Bug 1789654 (sat6-y2k20) - Custom products created after JAN-2020 can't be consumed by hosts [NEEDINFO]
Summary: Custom products created after JAN-2020 can't be consumed by hosts
Keywords:
Status: CLOSED ERRATA
Alias: sat6-y2k20
Product: Red Hat Satellite
Classification: Red Hat
Component: Content Management
Version: 6.6.0
Hardware: All
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: 6.7.0
Assignee: Justin Sherrill
QA Contact: jcallaha
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-10 02:03 UTC by matt jia
Modified: 2020-10-13 16:49 UTC

Fixed In Version: tfm-rubygem-katello-3.14.0.4-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1789886 1789887 1789888
Environment:
Last Closed: 2020-04-14 13:28:29 UTC
Target Upstream Version:
jfrancoa: needinfo? (vdeshpan)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 28714 Normal Closed custom products can't be consumed by hosts 2020-10-22 08:59:23 UTC
Github Katello katello pull 8507 None closed Fixes #28714 - Limit the certificate end date to late 2049 2020-10-22 08:59:24 UTC
Red Hat Knowledge Base (Solution) 4729031 None None None 2020-01-13 01:58:45 UTC
Red Hat Product Errata RHSA-2020:1454 None None None 2020-04-14 13:28:44 UTC

Description matt jia 2020-01-10 02:03:00 UTC
Description of problem:

When adding a new custom product into Satellite, it is not available to the content hosts.

Version-Release number of selected component (if applicable):

Easy


How reproducible:

Steps to Reproduce:
1. Create a new custom product
2. Attach its subscription to a content host
3. Log in to the host and run:

subscription-manager refresh
subscription-manager list --consumed

Actual results:

The subscription of the custom product is not consumed by the host


Expected results:

The subscription of the custom product should be consumed by the host


Additional info:

The issue is caused by the expiry date of the subscription. It is set as 2050-01-02 11:40:40 +1000. According to this code

https://github.com/candlepin/candlepin/blob/5b87865f304555c112982af4fbc83a1c463d37b2/server/src/main/java/org/candlepin/model/UeberCertificateGenerator.java#L263

No certificate is issued thus none of the hosts can consume that subscription.

Comment 4 Alexey Masolov 2020-01-10 02:41:00 UTC
According to RFC 5280 for X.509 PKI certificates:

   CAs conforming to this profile MUST always encode certificate
   validity dates through the year 2049 as UTCTime; certificate validity
   dates in 2050 or later MUST be encoded as GeneralizedTime.
   Conforming applications MUST be able to process validity dates that
   are encoded in either UTCTime or GeneralizedTime.

   The validity period for a certificate is the period of time from
   notBefore through notAfter, inclusive.

It seems that subscription-manager (python-rhsm) might use only UTCTime, so it can't consume certificates with expiration dates later than 2050. Since new custom products in Satellite get certificates with +30 years validity, all custom products created in 2020 might not be accessible by clients.

The workaround would be publishing repository content over HTTP and consuming it directly, or changing the expiration date in the db, running Katello reimport and subscription-manager refresh on the clients.
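
The RFC 5280 rule quoted in comment 4 and the cap named in the fix title ("Limit the certificate end date to late 2049"), as an added example that is not code from this bug, Katello, Candlepin or subscription-manager. The `utctime_only` switch models the UTCTime-only parser comment 4 hypothesizes, and the exact cap value `LAST_UTCTIME` is an assumption.

```python
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18  # ASN.1 universal tags
# Assumption: last second UTCTime can express under RFC 5280, used as the cap here.
LAST_UTCTIME = datetime(2049, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
# The expiry quoted in the bug description: 2050-01-02 11:40:40 +1000.
REPORTED = datetime(2050, 1, 2, 11, 40, 40, tzinfo=timezone(timedelta(hours=10)))


def encode_validity_time(moment):
    """DER-encode notBefore/notAfter per RFC 5280: UTCTime through 2049, else GeneralizedTime."""
    moment = moment.astimezone(timezone.utc)
    if 1950 <= moment.year <= 2049:
        tag, text = UTC_TIME, moment.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = GENERALIZED_TIME, moment.strftime("%Y%m%d%H%M%SZ")
    return bytes([tag, len(text)]) + text.encode("ascii")


def decode_validity_time(der, utctime_only=False):
    """Decode a DER time; utctime_only models a parser without GeneralizedTime support."""
    tag, text = der[0], der[2:].decode("ascii")
    if der[1] != len(text):
        raise ValueError("length octet does not match content")
    if tag == UTC_TIME:
        # RFC 5280 pivot: YY >= 50 means 19YY, YY < 50 means 20YY.
        century = "19" if int(text[:2]) >= 50 else "20"
        text = century + text
    elif tag != GENERALIZED_TIME or utctime_only:
        raise ValueError("unsupported time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def clamp_not_after(requested):
    """Cap an end date so it still encodes as UTCTime."""
    return min(requested.astimezone(timezone.utc), LAST_UTCTIME)


if __name__ == "__main__":
    for label, value in (("requested", REPORTED), ("clamped", clamp_not_after(REPORTED))):
        der = encode_validity_time(value)
        try:
            print(label, der, decode_validity_time(der, utctime_only=True))
        except ValueError as err:
            print(label, der, "rejected:", err)
```

The reported expiry crosses the 2050 boundary by only two days, which is enough to switch the encoding from tag 0x17 to tag 0x18.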

Comment 10 Bryan Kearney 2020-01-10 15:04:37 UTC
Upstream bug assigned to jsherril@redhat.com

Comment 11 Bryan Kearney 2020-01-10 15:04:39 UTC
Upstream bug assigned to jsherril@redhat.com

Comment 14 Mike McCune 2020-01-10 21:00:13 UTC
We are working on a fix for this BZ that will land in 6.4, 6.5 and 6.6

Comment 16 jcallaha 2020-01-24 21:46:43 UTC
Verified in Satellite 6.7 Snap 9

After creating a custom product/repo, the host was able to successfully consume the subscription and all repository details are in place.

[root@prehost ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# *** This file is auto-generated.  Changes made here will be over-written. ***
# *** Use "subscription-manager repo-override --help" if you wish to make changes. ***
#
# If this file is empty and this system is subscribed consider 
# a "yum repolist" to refresh available repos
#

[Default_Organization_custom_test]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/4734746291144165060.pem
baseurl = https://my.sat.host/pulp/repos/Default_Organization/Library/custom/custom/test
sslverify = 1
name = test
sslclientkey = /etc/pki/entitlement/4734746291144165060-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

Comment 23 Vedashree Deshpande 2020-03-03 17:18:37 UTC
Hello, 

I have a customer who is on Satellite 6.6.2, and it seems that he has applied the 6.6 patch: https://bugzilla.redhat.com/show_bug.cgi?id=1789888
but he is still facing the same issue.

Is there anyone else facing it even after applying the patch? Also, he created a custom product with end date 2049/12/01 00:00:00, so the script does not help in this case.

Can someone look into this?

Comment 30 errata-xmlrpc 2020-04-14 13:28:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454

