772936 – [RFE]: Show a warning when server time and client time drift is big

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 772936 - [RFE]: Show a warning when server time and client time drift is big

Summary: [RFE]: Show a warning when server time and client time drift is big

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	7.0
Assignee:	Bryan Kearney
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	rhsm-rhel70
TreeView+	depends on / blocked

Reported:	2012-01-10 11:48 UTC by Lukas Zapletal
Modified:	2014-06-24 21:31 UTC (History)
CC List:	4 users (show)
Fixed In Version:	1.8.2
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 09:52:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	772935	0	unspecified	CLOSED	RFE: Add an API call that shows servers date and time in UTC	2021-02-22 00:41:40 UTC

Internal Links: 772935

Description Lukas Zapletal 2012-01-10 11:48:29 UTC

When time and date of server and client differs, certificate validation can
fail.

Show a warning message to the user both in UI and TUI interfaces and also log a warning message in the log in case server time is different.

Server support needed for this new feature: https://bugzilla.redhat.com/show_bug.cgi?id=772935

Comment 3 RHEL Program Management 2012-07-10 08:48:45 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 RHEL Program Management 2012-07-11 02:08:51 UTC

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 5 Tom Lavigne 2012-09-07 15:20:40 UTC

This request was evaluated by Red Hat Product Management for 
inclusion in the current release of Red Hat Enterprise Linux.
Since we are unable to provide this feature at this time,  
it has been proposed for the next release of 
Red Hat Enterprise Linux.

Comment 7 Bryan Kearney 2012-12-20 21:35:58 UTC

https://github.com/candlepin/python-rhsm/pull/50

Comment 8 Bryan Kearney 2013-01-04 16:34:09 UTC

commit ec293ec10205e71132d90118534592c67a6abbeb
Author: Bryan Kearney <bkearney>
Date:   Fri Dec 14 16:21:20 2012 -0500

    772936: Warn the user when clock skew is detected.
    
    All server responses are required to contain a date header. This
    header is used to look for instances where the time on the local machine
    is more that 6 hours off of the server. The time is arbitrary.
    
    This should catch cases where the local machine is mis-configured. It is
    possible that it will not catch when the candlepin server clock is off
    since the header may come from the apache server.

Comment 9 Bryan Kearney 2013-02-08 17:18:44 UTC

Fixed in the 1.8.2 version of subscription-manager or python-rhsm

Comment 11 Sharath Dwaral 2013-02-27 15:58:06 UTC

Please ignore the Comment 10

Comment 12 Sharath Dwaral 2013-02-27 18:35:22 UTC

# rpm -qa | egrep "subscription-manager|python-rhsm"
python-rhsm-1.8.3-1.el7.x86_64
subscription-manager-gui-1.8.3-1.el7.x86_64
subscription-manager-migration-1.8.3-1.el7.x86_64
subscription-manager-debuginfo-1.8.3-1.el7.x86_64
subscription-manager-1.8.3-1.el7.x86_64
subscription-manager-firstboot-1.8.3-1.el7.x86_64
python-rhsm-debuginfo-1.8.3-1.el7.x86_64

This is tested for 2 senarios a "past date" and "future date". Each of these senarios have 2 cases "insecure = 0" and  "insecure = 1"

Senario 1: Past Date

case 1:  insecure = 0

Candlepin

# date
Wed Feb 27 12:44:30 EST 2013

Client

# date
Wed Feb 27 12:44:07 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# date -s "Sun Feb 24 12:44:07 EST 2013"
Sun Feb 24 12:44:07 EST 2013

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 0

# subscription-manager register
Username: testuser1
Password: 
certificate verify failed

# cat /var/log/rhsm/rhsm.log | egrep "2013-02-24 12:.*time"


case 2:    insecure = 1

Candlepin

# date
Wed Feb 27 13:08:50 EST 2013

Client

# date
Sun Feb 24 13:08:39 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 1

# subscription-manager register
Username: testuser1
Password: 
Organization: snowwhite
The system has been registered with id: e72744fc-16dc-414c-851b-0207922a155f 

# cat /var/log/rhsm/rhsm.log | egrep "2013-02-24 13:.*time"
2013-02-24 13:10:28,533 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:28,629 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:28,726 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:35,015 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:39,807 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:39,908 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:40,005 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:40,129 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time


Senario 2: Future date

case 1: insecure = 0 

Candlepin:

# date
Wed Feb 27 13:16:45 EST 2013

Client

# date
Sun Feb 24 13:14:30 EST 2013

# date -s "Fri Mar 01 13:14:30 EST 2013"
Fri Mar  1 13:14:30 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 0

# subscription-manager register
Username: testuser1
Password: 
Organization: snowwhite
The system has been registered with id: e7320383-4598-487f-adaa-7af912ea20ed 

# cat /var/log/rhsm/rhsm.log | egrep "2013-03-01 13:.*time"
2013-03-01 13:14:51,753 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:14:51,851 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:14:51,946 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:16,816 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:16,916 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:17,013 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:22,580 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:25,883 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:25,984 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:26,082 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:26,189 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time


case 2: insecure = 1 

Candlepin:

# date
Wed Feb 27 13:25:29 EST 2013

Client

# date
Fri Mar  1 13:19:37 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 1

# subscription-manager register
Username: testuser1
Password: 
Organization: snowwhite
The system has been registered with id: 2bbfccd0-3c44-418d-ae89-0ee101bdf73b 

# cat /var/log/rhsm/rhsm.log | egrep "2013-03-01 13:2.*time"
2013-03-01 13:20:09,542 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:20:09,641 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:20:09,747 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:14,911 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:15,008 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:15,104 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:22,233 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:25,850 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:25,951 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:26,046 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:26,150 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time


Findings:

On "past date" when insecure = 0 message in stdout is "certificate verify failed" and does not tell us why. 
On "future date" when insecure is either 0 the certs are not validated

Suggestions:

On "past date" when insecure = 0 we could have "Clock skew detected, please check your system time" sent to stdout.
On "future date" when insecure = 0 certs should be validated and we could have "Clock skew detected, please check your system time" sent to stdout

Comment 13 Bryan Kearney 2013-04-16 20:51:18 UTC

This is pretty low likelyhood, so I would prefer to not corrupt the stdout. The current implementation meets the original RFE.. so I am moving this back to ON_QA.

Comment 14 John Sefler 2013-04-23 20:45:01 UTC

Verifying Version...
[root@jsefler-7 ~]# rpm -q subscription-manager
subscription-manager-1.8.6-1.el7.x86_64




[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date
Tue Apr 23 16:37:03 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date -s "-7 hours"
Tue Apr 23 09:37:50 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
2013-04-23 09:38:00,311 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/
2013-04-23 09:38:00,350 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 09:38:00,351 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 09:38:00,357 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 09:38:00,393 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 09:38:00,393 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 09:38:00,398 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 09:38:00,433 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 09:38:00,434 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date -s "+14 hours"
Tue Apr 23 23:38:57 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
2013-04-23 23:39:05,805 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/
2013-04-23 23:39:05,859 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 23:39:05,861 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 23:39:05,870 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 23:39:05,905 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 23:39:05,906 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 23:39:05,912 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 23:39:05,943 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 23:39:05,944 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date -s "-7 hours"
Tue Apr 23 16:39:31 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
[root@jsefler-7 ~]# 



VERIFIED: When the system's clock is either behind or ahead of the candlepin server's clock by more than 6 hours (tested with a 7 hour skew), a warning is logged to rhsm.log after each response from the server.

Comment 15 Ludek Smid 2014-06-13 09:52:01 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.