Description of problem:
Failed to auto-regenerate identity cert

Version-Release number of selected component (if applicable):
subscription-manager: 1.16.8-8.el6
python-rhsm: 1.16.6-1.el6

How reproducible:
always

Steps to Reproduce:
1. Register RHEL-6.8-20160407.0 to SAM-1.4.1-RHEL-6-20141113.0

2. Check the valid date of cert.
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem

+-------------------------------------------+
        Identity Certificate
+-------------------------------------------+

Certificate:
        Path: /etc/pki/consumer/cert.pem
        Version: 1.0
        Serial: 1751166070585918506
        Start Date: 2016-04-14 07:08:22+00:00
        End Date: 2032-04-14 07:08:22+00:00 <=====================
        Alt Name: DirName:/CN=dhcp-129-237.nay.redhat.com

Subject:
        CN: e70a2aec-bf97-4e42-8712-9b068ffcd690

Issuer:
        C: US
        CN: samserv.redhat.com
        L: Raleigh
        O: SomeOrg
        OU: SomeOrgUnit
        ST: North Carolina

3. Set the expiration date of the cert, both on client and server.
[root@dhcp-129-237 ~]# date -s "2032-04-15"
Thu Apr 15 00:00:00 EDT 2032

4. Restart rhsmcertd service.
[root@dhcp-129-237 ~]# service rhsmcertd restart
Stopping rhsmcertd... [ OK ]
Starting rhsmcertd... [ OK ]

5. Check the regeneration of cert.
[root@dhcp-129-237 ~]# sleep 180
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem

+-------------------------------------------+
        Identity Certificate
+-------------------------------------------+

Certificate:
        Path: /etc/pki/consumer/cert.pem
        Version: 1.0
        Serial: 1751166070585918506
        Start Date: 2016-04-14 07:08:22+00:00 <============
        End Date: 2032-04-14 07:08:22+00:00 <===========
        Alt Name: DirName:/CN=dhcp-129-237.nay.redhat.com

Subject:
        CN: e70a2aec-bf97-4e42-8712-9b068ffcd690

Issuer:
        C: US
        CN: samserv.redhat.com
        L: Raleigh
        O: SomeOrg
        OU: SomeOrgUnit
        ST: North Carolina

Actual results:
As step 5

Expected results:
The valid date in step 5, should start from 2032 to 2048

Additional info:
Attachments 'rhsm.log' and 'rhsmcertd.log'
Created attachment 1147060
rhsm.log

Created attachment 1147061
rhsmcertd.log
The test procedure in comment 0 is wrong. By advancing the date of the client and candlepin server beyond the expiration of the consumer cert, you have passed the window of opportunity for a consumer cert to be automatically regenerated by the candlepin server. Once the identity cert expires, it is too late to communicate with the candlepin server.

Here is the candlepin.conf configuration that governs the window of automatic identity cert generation...

# number of days before the expiration date for a consumer cert to be automatically regenerated during an rhsmcertd update (default is 90 days)
candlepin.identityCert.expiry.threshold = 90

Therefore, the test procedure in comment 0 should be changed to advance the clock to a few days *before* the identity certificate end date (not after) and re-tested.
Yes, John, I can make it by your suggestion.

Still using RHEL-6.8-20160407.0 and SAM-1.4.1-RHEL-6-20141113.0:

1. Registration and checking valid date of cert.pem.
[root@dhcp-129-237 ~]# subscription-manager register
Registering to: samserv.redhat.com:443/sam/api
Username: admin
Password:
The system has been registered with ID: df196400-f874-4ae8-b7d8-ff06a3e50c69
[root@dhcp-129-237 ~]# subscription-manager identity
system identity: df196400-f874-4ae8-b7d8-ff06a3e50c69
name: dhcp-129-237.nay.redhat.com
org name: ACME_Corporation
org ID: ACME_Corporation
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
Start Date: 2016-04-18 08:38:11+00:00
End Date: 2032-04-18 08:38:11+00:00 < =====

2. Set the proper system dates of server and client:
[root@dhcp-129-237 ~]# date -s 20320401
Thu Apr 1 00:00:00 EDT 2032
[root@samserv ~]# date -s 20320401
Thu Apr 1 00:00:00 EDT 2032

3. Restart rhsmcertd service and wait 2 minutes to check cert.pem.
[root@dhcp-129-237 ~]# service rhsmcertd restart
Stopping rhsmcertd... [ OK ]
Starting rhsmcertd... [ OK ]
[root@dhcp-129-237 ~]# sleep 120
[root@dhcp-129-237 ~]# subscription-manager identity
system identity: df196400-f874-4ae8-b7d8-ff06a3e50c69
name: dhcp-129-237.nay.redhat.com
org name: ACME_Corporation
org ID: ACME_Corporation
[root@dhcp-129-237 ~]# rct cat-cert /etc/pki/consumer/cert.pem | grep Date
Start Date: 2032-04-01 04:02:20+00:00 < =====
End Date: 2048-04-01 04:02:20+00:00

So close this bug.
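
The regeneration window discussed in the comments above, as an added example that is not part of the original bug report and is not Candlepin or subscription-manager code: it parses the date lines of `rct cat-cert` output and classifies a clock value against the threshold for both test runs in this thread. The window model (opens `threshold` days before End Date, closes at End Date) and the names `parse_validity` and `regeneration_state` are assumptions for illustration; the sample text is constructed from the outputs quoted in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Default quoted from candlepin.conf in the thread:
# candlepin.identityCert.expiry.threshold = 90
DEFAULT_THRESHOLD_DAYS = 90
DATE_LINE = re.compile(r"^\s*(Start|End) Date:\s*(\S+ \S+)", re.MULTILINE)
EDT = timezone(timedelta(hours=-4))  # zone shown in the thread's `date -s` output

# Constructed samples: date lines copied from the two certs shown in the thread.
CERT_FIRST_RUN = """Certificate:
    Start Date: 2016-04-14 07:08:22+00:00
    End Date: 2032-04-14 07:08:22+00:00 <=====
"""
CERT_SECOND_RUN = """    Start Date: 2016-04-18 08:38:11+00:00
    End Date: 2032-04-18 08:38:11+00:00 < =====
"""


def parse_validity(rct_output):
    """Return (start, end) as timezone-aware datetimes from `rct cat-cert` text."""
    found = {label: datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z")
             for label, value in DATE_LINE.findall(rct_output)}
    if set(found) != {"Start", "End"}:
        raise ValueError("Start Date / End Date not found in rct output")
    return found["Start"], found["End"]


def regeneration_state(end, now, threshold_days=DEFAULT_THRESHOLD_DAYS):
    """Classify `now` against the assumed window [end - threshold, end)."""
    if now >= end:
        return "expired"    # identity cert no longer valid for talking to the server
    if now >= end - timedelta(days=threshold_days):
        return "in_window"  # an rhsmcertd update can trigger regeneration
    return "not_due"


if __name__ == "__main__":
    runs = [("first run, clock 2032-04-15", CERT_FIRST_RUN, datetime(2032, 4, 15, tzinfo=EDT)),
            ("second run, clock 2032-04-01", CERT_SECOND_RUN, datetime(2032, 4, 1, tzinfo=EDT))]
    for label, text, now in runs:
        start, end = parse_validity(text)
        print(f"{label}: End Date {end.isoformat()} -> {regeneration_state(end, now)}")
```
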