Bug 1419576 - [RFE] Set certificate start time to one hour before current time instead of current time.
Alias: None
Product: Candlepin
Classification: Community
Component: candlepin
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 2.0
Assignee: William Poteat
QA Contact: Katello QA List
Duplicates: 1187662 1423768
Depends On:
Blocks: 1214240
Reported: 2017-02-06 14:44 UTC by Stephen Benjamin
Modified: 2021-03-18 11:24 UTC (History)

Fixed In Version: candlepin-2.0.30-1
Last Closed: 2017-08-22 18:12:01 UTC

System ID Private Priority Status Summary Last Updated
Github /candlepin candlepin pull 1493 0 None None None 2020-05-07 02:56:34 UTC

Description Stephen Benjamin 2017-02-06 14:44:23 UTC
For Satellite, we issue all certificates from a Candlepin instance running on the main server; however, we end up verifying the certificates on the capsule through an RHSM proxy.

When using subscription-manager to register a host, and if the Satellite and Capsule do not have *exact* time synchronization, then the subscription-manager register request succeeds, the client gets issued a certificate, and then it tries almost immediately to make a second connection using its new client certificate and fails.

Because of how the capsule is set up, we do the verification on the certificate there - and if the capsule's time is slightly behind the satellite, then the capsule thinks the certificate isn't valid yet, i.e. it's issued for a future time.  This happens even with a couple of seconds difference.

Would it be possible to issue these certificates at the start of the day?

Comment 1 Chris Snyder 2017-02-06 15:35:22 UTC
Would issuing the certificates 1 hour before the current time be sufficient to accommodate capsule time skew? Starting on the beginning of the day every day would result in this issue occurring again once a day.

Comment 2 Stephen Benjamin 2017-02-06 15:38:10 UTC
They'd have to run subscription-manager within a few seconds of 00:00 to cause the problem, but I guess that could still be an issue.  An hour before would work perfectly. If you'd rather not hard code something maybe we could have Katello send the start time for the cert in the API call.
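
The three start-time policies weighed in the description and comments 1 and 2, compared in an added example that is not Candlepin's code. The policy names, the 1-second client delay and the sample date are assumptions of this example; it counts how many issue times per day a verifier with a lagging clock would reject.

```python
from datetime import datetime, timedelta, timezone

DAY = datetime(2017, 2, 6, tzinfo=timezone.utc)  # constructed sample date

def not_before(policy, issued_at):
    """Certificate start time under each policy (names are this example's own)."""
    if policy == "now":            # original behaviour: start = issue time
        return issued_at
    if policy == "start_of_day":   # proposal in the description
        return issued_at.replace(hour=0, minute=0, second=0, microsecond=0)
    if policy == "minus_1h":       # proposal in comment 1
        return issued_at - timedelta(hours=1)
    raise ValueError(f"unknown policy: {policy}")

def accepted(policy, issued_at, verifier_lag, delay=timedelta(seconds=1)):
    """True if a verifier whose clock runs verifier_lag behind the issuer
    accepts the certificate when it is presented `delay` after issuance."""
    verifier_now = issued_at + delay - verifier_lag
    # X.509 validity check: the verifier's time must not precede notBefore.
    return verifier_now >= not_before(policy, issued_at)

def rejected_seconds_per_day(policy, verifier_lag, day=DAY):
    """Number of issue times (one per second of `day`) that get rejected."""
    return sum(
        not accepted(policy, day + timedelta(seconds=s), verifier_lag)
        for s in range(86400)
    )

if __name__ == "__main__":
    for lag in (timedelta(seconds=5), timedelta(hours=2)):
        for policy in ("now", "start_of_day", "minus_1h"):
            n = rejected_seconds_per_day(policy, lag)
            print(f"lag={lag} policy={policy:<12} rejected={n}/86400")
```

With a 5-second lag, the start-of-day policy still rejects registrations made in the first seconds after 00:00, and the one-hour backdate only covers a verifier lag of up to one hour plus the client delay.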

Comment 4 Kevin Howell 2017-02-20 15:04:30 UTC
*** Bug 1423768 has been marked as a duplicate of this bug. ***

Comment 6 Barnaby Court 2017-02-23 15:22:25 UTC
For temporary guest subscriptions the entitlement cert would start 1 hour before registration time instead of at the registration time. The end time remains unchanged.

Comment 7 William Poteat 2017-03-10 18:36:22 UTC
Pending change https://github.com/candlepin/candlepin/pull/1493

Comment 8 William Poteat 2017-03-27 19:07:16 UTC
Master commit 9302c8f57f37dd5ec3c4020770ac1675a87d99ba

Comment 9 Nikos Moumoulidis 2021-03-18 11:24:50 UTC
*** Bug 1187662 has been marked as a duplicate of this bug. ***
