Bug 1327053 - Failed to auto-regenerate identity cert
Summary: Failed to auto-regenerate identity cert
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.8
Target Milestone: rc
Assignee: candlepin-bugs
QA Contact: John Sefler
Reported: 2016-04-14 07:44 UTC by qianzhan
Modified: 2016-04-18 09:00 UTC (History)
Doc Type: Bug Fix
Last Closed: 2016-04-18 09:00:48 UTC

Attachments
rhsm.log (978.06 KB, text/plain)
2016-04-14 07:46 UTC, qianzhan
rhsmcertd.log (85.92 KB, text/plain)
2016-04-14 07:47 UTC, qianzhan

Description qianzhan 2016-04-14 07:44:18 UTC
Description of problem:
Failed to auto-regenerate identity cert

Version-Release number of selected component (if applicable):
subscription-manager: 1.16.8-8.el6
python-rhsm: 1.16.6-1.el6


How reproducible:
always

Steps to Reproduce:
1. Register RHEL-6.8-20160407.0 to SAM-1.4.1-RHEL-6-20141113.0
2. Check the valid date of cert.
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem 

+-------------------------------------------+
	Identity Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/consumer/cert.pem
	Version: 1.0
	Serial: 1751166070585918506
	Start Date: 2016-04-14 07:08:22+00:00
	End Date: 2032-04-14 07:08:22+00:00    <=====================
	Alt Name: DirName:/CN=dhcp-129-237.nay.redhat.com

Subject:
	CN: e70a2aec-bf97-4e42-8712-9b068ffcd690

Issuer:
	C: US
	CN: samserv.redhat.com
	L: Raleigh
	O: SomeOrg
	OU: SomeOrgUnit
	ST: North Carolina

3. Set the expiration date of the cert, both on client and server.
[root@dhcp-129-237 ~]# date -s "2032-04-15"
Thu Apr 15 00:00:00 EDT 2032

4. Restart rhsmcertd service.

[root@dhcp-129-237 ~]# service rhsmcertd restart
Stopping rhsmcertd...                                      [  OK  ]
Starting rhsmcertd...                                      [  OK  ]

5. Check the regeneration of cert.
[root@dhcp-129-237 ~]# sleep 180
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem 

+-------------------------------------------+
	Identity Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/consumer/cert.pem
	Version: 1.0
	Serial: 1751166070585918506
	Start Date: 2016-04-14 07:08:22+00:00 <============
	End Date: 2032-04-14 07:08:22+00:00   <===========
	Alt Name: DirName:/CN=dhcp-129-237.nay.redhat.com

Subject:
	CN: e70a2aec-bf97-4e42-8712-9b068ffcd690

Issuer:
	C: US
	CN: samserv.redhat.com
	L: Raleigh
	O: SomeOrg
	OU: SomeOrgUnit
	ST: North Carolina


Actual results:
As step 5

Expected results:
The valid date in step 5 should start from 2032 to 2048

Additional info:

Comment 1 qianzhan 2016-04-14 07:46:28 UTC
Attachments 'rhsm.log' and 'rhsmcertd.log'

Comment 2 qianzhan 2016-04-14 07:46:54 UTC
Created attachment 1147060
rhsm.log

Comment 3 qianzhan 2016-04-14 07:47:16 UTC
Created attachment 1147061
rhsmcertd.log

Comment 6 John Sefler 2016-04-15 13:38:23 UTC
The test procedure in comment 0 is wrong.  By advancing the date of the client and candlepin server beyond the expiration of the consumer cert, you have passed the window of opportunity for a consumer cert to be automatically regenerated by the candlepin server.  Once the identity cert expires, it is too late to communicate with the candlepin server.

Here is the candlepin.conf configuration that governs the window of automatic identity cert generation...

# number of days before the expiration date for a consumer cert to be automatically regenerated during an rhsmcertd update (default is 90 days)
candlepin.identityCert.expiry.threshold = 90


Therefore, the test procedure in comment 0 should be changed to advance the clock to a few days *before* the identity certificate end date (not after) and re-tested.
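
The window described in comment 6, as an added example (not part of the bug report, and not subscription-manager or candlepin code): it reads the End Date from `rct cat-cert` output and classifies a clock setting against the 90-day threshold. The function names and the exact boundary comparisons are assumptions; the sample text is constructed from the output in comment 0.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: date lines from the `rct cat-cert` output in comment 0,
# including the reporter's "<=====" marker, which the parser must tolerate.
SAMPLE_RCT_OUTPUT = """\
Certificate:
    Path: /etc/pki/consumer/cert.pem
    Start Date: 2016-04-14 07:08:22+00:00
    End Date: 2032-04-14 07:08:22+00:00    <=====================
"""

# Default of candlepin.identityCert.expiry.threshold quoted in comment 6.
DEFAULT_THRESHOLD_DAYS = 90

_END_DATE_RE = re.compile(
    r"End Date:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d\d:\d\d)")


def parse_end_date(rct_output):
    """Return the End Date in `rct cat-cert` text as a timezone-aware datetime."""
    match = _END_DATE_RE.search(rct_output)
    if match is None:
        raise ValueError("no 'End Date:' line found")
    return datetime.fromisoformat(match.group(1))


def regeneration_state(end_date, now, threshold_days=DEFAULT_THRESHOLD_DAYS):
    """Classify `now` against the regeneration window.

    Assumed model: the window opens threshold_days before end_date and closes
    at end_date; after that the cert can no longer be used to reach the server.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if now > end_date:
        return "expired"      # too late: window of opportunity has passed
    if now >= end_date - timedelta(days=threshold_days):
        return "in-window"    # an rhsmcertd update should get a new cert
    return "too-early"        # cert still valid, regeneration not yet due


if __name__ == "__main__":
    edt = timezone(timedelta(hours=-4))
    end = parse_end_date(SAMPLE_RCT_OUTPUT)
    # Clock from comment 0 (one day after End Date), then 17 days before it.
    for now in (datetime(2032, 4, 15, tzinfo=edt), datetime(2032, 3, 28, tzinfo=edt)):
        print(now.isoformat(), regeneration_state(end, now))
```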

Comment 8 qianzhan 2016-04-18 09:00:48 UTC
Yes, John

I can make it work by following your suggestion.

Still using RHEL-6.8-20160407.0 and SAM-1.4.1-RHEL-6-20141113.0:

1. Registration and checking valid date of cert.pem.

[root@dhcp-129-237 ~]# subscription-manager register
Registering to: samserv.redhat.com:443/sam/api
Username: admin
Password: 
The system has been registered with ID: df196400-f874-4ae8-b7d8-ff06a3e50c69 

[root@dhcp-129-237 ~]# subscription-manager identity
system identity: df196400-f874-4ae8-b7d8-ff06a3e50c69
name: dhcp-129-237.nay.redhat.com
org name: ACME_Corporation
org ID: ACME_Corporation

[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
	Start Date: 2016-04-18 08:38:11+00:00
	End Date: 2032-04-18 08:38:11+00:00     < ===== 

2. Set the proper system dates on server and client:

[root@dhcp-129-237 ~]# date -s 20320401
Thu Apr  1 00:00:00 EDT 2032

[root@samserv ~]# date -s 20320401
Thu Apr  1 00:00:00 EDT 2032

3. Restart rhsmcertd service and wait 2 minutes to check cert.pem.

[root@dhcp-129-237 ~]# service rhsmcertd restart
Stopping rhsmcertd...                                      [  OK  ]
Starting rhsmcertd...                                      [  OK  ]

[root@dhcp-129-237 ~]# sleep 120

[root@dhcp-129-237 ~]# subscription-manager identity
system identity: df196400-f874-4ae8-b7d8-ff06a3e50c69
name: dhcp-129-237.nay.redhat.com
org name: ACME_Corporation
org ID: ACME_Corporation

[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
	Start Date: 2032-04-01 04:02:20+00:00   < =====
	End Date: 2048-04-01 04:02:20+00:00


So close this bug.

