For Satellite, we issue all certificates from a Candlepin instance running on the main server; however, we end up verifying the certificates on the capsule through an RHSM proxy.
When using subscription-manager to register a host, and if the Satellite and Capsule do not have *exact* time synchronization, then the subscription-manager register request succeeds, the client gets issued a certificate, and then it tries almost immediately to make a second connection using its new client certificate and fails.
Because of how the capsule is set up, we do the verification on the certificate there - and if the capsule's time is slightly behind the satellite, then the capsule thinks the certificate isn't valid yet, i.e. it's issued for a future time. This happens even with a couple of seconds difference.
Would it be possible to issue these certificates at the start of the day?
Would issuing the certificates 1 hour before the current time be sufficient to accommodate capsule time skew? Starting on the beginning of the day every day would result in this issue occurring again once a day.
They'd have to run subscription-manager within a few seconds of 00:00 to cause the problem, but I guess that could still be an issue. An hour before would work perfectly. If you'd rather not hard code something maybe we could have Katello send the start time for the cert in the API call.
*** Bug 1423768 has been marked as a duplicate of this bug. ***
For temporary guest subscriptions the entitlement cert would start 1 hour before registration time instead of at the registration time. The end time remains unchanged.
Pending change https://github.com/candlepin/candlepin/pull/1493
Master commit 9302c8f57f37dd5ec3c4020770ac1675a87d99ba
*** Bug 1187662 has been marked as a duplicate of this bug. ***
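The three start-time options discussed in this thread (issue at the current time, at the start of the day, or 1 hour before) can be compared with a small model. This is an added example, not Candlepin or Katello code; the policy names, the 1-second client delay and the sample date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def not_before(issued_at, policy):
    """Start of validity the issuer would write into the cert under `policy`."""
    if policy == "now":
        return issued_at
    if policy == "start_of_day":
        return issued_at.replace(hour=0, minute=0, second=0, microsecond=0)
    if policy == "hour_before":
        return issued_at - timedelta(hours=1)
    raise ValueError(f"unknown policy: {policy}")

def verifier_accepts(issued_at, policy, verifier_lag, delay=timedelta(seconds=1)):
    """True if a verifier whose clock runs `verifier_lag` behind the issuer
    sees the cert as already valid when the client presents it `delay`
    after issuance (the immediate second connection described above)."""
    verifier_now = issued_at + delay - verifier_lag
    return verifier_now >= not_before(issued_at, policy)

def failing_seconds_per_day(policy, verifier_lag):
    """Count the registration times (1 s steps over one day) that get rejected."""
    day = datetime(2017, 3, 1, tzinfo=timezone.utc)  # constructed sample date
    return sum(
        not verifier_accepts(day + timedelta(seconds=s), policy, verifier_lag)
        for s in range(86400)
    )

if __name__ == "__main__":
    for lag in (timedelta(seconds=5), timedelta(hours=2)):
        for policy in ("now", "start_of_day", "hour_before"):
            n = failing_seconds_per_day(policy, lag)
            print(f"verifier lag {lag}, policy {policy}: {n} failing seconds/day")
```

With a 5-second lag, start-of-day issuance still leaves a short rejection window right after 00:00, and backdating by 1 hour only absorbs skew smaller than that hour.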