new UI features won't allow you to put an expired cert on the sat. There is a 3.4 cert called expired. I recommend bumping up the date to tomorrow and getting it signed, then putting it on a sat and waiting a day.
You cannot login to the website, but you can perform a "satellite-sync --list-channel"... And you should not be able to do so with an expired cert.
This was an invalid test (spoke to Fanny already). We tested after moving the sat's date past the expiration day, but sat-sync is failed by hosted, so if hosted doesn't know the cert has expired, the sync will succeed.
QA push. {ON_DEV,QA_READY} --> ON_QA
Actually, satsync is not properly syncing the cert.
satellite-sync now properly syncs the cert. Fanny, I have deployed the fix on farm02 so you can go on with the testing.
rhns version 3.6.1-18 btw...
When the cert is expired you cannot satellite-sync, up2date, rhn_check, etc... Which are all valid things you cannot do when the cert is expired, however, you can still navigate the webUI (satellite) with no problem. I think the fix should prevent you from navigating the webUI.
Fixed. The code was always getting the latest possible date from the database, but it needed to get the highest versioned cert, and get the expires for that date.
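An added illustration of the two rules this thread settles on (not the project's code): skip the expiry check for certs older than 3.4, and take the expiry from the highest versioned cert rather than the latest date stored. The row shape, function names and sample rows are assumptions made for the example, as is treating the expiry date itself as still valid.

```python
from datetime import date
from typing import NamedTuple


class StoredCert(NamedTuple):
    # Hypothetical row shape; the real schema is not shown in the thread.
    cert_version: int     # revision counter, higher means a newer cert
    product_version: str  # satellite version the cert was issued for
    expires: date


MIN_CHECKED = (3, 4)  # thread: only certs for version 3.4 or higher are validated


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def expiry_buggy(certs):
    """Pre-fix behaviour from the thread: latest expiry date of any stored cert."""
    return max(c.expires for c in certs)


def expiry_fixed(certs):
    """Post-fix behaviour: expiry date of the highest versioned cert only."""
    return max(certs, key=lambda c: c.cert_version).expires


def may_sync(certs, today, expiry_of=expiry_fixed):
    if not certs:
        return False  # no cert on record: deny
    current = max(certs, key=lambda c: c.cert_version)
    if parse_version(current.product_version) < MIN_CHECKED:
        return True   # older cert format is not validated
    return today <= expiry_of(certs)


# Constructed sample: an older cert revision with a later expiry date is still
# stored next to the current, already expired one.
CERTS = [
    StoredCert(1, "3.4", date(2005, 12, 31)),
    StoredCert(2, "3.4", date(2004, 11, 30)),
]
TODAY = date(2004, 12, 8)

if __name__ == "__main__":
    print("buggy lookup allows sync:", may_sync(CERTS, TODAY, expiry_buggy))
    print("fixed lookup allows sync:", may_sync(CERTS, TODAY))
```

With the date-based lookup, any superseded cert that carries a later expiry keeps an expired satellite working, which is why the selection has to key on the cert version.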
ON_QA en masse for 2004-12-08 QA push
Looks good on QA.
Mass move from PROD_READY to CLOSED:CURRENTRELEASE