Description of problem:
RHNS-CA-CERT contains CA certificates valid until 2013. Lifetime of RHEL5 probably extends beyond this, so we have to include a new certificate valid after 2013. The new cert has to have serial != 0.
Version-Release number of selected component (if applicable): rhn-client-tools-0.4.20-9.el5
How reproducible: always
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
Also remove the bad redundant cert (2nd certificate in the list: Validity Not Before: Sep 5 20:45:16 2002 GMT Not After : Sep 9 20:45:16 2007 GMT )
Can anyone please generate that certificate? We can probably generate it within our team, but I suppose it is not desired.
Marked as a blocker with security keyword because this will have a customer impact which could stop customers getting security updates. If we do not include the new CA then RHEL5.5 will stop accepting updates from RHN in 2013. Of course we can push a new package to 5.5.z or 5.6 before 2013 with a new CA, but anyone in 2013 who installs from a 5.5 ISO (or previous) will not be able to get any security updates automatically.
(note this is RHBA-2009:9254)
Created attachment 397017: New CA certificate (not new complete file)
Created attachment 397019: replacement RHNS-CA-CERT file
Fixed spacewalk (upstream) version of rhn-client-tools:
commit 31fb4296ee9825469cb6687a84f83b44ad639e10
    Automatic commit of package [rhn-client-tools] release [0.9.4-1].
commit 27474175a8f25d0d62bb28adda181ea2cb5a5f2c
    added new CA key valid until 2020
Fixed RHEL5.5 version (svn):
------------------------------------------------------------------------
r191147 | mmraka | 2010-03-01 11:22:53 +0100 (Mon, 01 Mar 2010) | 2 lines
removed expired CA certs and added new CA cert valid until 2020
New build containing the new CA certificate: rhn-client-tools-0.4.20-32.el5
QA: Test registration with rhn.redhat.com & SSL enabled.
c18: note that the "openssl x509" command will only show you the first CA it comes across, not all the CAs that are in the file. To verify the cert you'd have to cut and paste it out before passing it to openssl x509.
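The per-certificate check described in the comment above, as an added example that is not part of the bug report or of rhn-client-tools: it splits a PEM bundle and runs `openssl x509` on each certificate, flagging serial 0 and certificates that expire within a given window. The function names `split_bundle` and `audit_bundle` and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit every certificate in a PEM bundle such as RHNS-CA-CERT.
# Function names and output format are this example's own (hypothetical).

# split_bundle FILE OUTDIR
# Write each PEM certificate to OUTDIR/cert-N.pem and print the count.
# Text between the PEM blocks (human-readable dumps, comments) is skipped.
split_bundle() {
    mkdir -p "$2" || return 2
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# audit_bundle FILE [SECONDS]
# Print serial, expiry date and subject for every certificate in FILE.
# Returns 1 if any certificate has serial 0 or expires within SECONDS
# (default 0, i.e. already expired), 2 if a block cannot be parsed.
audit_bundle() {
    window=${2:-0}
    rc=0
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp") || count=0
    i=1
    while [ "$i" -le "$count" ]; do
        pem="$tmp/cert-$i.pem"
        if ! info=$(openssl x509 -in "$pem" -noout -serial -enddate -subject); then
            echo "$i: not a parsable certificate"; rc=2; i=$((i + 1)); continue
        fi
        serial=$(printf '%s\n' "$info" | sed -n 's/^serial=//p')
        flags=
        # -checkend N exits non-zero when the certificate expires within N seconds
        openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null || flags="$flags EXPIRING"
        # A serial consisting only of zeros is the value the bug report rules out
        case $serial in *[!0]*) ;; *) flags="$flags SERIAL0" ;; esac
        [ -z "$flags" ] || [ "$rc" -eq 2 ] || rc=1
        printf '%s: %s =>%s\n' "$i" "$(printf '%s' "$info" | tr '\n' ' ')" "${flags:- ok}"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}
```

After sourcing the file, `audit_bundle RHNS-CA-CERT 31536000` lists every certificate in the bundle and marks those that expire within a year.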
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0270.html