Description of problem:
When adding a new custom product into Satellite, it is not available to the content hosts.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a new custom product
2. Attach its subscription to a content host
3. Log in to the host and run:
subscription-manager list --consumed
Actual results:
The subscription of the custom product is not consumed by the host
Expected results:
The subscription of the custom product should be consumed by the host
The issue is caused by the expiry date of the subscription. It is set as 2050-01-02 11:40:40 +1000. According to this code
No certificate is issued thus none of the hosts can consume that subscription.
According to RFC 5280 for X.509 PKI certificates:
CAs conforming to this profile MUST always encode certificate
validity dates through the year 2049 as UTCTime; certificate validity
dates in 2050 or later MUST be encoded as GeneralizedTime.
Conforming applications MUST be able to process validity dates that
are encoded in either UTCTime or GeneralizedTime.
The validity period for a certificate is the period of time from
notBefore through notAfter, inclusive.
Seems like subscription-manager (python-rhsm) might use only UTCTime, so it can't consume certificates with expiration dates later than 2050. Since new custom products in Satellite get certificates with +30 years validity, all custom products created in 2020 might not be accessible by clients.
The workaround would be publishing repository content over HTTP and consuming it directly, or changing the expiration date in the db, running a Katello reimport and subscription-manager refresh on the clients.
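The RFC 5280 encoding rule quoted above, as an added example that is not part of the original report and is not subscription-manager, python-rhsm or Katello code: it DER-encodes a validity date the way a conforming CA must and shows which dates a reader that only understands UTCTime would reject. The `accept_generalized` flag and the `check` helper are hypothetical names used to model such a reader, and the 2049 date's timezone is assumed to be UTC.

```python
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18  # ASN.1 universal tag numbers

def encode_time(dt):
    """DER-encode a validity date as RFC 5280 requires of a conforming CA."""
    if dt.tzinfo is None:
        raise ValueError("timezone-aware datetime required")
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:              # through 2049: UTCTime, YYMMDDHHMMSSZ
        tag, text = UTC_TIME, dt.strftime("%y%m%d%H%M%SZ")
    else:                                    # 2050 or later: GeneralizedTime
        tag, text = GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ")
    return bytes([tag, len(text)]) + text.encode("ascii")

def decode_time(der, accept_generalized=True):
    """Decode a DER Time. accept_generalized=False models a UTCTime-only reader."""
    if len(der) < 2 or der[1] != len(der) - 2:
        raise ValueError("length octet does not match content")
    tag, text = der[0], der[2:].decode("ascii")
    if tag == UTC_TIME and len(text) == 13:
        yy = int(text[:2])                   # RFC 5280: YY >= 50 is 19YY, else 20YY
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif not (tag == GENERALIZED_TIME and len(text) == 15 and accept_generalized):
        raise ValueError(f"unsupported time encoding, tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# Dates taken from the report; the 2049 date's timezone is assumed to be UTC.
EXPIRY_2050 = datetime(2050, 1, 2, 11, 40, 40, tzinfo=timezone(timedelta(hours=10)))
EXPIRY_2049 = datetime(2049, 12, 1, 0, 0, 0, tzinfo=timezone.utc)

def check(dt):
    """Return (encoding name, readable by a UTCTime-only client?) for one date."""
    der = encode_time(dt)
    try:
        decode_time(der, accept_generalized=False)
        legacy_ok = True
    except ValueError:
        legacy_ok = False
    return ("UTCTime" if der[0] == UTC_TIME else "GeneralizedTime"), legacy_ok

if __name__ == "__main__":
    for d in (EXPIRY_2049, EXPIRY_2050):
        print(d.isoformat(), check(d), encode_time(d).hex())
```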
Upstream bug assigned to jsherril
We are working on a fix for this BZ that will land in 6.4, 6.5 and 6.6
Verified in Satellite 6.7 Snap 9
After creating a custom product/repo, the host was able to successfully consume the subscription and all repository details are in place.
[root@prehost ~]# cat /etc/yum.repos.d/redhat.repo
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
# *** This file is auto-generated. Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/4734746291144165060.pem
baseurl = https://my.sat.host/pulp/repos/Default_Organization/Library/custom/custom/test
sslverify = 1
name = test
sslclientkey = /etc/pki/entitlement/4734746291144165060-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1
I have a customer who is on Satellite 6.6.2, and it seems that he has applied the 6.6 patch: https://bugzilla.redhat.com/show_bug.cgi?id=1789888
but he is still facing the same issue.
Is there anyone else facing it even after applying the patch? Also, he created a custom product with end date 2049/12/01 00:00:00, so the script does not help in this case.
Can someone look into this?
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.