Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2043600 - consumer certificate is generated with validity after 19th Jan 2038 which is causing 2038 bug on 32bit systems
Summary: consumer certificate is generated with validity after 19th Jan 2038 which is ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Candlepin
Version: 6.10.2
Hardware: i686
OS: All
unspecified
medium
Target Milestone: 6.13.0
Assignee: satellite6-bugs
QA Contact: Vladimír Sedmík
URL:
Whiteboard:
Depends On: 2045066
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-01-21 15:39 UTC by Jan Jansky
Modified: 2023-05-03 13:21 UTC (History)
3 users (show)

Fixed In Version: candlepin-4.2.0-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2045066 (view as bug list)
Environment:
Last Closed: 2023-05-03 13:21:03 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-14334 0 None None None 2022-12-08 15:23:05 UTC
Red Hat Product Errata RHSA-2023:2097 0 None None None 2023-05-03 13:21:16 UTC

Description Jan Jansky 2022-01-21 15:39:17 UTC 
Description of problem:
When registering 32 bit system to Satellite consumer certificate will get created with validity after 19th Jan 2038 which is causing 2038 bug (https://access.redhat.com/articles/2596)


Version-Release number of selected component (if applicable):
Found on cu Satellite 6.8, but same tested on Satellite 6.10.1


How reproducible:
Always


Steps to Reproduce:
on 32 bit system
1. rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
2. subscription-manager register

Actual results:
2022-01-20 07:54:07,260 [ERROR] subscription-manager:6126:MainThread @managercli.py:181 - Error during registration: tim
estamp out of range for platform time_t
2022-01-20 07:54:07,261 [ERROR] subscription-manager:6126:MainThread @managercli.py:182 - timestamp out of range for pla
tform time_t
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/subscription_manager/managercli.py", line 1113, in _do_command
    type=self.options.consumertype
  File "/usr/lib/python2.6/site-packages/rhsmlib/services/register.py", line 84, in register
    managerlib.persist_consumer_cert(consumer)
  File "/usr/lib/python2.6/site-packages/subscription_manager/managerlib.py", line 69, in persist_consumer_cert
    consumer = identity.ConsumerIdentity(consumerinfo['idCert']['key'], consumerinfo['idCert']['cert'])
  File "/usr/lib/python2.6/site-packages/subscription_manager/identity.py", line 80, in __init__
    self.x509 = create_from_pem(certstring)
  File "/usr/lib/python2.6/site-packages/rhsm/certificate.py", line 61, in create_from_pem
    return _CertFactory().create_from_pem(pem)
  File "/usr/lib/python2.6/site-packages/rhsm/certificate2.py", line 82, in create_from_pem
    return self._read_x509(_certificate.load(pem=pem), path, pem)
  File "/usr/lib/python2.6/site-packages/rhsm/certificate2.py", line 113, in _read_x509
    raise CertificateException(str(e))
CertificateException: timestamp out of range for platform time_t

Expected results:
Successful registration

Additional info:
Comment 2 Barnaby Court 2022-01-21 15:49:00 UTC 
Hi, The simplest workaround would be to change the candlepin configuration to only create certificates with a 5 year lifespan. That would extend this to 2033 before customer run into the issue. At that point all systems affected by this should be well out of service. This can be done by setting the candlepin config variable of candlepin.identityCert.yr.addendum=5 in the /etc/candlepin/candlepin.conf
Comment 3 Jan Jansky 2022-01-21 16:14:05 UTC 
Workaround tested on Satellite 6.10.1 without issues on 64bit system, but validity correct as below.


# date
Pá led 21 16:12:35 UTC 2022
# subscription-manager register
# openssl x509 -in /etc/pki/consumer/cert.pem -noout -text | grep "Not After"
            Not After : Jan 21 16:12:47 2027 GMT
Comment 8 Vladimír Sedmík 2023-02-28 10:16:20 UTC 
Verified in 6.13.0 snap 12 (candlepin-4.2.13-1.el8sat.noarch)

Newly registered or re-registered hosts are provided with a 5-year lifespan certificate:
[root@host ~]# openssl x509 -in /etc/pki/consumer/cert.pem -noout -text | grep "Not"
            Not Before: Feb 28 08:35:39 2023 GMT
            Not After : Feb 28 09:35:39 2028 GMT
Comment 11 errata-xmlrpc 2023-05-03 13:21:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097
Note You need to log in before you can comment on or make changes to this bug.